Certificate Management Overview
Typically, users gain access to resources from an application or system on the basis of their username and password. You can also use certificates to authenticate and authorize sessions among various servers and users. Certificate-based authentication over a Secure Sockets Layer (SSL) connection is the most secure type of authentication. The certificates can be stored on a smart card, a USB token, or a computer’s hard drive. Users typically swipe their smart card to log in to the system without entering their username and password.
Junos Space Network Management Platform ships with password-based authentication as the default mode, and administrators can use the default credentials to log in to Junos Space Platform. Junos Space Platform also supports certificate-based authentication and, from Junos Space Network Management Platform Release 15.2R1 onward, X.509 parameter-based authentication. You configure these authentication modes from the User section of the Modify Application Settings page in the Administration workspace.
By default, Junos Space Platform uses a self-signed SSL certificate. However, if you need to use your own custom certificate, you can upload your custom certificate in the X.509 or PKCS#12 format. With the complete certificate validation mode, the entire X.509 certificate is validated during the login process and you must upload user certificates for all users.
During X.509 parameter-based authentication, you can specify up to four X.509 certificate parameters per user that are validated during the login process. With the X.509 parameter-based authentication, you can avoid uploading certificates for new users to Junos Space Platform. Junos Space Platform extracts the values of the parameters for existing users from the certificates loaded when the users were created. You can define the X.509 certificate parameters in the X509-Certificate-Parameters section on the Modify Application Settings page in the Administration workspace.
Only one authentication mode is supported at a time and all users are authenticated using the selected authentication mode.
The following sections describe the workflow for each authentication mode, custom Junos Space server certificates, user certificates, certification authority (CA) certificates, certificate revocation lists (CRLs), and the certificate expiry and invalidity conditions on Junos Space Platform.
Authentication Modes Workflow
The steps in establishing an SSL connection for the different modes of authentication are as follows:
Username and password–based authentication:
A client requests access to the Junos Space server.
The Junos Space server presents its certificate to the client.
The client verifies the server’s certificate.
If the verification of the certificate is successful, then the client sends its username and password to the server.
The server verifies the credentials of the client.
If the verification is successful, then the server grants access to the protected resource requested by the client.
Certificate-based authentication:
A client requests access to the Junos Space server.
The Junos Space server presents its certificate to the client.
The client verifies the server’s certificate.
If the verification of the certificate is successful, then the client sends its certificate to the server.
The server verifies the client’s certificate.
If the verification is successful, then the server grants access to the protected resource requested by the client.
If the verification is unsuccessful, Junos Space Platform displays a login failure page to the user.
X.509 certificate parameter–based authentication:
A client requests access to the Junos Space server.
The Junos Space server presents its X.509 certificate to the client.
The client verifies the server’s X.509 certificate.
If the verification of the certificate is successful, then the client sends its certificate to the server.
The server extracts the specified values from the client’s X.509 certificate and validates the values with those in the Junos Space Platform database.
If the verification is successful, then the server grants access to the protected resource requested by the client.
If the verification is unsuccessful, Junos Space Platform displays a login failure page to the user.
When using complete certificate-based or certificate parameter–based authentication, the session is terminated if the smart or secure card (containing the certificate and the private key) that is used for logging in is unplugged or removed from the client system.
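The parameter-matching step of the X.509 parameter-based workflow, as an added example that is not Junos Space code: it parses the subject DN a server would extract from the client certificate, requires every configured parameter (at most four, drawn from the attribute types in the table below) to be present, and maps the certificate to exactly one stored user or fails with no mapped user. The user records, parameter names and the RFC 2253 DN string format are assumptions made for this example.

```python
from __future__ import annotations

# Attribute types selectable for comparison (see the table below); at most four per user.
SUPPORTED_ATTRIBUTES = {"emailAddress", "CN", "OU", "O", "L", "ST", "C"}
MAX_PARAMETERS = 4


def parse_dn(dn: str) -> dict[str, str]:
    """Parse an RFC 2253 style DN ("CN=user1,OU=ops,O=Example") into a dict;
    backslash escapes are honoured, '+' multi-valued RDNs are not modelled."""
    attrs: dict[str, str] = {}
    key, buf, escaped, in_value = "", [], False, False
    for ch in dn + ",":  # trailing comma flushes the last value
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and not in_value:
            key, buf, in_value = "".join(buf).strip(), [], True
        elif ch == "," and in_value:
            attrs[key] = "".join(buf).strip()
            buf, in_value = [], False
        else:
            buf.append(ch)
    return attrs


def authenticate(cert_subject: str, parameters: list[str],
                 users: dict[str, dict[str, str]]) -> str | None:
    """Return the single user whose stored values equal every configured
    parameter in the presented certificate; None means "No user mapped"."""
    if not 1 <= len(parameters) <= MAX_PARAMETERS:
        raise ValueError("configure between 1 and 4 X.509 parameters")
    if unknown := set(parameters) - SUPPORTED_ATTRIBUTES:
        raise ValueError(f"unsupported attribute(s): {sorted(unknown)}")
    subject = parse_dn(cert_subject)
    if any(p not in subject for p in parameters):
        return None  # a missing attribute is a failed login, not a wildcard
    matches = [name for name, stored in users.items()
               if all(stored.get(p) == subject[p] for p in parameters)]
    return matches[0] if len(matches) == 1 else None  # ambiguity is rejected


# Constructed user records (assumed layout): the values extracted from each user's certificate.
USERS = {
    "user1": {"CN": "user1", "OU": "netops", "O": "Example Corp", "emailAddress": "user1@example.com"},
    "user2": {"CN": "user2", "OU": "netops", "O": "Example Corp", "emailAddress": "user2@example.com"},
}
PARAMETERS = ["emailAddress", "CN", "OU", "O"]
```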
Custom Junos Space Server Certificates
By default, Junos Space Network Management Platform uses a self-signed SSL certificate. If you need to use your own custom certificate, go to the Administration > Platform Certificate page and upload your custom X.509 or PKCS#12 certificate there.
X.509 is a widely used standard for defining digital certificates. Typically, in X.509, the certificate and the key are stored separately. The private key can be either encrypted or unencrypted; a passphrase is optional, but it is required if the private key is encrypted.
The PKCS #12 (Personal Information Exchange Syntax) format is widely used for digital certificates on the Windows operating system. This standard specifies a portable format for storing or transporting a user's private keys, certificates, and passphrases in one file that can be encrypted.
For instructions to upload your custom certificate, see Installing a Custom SSL Certificate on the Junos Space Server.
Certificate Attributes
Table 1 lists the attributes that you commonly see in a certificate.
Certificate Attribute | Description
---|---
 | “OID.1.2.840.113549.1.9.1” is the ASN.1 object identifier used to identify this signature algorithm. “user1@10.205.57.195” is the e-mail address of the certificate owner.
 | Common name of the certificate owner
 | Name of the organizational unit to which the certificate owner belongs. For example, the Junos Space Network Management Platform SSL certificate signed by Juniper Networks contains “
 | Organization to which the certificate owner belongs. For example, the Junos Space Network Management Platform SSL certificate signed by Juniper Networks contains “
 | Certificate owner’s location. For example, the Junos Space Network Management Platform SSL certificate signed by Juniper Networks contains “
 | Certificate owner’s state of residence. For example, the Junos Space Network Management Platform SSL certificate signed by Juniper Networks contains “
 | Certificate owner’s country of residence. For example, the Junos Space Network Management Platform SSL certificate signed by Juniper Networks contains “
 | “OID.1.2.840.113549.1.9.1” is the ASN.1 object identifier used to identify this signature algorithm. “user1@10.205.57.195” is the e-mail address of the issuer.
 | Common name of the certificate issuer. It is the IP address of the system. The common name (CN) must match the hostname of the issuer of this certificate; in general, it should be the hostname of the issuer.
 | Name of the organizational unit to which the certificate issuer belongs. For example, the Junos Space Network Management Platform SSL certificate signed by Juniper Networks contains “
 | Organization to which the certificate issuer belongs. For example, the Junos Space Network Management Platform SSL certificate signed by Juniper Networks contains “
 | Certificate issuer’s location. For example, the Junos Space Network Management Platform SSL certificate signed by Juniper Networks contains “
 | Certificate issuer’s state of residence. For example, the Junos Space Network Management Platform SSL certificate signed by Juniper Networks contains “
 | Certificate issuer’s country of residence. For example, the Junos Space Network Management Platform SSL certificate signed by Juniper Networks contains “
 | Algorithm used by the certificate authority to sign the certificate. For example, the Junos Space Network Management Platform SSL certificate signed by Juniper Networks can contain “
 | Certificate's serial number
 | Date at which the certificate becomes valid
 | Date at which the certificate becomes invalid
User Certificates
If you use certificate-based authentication mode, then for each user you need to upload the corresponding certificate for the Junos Space server to authenticate the user. You can associate a certificate with a user when you create the user or by modifying the user settings. To associate a certificate with an existing user, go to Role Based Access Control > User Accounts > Select a user > Modify User page.
For instructions to upload a user certificate, refer to Uploading a User Certificate.
CA Certificates and CRLs
A certification authority (CA) certificate or the root certificate is used to verify a user certificate. The private key of the root certificate is used to sign the user certificates, which then inherit the trustworthiness of the root certificate.
A certificate revocation list (CRL), which is maintained by a CA, is a list of certificates that were issued and then revoked by that CA before their scheduled expiration date, along with the reasons for revocation. A CA may revoke a certificate for various reasons: for example, the user named in the certificate no longer has the authority to use the key, the key in the certificate may have been compromised, or another certificate is replacing the current one.
For instructions to upload CA certificates or CRLs, refer to Uploading a CA Certificate and Certificate Revocation List.
Changing the User Authentication Mode
You can change the authentication mode from username and password-based to certificate-based or X.509 certificate parameter–based from the Junos Space user interface or from the CLI of the VIP node. You must upload the certification authority (CA) certificates and the personal or user certificates (the Junos Space server certificate is optional) to the Junos Space server before changing the authentication mode. Junos Space Platform verifies all certificates before they are uploaded. Invalid or badly formed certificates are not uploaded.
When the authentication mode is changed, all existing user sessions, except that of the current administrator who is changing the authentication mode, are automatically terminated and the users are forced to log out. You need not restart Junos Space Platform when you switch from one authentication mode to another.
For instructions to change authentication modes, refer to Changing User Authentication Modes.
Certificate Expiry
When the X.509 Junos Space server certificate is scheduled to expire within 30 days from the current date, Junos Space Platform displays a warning message every time the administrator logs in. For example: Your platform certificate is going to expire on May 24, 2015. Space will automatically use default certificate if your certificate will expire within 1 day. Change platform certificate using "Administration > Platform Certificate" page. Would you like to change it now?
As an administrator, perform one of the following actions:
Upload a new certificate—Select Administration > Platform Certificate and upload the certificate from the Upload Certificate area. Junos Space Platform deletes the old user certificate and starts using the newly uploaded certificate.
Use the default certificate—Select Administration > Platform Certificate and click Use Default Certificate in the Current Platform Certificate area.
When the X.509 Junos Space server certificate is scheduled to expire in a day, Junos Space Platform starts using the default self-signed certificate. The self-signed Junos Space Platform SSL certificate created during installation has a five-year validity.
When a user certificate is scheduled to expire within 30 days from the current date, Junos Space Platform displays a warning message if the user has logged in using the certificate-based authentication mode. For more information, refer to Uploading a User Certificate.
Invalid User Certificates
A user certificate could become invalid for the following reasons:
Certificate is expired.
Certificate expires within a day.
Certificate will be valid only later.
Certificate does not match the private key.
Certificate or private key file is broken.
Same certificate exists in the Junos Space server.
If a user tries to log in with an invalid or expired certificate, Junos Space Platform displays a login failure page with the following error message: No user mapped for this certificate.
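The expiry and validity rules from the two sections above, as an added example that is not Junos Space code: it applies the page's 30-day warning and 1-day fallback windows to a certificate's validity period and distinguishes the not-yet-valid, expired and expires-within-a-day reasons listed above. The Status names, the helper functions and the constructed dates are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

# Thresholds stated on the page: warn inside 30 days of expiry; default certificate inside 1 day.
WARN_WINDOW = timedelta(days=30)
FALLBACK_WINDOW = timedelta(days=1)


class Status(Enum):
    NOT_YET_VALID = "certificate will be valid only later"
    EXPIRED = "certificate is expired"
    EXPIRES_WITHIN_A_DAY = "certificate expires within a day"
    EXPIRING_SOON = "certificate expires within 30 days"
    VALID = "certificate is valid"


def utc(*ymdh: int) -> datetime:
    return datetime(*ymdh, tzinfo=timezone.utc)  # certificate validity times are UTC


def classify(not_before: datetime, not_after: datetime, now: datetime) -> Status:
    """Check order matters: not-yet-valid and expired are decided before the
    expiry windows, so a dead certificate is never reported as merely 'expiring'."""
    if now < not_before:
        return Status.NOT_YET_VALID
    if now > not_after:  # notAfter itself is still inside the validity period
        return Status.EXPIRED
    remaining = not_after - now
    if remaining <= FALLBACK_WINDOW:
        return Status.EXPIRES_WITHIN_A_DAY
    if remaining <= WARN_WINDOW:
        return Status.EXPIRING_SOON
    return Status.VALID


def platform_certificate_to_use(status: Status) -> str:
    """Serve the custom platform certificate until it is within a day of expiry, then the default."""
    return "custom" if status in (Status.VALID, Status.EXPIRING_SOON) else "default"


def user_login_allowed(status: Status) -> bool:
    """Expired, expiring within a day or not-yet-valid user certificates fail login; 30 days only warns."""
    return status in (Status.VALID, Status.EXPIRING_SOON)


if __name__ == "__main__":  # constructed dates around the May 24, 2015 expiry quoted on the page
    for now in (utc(2015, 4, 1), utc(2015, 5, 10), utc(2015, 5, 23, 12), utc(2015, 6, 1)):
        s = classify(utc(2010, 5, 24), utc(2015, 5, 24), now)
        print(now.date(), s.value, "->", platform_certificate_to_use(s))
```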