Self-Signed Digital Certificates
A self-signed certificate is a certificate that is signed by the entity that created it rather than by a Certificate Authority (CA). Junos OS provides two methods for generating a self-signed certificate: automatic generation and manual generation.
Understanding Self-Signed Certificates
A self-signed certificate is a certificate that is signed by its creator rather than by a Certificate Authority (CA).
Self-signed certificates allow the use of SSL-based (Secure Sockets Layer) services without requiring the user or administrator to undertake the considerable task of obtaining an identity certificate signed by a CA.
Self-signed certificates do not provide the additional assurance that CA-signed certificates do, because a client has no trusted third party through which to verify that the server it connected to is the one named in the certificate.
Junos OS provides two methods for generating a self-signed certificate:
Automatic generation
In this case, the creator of the certificate is the Juniper Networks device. An automatically generated self-signed certificate is configured on the device by default.
After the device is initialized, it checks for the presence of an automatically generated self-signed certificate. If it does not find one, the device generates one and saves it in the file system.
Manual generation
In this case, you create the self-signed certificate for the device.
At any time, you can use the CLI to generate a self-signed certificate. These certificates are also used to gain access to SSL services.
Self-signed certificates are valid for five years from the time they were generated.
An automatically generated self-signed certificate allows for use of SSL-based services without requiring that the administrator obtain an identity certificate signed by a CA.
A self-signed certificate that is automatically generated by the device is similar to a Secure Shell (SSH) host key. It is stored in the file system, not as part of the configuration. It persists when the device is rebooted, and it is preserved when a request system snapshot command is issued.
A self-signed certificate that you manually generate allows for use of SSL-based services without requiring that you obtain an identity certificate signed by a CA. A manually generated self-signed certificate is one example of a public key infrastructure (PKI) local certificate. As is true of all PKI local certificates, manually generated self-signed certificates are stored in the file system.
Example: Generating a Public-Private Key Pair
This example shows how to generate a public-private key pair.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you generate a public-private key pair named self-cert.
Configuration
Procedure
Step-by-Step Procedure
To generate a public-private key pair:
Create a certificate key pair.
user@host> request security pki generate-key-pair certificate-id self-cert
Verification
After the public-private key pair is generated, the Juniper Networks device displays the following:
generated key pair ca-ipsec, key size 1024 bits
Example: Manually Generating Self-Signed Certificates
This example shows how to generate self-signed certificates manually.
Requirements
Before you begin, generate a public-private key pair. See Digital Certificates.
Overview
For a manually generated self-signed certificate, you specify the distinguished name (DN) when you create it. For an automatically generated self-signed certificate, the system supplies the DN, identifying itself as the creator.
In this example, you generate a self-signed certificate with the e-mail address mholmes@example.net. You specify a certificate-id of self-cert to be referenced by web management.
Configuration
Procedure
Step-by-Step Procedure
To generate the self-signed certificate manually, enter the following command in operational mode:
user@host> request security pki local-certificate generate-self-signed certificate-id self-cert subject CN=abc domain-name example.net ip-address 1.2.3.4 email mholmes@example.net
To specify the manually generated self-signed certificate for Web management HTTPS services, enter the following command in configuration mode:
[edit]
user@host# set system services web-management https local-certificate self-cert
Verification
To verify the certificate is properly generated and loaded, enter the following command in operational mode:
user@host> show security pki local-certificate
Notice the Certificate identifier information for Issued to, validity, algorithm, and keypair location details in the displayed output.
To verify the certificate that is associated with the web management, enter the following command in configuration mode:
user@host# show system services web-management https local-certificate
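The manual procedure above reproduced with OpenSSL on a workstation, together with the checks an administrator would run on the device's certificate. This is an added example, not Junos or Juniper code; it assumes openssl 1.1.1 or later and GNU date are in PATH, and it uses the page's subject values (CN=abc, example.net, 1.2.3.4, mholmes@example.net) and the five-year validity Junos assigns. It shows why a self-signed certificate fails ordinary chain validation and therefore has to be pinned by fingerprint on the client side.

```shell
#!/bin/sh
# Added example (not Junos code): reproduce the page's manual self-signed
# certificate with OpenSSL, then apply the checks an admin would run.
# Assumes openssl >= 1.1.1 and GNU date. Files go to a temp directory.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/self-cert.key"; CRT="$WORK/self-cert.pem"

# Step 1: equivalent of "request security pki generate-key-pair".
# 2048-bit RSA is used here instead of the 1024-bit size shown on the page.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null

# Step 2: equivalent of "generate-self-signed certificate-id self-cert
# subject CN=abc domain-name example.net ip-address 1.2.3.4 email ...".
# Junos self-signed certificates are valid for five years: 5 * 365 = 1825 days.
openssl req -x509 -new -key "$KEY" -out "$CRT" -days 1825 -sha256 \
  -subj "/CN=abc" \
  -addext "subjectAltName=DNS:example.net,IP:1.2.3.4,email:mholmes@example.net" \
  2>/dev/null

# "Self-signed" means issuer and subject are the same entity.
is_self_signed() {
  s="$(openssl x509 -in "$1" -noout -subject)"
  i="$(openssl x509 -in "$1" -noout -issuer)"
  [ "${s#subject=}" = "${i#issuer=}" ] && echo yes || echo no
}

# Validity period in days, from the notBefore/notAfter fields.
validity_days() {
  nb="$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')"
  na="$(openssl x509 -in "$1" -noout -enddate   | sed 's/^notAfter=//')"
  echo $(( ( $(date -d "$na" +%s) - $(date -d "$nb" +%s) ) / 86400 ))
}

# Ordinary chain validation: no CA vouches for the certificate, so this
# reports "no" even though the certificate is well-formed.
chain_verifies() {
  openssl verify "$1" >/dev/null 2>&1 && echo yes || echo no
}

# The SHA-256 fingerprint is what to record on the device side and compare
# against the certificate the browser presents for the HTTPS service.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

echo "self-signed: $(is_self_signed "$CRT"), valid for $(validity_days "$CRT") days"
echo "chain verifies without pinning: $(chain_verifies "$CRT")"
echo "pin this fingerprint: $(fingerprint "$CRT")"
```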
Using Automatically Generated Self-Signed Certificates (CLI Procedure)
After the device is initialized, it checks for the presence of a self-signed certificate. If a self-signed certificate is not present, the device automatically generates one. If the device is rebooted, a self-signed certificate is automatically generated at boot time.
To check the system-generated certificate, run the following command in operational mode:
user@host> show security pki local-certificate system-generated
Notice the Certificate identifier details in the output. The distinguished name (DN) shown for the automatically generated certificate contains the following:
- CN = device serial number
- CN = system generated
- CN = self-signed
Use the following command in configuration mode to specify the automatically generated self-signed certificate to be used for Web management HTTPS services:
[edit]
user@host# set system services web-management https system-generated-certificate
Use the following operational command to delete the automatically generated self-signed certificate:
user@host# exit
user@host> clear security pki local-certificate system-generated
After you delete the system-generated self-signed certificate, the device automatically generates a new one and saves it in the file system.