Self-Signed Digital Certificates
Learn about the self-signed digital certificate and find out how to manage the self-signed digital certificate.
A self-signed certificate is a certificate that is signed by the same entity who created it rather than by a Certificate Authority (CA). Junos OS provides two methods for generating a self-signed certificate - automatic generation and manual generation.
Self-Signed Certificates
A self-signed certificate is a certificate that is signed by its creator rather than by a Certificate Authority (CA).
Self-signed certificates allow for use of SSL-based (Secure Sockets Layer) services without requiring that the user or administrator to undertake the considerable task of obtaining an identity certificate signed by a CA.
Self-signed certificates do not provide additional security as do those generated by CAs. This is because a client cannot verify that the server connected to is the one advertised in the certificate.
Junos OS provides two methods for generating a self-signed certificate:
-
Automatic generation
In this case, the creator of the certificate is the Juniper Networks device. An automatically generated self-signed certificate is configured on the device by default.
After the device is initialized, it checks for the presence of an automatically generated self-signed certificate. If it does not find one, the device generates one and saves it in the file system.
-
Manual generation
In this case, you create the self-signed certificate for the device.
At any time, you can use the CLI to generate a self-signed certificate. These certificates are also used to gain access to SSL services.
Self-signed certificates are valid for five years from the time they were generated.
An automatically generated self-signed certificate allows for use of SSL-based services without requiring that the administrator obtain an identity certificate signed by a CA.
A self-signed certificate that is automatically generated by the device is similar to a
Secure Shell (SSH) host key. It is stored in the file system, not as part of the
configuration. It persists when the device is rebooted, and it is preserved when a
request system snapshot
command is issued.
A self-signed certificate that you manually generate allows for use of SSL-based services without requiring that you obtain an identity certificate signed by a CA. A manually generated self-signed certificate is one example of a public key infrastructure (PKI) local certificate. As is true of all PKI local certificates, manually generated self-signed certificates are stored in the file system.
Example: Generate a Public-Private Key Pair
This example shows how to generate a public-private key pair.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you generate a public-private key pair named self-cert.
Configuration
Procedure
Step-by-Step Procedure
To generate a public-private key pair:
-
Create a certificate key pair.
user@host> request security pki generate-key-pair certificate-id self-cert
Verification
After the public-private key pair is generated, the Juniper Networks device displays the following:
generated key pair ca-ipsec, key size 1024 bits
Example: Manually Generate Self-Signed Certificates
This example shows how to generate self-signed certificates manually.
Requirements
Before you begin, generate a public private key pair. See Digital Certificates.
Overview
For a manually generated self-signed certificate, you specify the distinguished name (DN) when you create it. For an automatically generated self-signed certificate, the system supplies the DN, identifying itself as the creator.
In this example, you generate a self-signed certificate with the e-mail address as
mholmes@example.net
. You specify a certificate-id of
self-cert to be referenced by web management.
Configuration
Procedure
Step-by-Step Procedure
To generate the self-signed certificate manually, enter the following command in operational mode:
user@host> request security pki local-certificate generate-self-signed certificate-id self-cert subject CN=abc domain-name example.net ip-address 1.2.3.4 email mholmes@example.net
To specify the manually generated self-signed certificate for Web management HTTPS services, enter the following command in configuration mode:
[edit] user@host# set system services web-management https local-certificate self-cert
Verification
To verify the certificate is properly generated and loaded, enter the following command in operational mode:
user@host> show security pki local-certificate
Notice the Certificate identifier
information for Issued
to
, validity
, algorithm
, and
keypair location
details in the displayed output.
To verify the certificate that is associated with the web management, enter the following command in configuration mode:
user@host# show system services web-management https local-certificate
Using Automatically Generated Self-Signed Certificates (CLI Procedure)
After the device is initialized, it checks for the presence of a self-signed certificate. If a self-signed certificate is not present, the device automatically generates one. If the device is rebooted, a self-signed certificate is automatically generated at boot time.
To check the system-generated certificate, run the following command in operational mode:
user@host> show security pki local-certificate system-generated
Notice the Certificate identifier
details in the output. It displays
the following details distinguished name (DN) for the automatically generated
certificate:
-
CN = device serial number
-
CN = system generated
-
CN = self-signed
Use the following command in configuration mode to specify the automatically generated self-signed certificate to be used for Web management HTTPS services:
[edit] user@host# set system services web-management https system-generated-certificate
Use the following operational command to delete the automatically generated self-signed certificate:
user@host# exit user@host> clear security pki local-certificate system-generated
After you delete the system-generated self-signed certificate, the device automatically generates a new one and saves it in the file system.