SUMMARY
The Juniper Apstra Edge connects to Juniper Apstra Cloud Services using the management URL provided during the Juniper Apstra Cloud Services onboarding process. This management URL is configured with an IP address, but the default SSL cert configured in Juniper Apstra's Nginx controller only lists DNS:apstra.com as the Subject Alternative Name (SAN), so it does not cover the management IP. Use these steps to generate a new SSL cert with a SAN containing a Juniper Apstra management IP.

To replace the SSL cert of Juniper Apstra's Nginx controller:
- Follow the steps in "Replace SSL Certificate on Apstra Server with Self-Signed One" to replace certs in Juniper Apstra.

  Note: During Step 3, add an extra SAN name with the desired management IP. The following command creates a cert with a validity of 3 years. Change the -days value to match your time requirement.

    root@user:~# cd /etc/aos/nginx.conf.d/
    root@user:/etc/aos/nginx.conf.d# openssl req -newkey rsa:2048 -nodes -keyout nginx.key -x509 -days 1095 -out nginx.crt -addext extendedKeyUsage=serverAuth -addext subjectAltName=DNS:apstra.com,IP:<ip-of-apstra>

  Note: To check the new cert, use the following command:

    root@user:/etc/aos/nginx.conf.d# openssl x509 -in nginx.crt -text -noout
- Generate a new CA cert.

    root@user:/etc/aos/nginx.conf.d# openssl x509 -in nginx.crt -inform PEM -outform PEM -out <ip-of-apstra>_ca.cert.pem -days 1095
- Copy the generated CA cert into the host directory where you plan to install the Juniper Apstra Edge container.

    cp /tmp/<ip-of-apstra>_ca.cert.pem /etc/ssl/certs
- Continue with Step 7 of the Juniper Apstra Edge Container Deployment process.
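
A pre-flight check for the cert produced by the steps above, as an added example that is not part of Juniper's procedure: it confirms that the management IP is in the SAN, that serverAuth is set, that the cert is not close to expiry, and that the CA copy is the same certificate as nginx.crt. The function names, the -subj value and the address 192.0.2.10 (standing in for <ip-of-apstra>) are assumptions, and it requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not Juniper tooling. 192.0.2.10 is a constructed address
# standing in for <ip-of-apstra>; the function names are hypothetical.

# san_has_ip CERT IP: true only if IP is listed in the cert's SAN.
# -checkip reports its result as text, so match the text.
san_has_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match certificate'
}

# has_server_auth CERT: true if extendedKeyUsage includes serverAuth.
has_server_auth() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}

# valid_for_days CERT DAYS: true if the cert is still valid DAYS from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# same_cert A B: true if both files hold the same certificate (SHA-256
# fingerprint), e.g. nginx.crt versus the CA copy placed on the Edge host.
same_cert() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 1
    [ "$a" = "$b" ]
}

# make_demo_cert DIR IP: throwaway cert built like the command in Step 3,
# plus a constructed -subj so that openssl does not prompt.
make_demo_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/nginx.key" -x509 -days 1095 \
        -out "$1/nginx.crt" -subj "/CN=apstra.com" \
        -addext extendedKeyUsage=serverAuth \
        -addext "subjectAltName=DNS:apstra.com,IP:$2" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" 192.0.2.10
cp "$demo_dir/nginx.crt" "$demo_dir/192.0.2.10_ca.cert.pem"
for ip in 192.0.2.10 192.0.2.99; do
    if san_has_ip "$demo_dir/nginx.crt" "$ip"; then echo "$ip: in SAN"
    else echo "$ip: NOT in SAN"; fi
done
has_server_auth "$demo_dir/nginx.crt" && echo "serverAuth: present"
same_cert "$demo_dir/nginx.crt" "$demo_dir/192.0.2.10_ca.cert.pem" && echo "CA copy matches"
rm -rf "$demo_dir"
```

Against a real deployment, call the check functions on /etc/aos/nginx.conf.d/nginx.crt and on the CA cert copied to the Edge host instead of the throwaway files.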