Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Self-Signed Digital Certificates

Learn about the self-signed digital certificate and find out how to manage the self-signed digital certificate.

A self-signed certificate is a certificate that is signed by the same entity who created it rather than by a Certificate Authority (CA). Junos OS provides two methods for generating a self-signed certificate - automatic generation and manual generation.

Self-Signed Certificates

A self-signed certificate is a certificate that is signed by its creator rather than by a Certificate Authority (CA).

Self-signed certificates allow for use of SSL-based (Secure Sockets Layer) services without requiring that the user or administrator to undertake the considerable task of obtaining an identity certificate signed by a CA.

Self-signed certificates do not provide additional security as do those generated by CAs. This is because a client cannot verify that the server connected to is the one advertised in the certificate.

Junos OS provides two methods for generating a self-signed certificate:

  • Automatic generation

    In this case, the creator of the certificate is the Juniper Networks device. An automatically generated self-signed certificate is configured on the device by default.

    After the device is initialized, it checks for the presence of an automatically generated self-signed certificate. If it does not find one, the device generates one and saves it in the file system.

  • Manual generation

    In this case, you create the self-signed certificate for the device.

    At any time, you can use the CLI to generate a self-signed certificate. These certificates are also used to gain access to SSL services.

Self-signed certificates are valid for five years from the time they were generated.

An automatically generated self-signed certificate allows for use of SSL-based services without requiring that the administrator obtain an identity certificate signed by a CA.

A self-signed certificate that is automatically generated by the device is similar to a Secure Shell (SSH) host key. It is stored in the file system, not as part of the configuration. It persists when the device is rebooted, and it is preserved when a request system snapshot command is issued.

A self-signed certificate that you manually generate allows for use of SSL-based services without requiring that you obtain an identity certificate signed by a CA. A manually generated self-signed certificate is one example of a public key infrastructure (PKI) local certificate. As is true of all PKI local certificates, manually generated self-signed certificates are stored in the file system.

Example: Generate a Public-Private Key Pair

This example shows how to generate a public-private key pair.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, you generate a public-private key pair named self-cert.

Configuration

Procedure

Step-by-Step Procedure

To generate a public-private key pair:

  • Create a certificate key pair.

Verification

After the public-private key pair is generated, the Juniper Networks device displays the following:

Example: Manually Generate Self-Signed Certificates

This example shows how to generate self-signed certificates manually.

Requirements

Before you begin, generate a public private key pair. See Digital Certificates.

Overview

For a manually generated self-signed certificate, you specify the distinguished name (DN) when you create it. For an automatically generated self-signed certificate, the system supplies the DN, identifying itself as the creator.

In this example, you generate a self-signed certificate with the e-mail address as mholmes@example.net. You specify a certificate-id of self-cert to be referenced by web management.

Configuration

Procedure

Step-by-Step Procedure

To generate the self-signed certificate manually, enter the following command in operational mode:

To specify the manually generated self-signed certificate for Web management HTTPS services, enter the following command in configuration mode:

Verification

To verify the certificate is properly generated and loaded, enter the following command in operational mode:

Notice the Certificate identifier information for Issued to, validity, algorithm, and keypair location details in the displayed output.

To verify the certificate that is associated with the web management, enter the following command in configuration mode:

Using Automatically Generated Self-Signed Certificates (CLI Procedure)

After the device is initialized, it checks for the presence of a self-signed certificate. If a self-signed certificate is not present, the device automatically generates one. If the device is rebooted, a self-signed certificate is automatically generated at boot time.

To check the system-generated certificate, run the following command in operational mode:

Notice the Certificate identifier details in the output. It displays the following details distinguished name (DN) for the automatically generated certificate:

  • CN = device serial number

  • CN = system generated

  • CN = self-signed

Use the following command in configuration mode to specify the automatically generated self-signed certificate to be used for Web management HTTPS services:

Use the following operational command to delete the automatically generated self-signed certificate:

After you delete the system-generated self-signed certificate, the device automatically generates a new one and saves it in the file system.