Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Juniper Security Director® is the next generation on-premises security management product for SRX Series Firewalls and vSRX. For more details, visit Juniper Security Director documentation page or contact your sales team.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Junos Space Security Director Junos Space Security Director User Guide Configure Configuring Policy Enforcer Settings and Connectors

Junos Space Security Director User Guide

keyboard_arrow_up
close
keyboard_arrow_left
Junos Space Security Director User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Configure Certificate-Based Authentication in Policy Enforcer

date_range 07-Jan-25
arrow_backward
arrow_forward

Users typically gain access to resources from an application or system on the basis of their username and password. You can also use certificates to authenticate and authorize sessions among various servers and users. Only one authentication mode is supported at a time and all users are authenticated using the selected authentication mode. In this use case, you’ll learn how to configure certificate-based authentication for a Policy Enforcer user.

Benefits

Certificate-based authentication over a Secure Sockets Layer (SSL) connection is the most secure type of authentication.

Before You Begin

Note:

Only mandatory fields and other required fields are included in the procedures in this use case.

Overview

Starting in Policy Enforcer Release 20.1R1, you can enable certificate-based authentication for the Policy Enforcer user.

The following topology shows Policy Enforcer configured in Junos Space Security Director. The user can configure certificate-based authentication mode and use certificates to gain access to the application.

Generate SSL certificates

Let’s learn how to generate a certification authority (CA) certificate, generate a client certificate and a private key for the SSL client, and then convert the client certificate and private key to Personal Information Exchange-pkcs#12 format for use by web browsers.

Generate a CA certificate

  1. Log in to the Linux server.
  2. Run the following command:

    openssl req -newkey rsa:4096 -keyform PEM -keyout ca.key -x509 -days 3650 -outform PEM -out ca.cer

  3. Enter the PEM passphrase, for example: 1234.

    You’ll need this passphrase while you generate client certificates.

  4. Enter the following details, for example:

    • Country Name: IN

    • State or Province name: KAR

    • Locality Name: BAN

    • Organization Name: Juniper

    • Organization Unit Name: space

    • Common Name: space_user

      The certificate is issued by this name.

    • Email Address: example@juniper.com

    The CA certificate is generated.

Generate Client SSL certificates

  1. Log in to the Linux server.
  2. Run the following command to generate a private key for the SSL client, for example: client1.key.

    openssl genrsa -out client1.key 4096

  3. Run the following command to generate the certificate request, for example: client1.req.

    openssl req -new -key client1.key -out client1.req

  4. Enter the following details for client1, for example:

    • Country Name: IN

    • State or Province name: KAR

    • Locality Name: BAN

    • Organization Name: Juniper

    • Organization Unit Name: space

    • Common Name: space_user1

      The certificate is issued by this name.

    • Email Address: example1@juniper.com

  5. Enter the challenge password, for example: 12345.
  6. Run the following command to issue the client certificate using the certificate request and the CA key, for example: client1.cer.

    openssl x509 -req -in client1.req -CA ca.cer -CAkey ca.key -set_serial 101 -extensions client1 -days 365 -outform PEM -out client1.cer

  7. Enter the passphrase for the ca.key as 1234. This must be the same passphrase that you provided while creating the CA certificate in Step 3.
  8. Run the following command to convert the client certificate and private key to pkcs#12 format for use by web browsers, for example: client1.p12 (Personal Information Exchange file type).

    openssl pkcs12 -export -inkey client1.key -in client1.cer -out client1.p12

  9. Enter the export password, for example 123456.

    You’ll need this password to import the certificate to the web browser.

    The following certificates are generated:

    Similarly, generate client2.cer, client2.key, and client2.p12 certificates with the following details, for example:

    • Country Name: IN

    • State or Province name: KAR

    • Locality Name: BAN

    • Organization Name: Juniper

    • Organization Unit Name: space

    • Common Name: space_user2

      The certificate is issued by this name.

    • Email Address: example2@juniper.com

Note:

In this example, we will use the generated client1 certificates for the Junos Space user (user1) and client2 certificates for the Policy Enforcer user (pe_user).

Copy the Certificates from the Linux Server to Your Local Machine

  1. Log in to the WinSCP client to copy the certificates that you generated from the Linux server to your local machine.

    You can use any file transfer protocol client.

  2. Select the file protocol as SFTP.
  3. Enter the hostname of the Linux server, username, and password, and click Login.
  4. Select the certificate files that you generated in the Linux server, and copy the files to the preferred location on your local machine.

Upload the CA Certificate

Let’s upload the CA certificate or the root certificate to verify user certificates. The private key of the root certificate is used to sign the user certificates, which then inherits the trustworthiness of the root certificate.

To upload a CA certificate:

  1. Log in to Junos Space Network Management Platform.
  2. Select Administration > CA/CRL Certificates.

    The CA CRL Certificates page is displayed.

  3. Click the arrow next to the + icon, and select X.509 CA Certificate.

    The Upload X.509 CA Certificate File page is displayed.

  4. Browse the X.509 CA certificate file (for example: ca.cer) from your local machine that you generated in Generate SSL certificates.
  5. Click Upload.

    A success message is displayed after you upload the valid certificate. You can view the CA certificate details on the CA/CRL Certificates page.

Upload the User Certificate

Let’s upload user certificates to authenticate the Junos Space user by using certificate-based authentication. You need to upload the corresponding certificate for each user for the Junos Space server to authenticate the user. To create a user in Junos Space Network Management Platform, see Create Users in Junos Space Network Management Platform.

To upload the user certificate for an existing user, for example user1:

  1. Log in to Junos Space Network Management Platform.
  2. Select Role Based Access Control > User Accounts.

    The User Accounts page is displayed.

  3. Right-click the Junos Space user, for example: user1, and select Modify User.

    The Modify User page for user1 is displayed.

  4. In the X509 Cert File field, browse the X.509 certificate file (for example: client1.cer) from your local machine that you generated in Generate SSL certificates.
  5. Click Upload.

    A success message is displayed.

Upload X.509 Certificate File in Policy Enforcer

After you configure Policy Enforcer, a new user called pe_user is created. You must add X.509 certificate for the pe_user for seamless certificate-based authentication. Policy Enforcer authenticates with Junos Space Security Director and Junos Space Network Management Platform using certificates in the certificate-based authentication mode.

  1. Log in to Junos Space Security Director.
  2. Select Administration > Policy Enforcer > Settings.

    The Settings page is displayed.

  3. Enable Certificate Based Authentication.

    This provides seamless operation when Junos Space Network Management Platform user switches to certificate-based authentication mode.

  4. Browse the X509 certificate file, for example: client2.cer, and X509 certificate key file, for example: client2.key that you generated in Generate SSL certificates.
  5. Click OK.

After uploading the certificates on the Settings Page, navigate to Junos Space Network Management Platform, select User > Role Based Access control > User Accounts. Right-click the pe_user, and select Modify User. Here, you can view the certificate details uploaded for the pe_user.

Configure the Web Browser Settings

You must import the Personal Information Exchange-pkcs#12 file type certificate uploaded to the Junos Space user (user1) on all the supported web browser settings page. In this example, let’s upload the client1.p12 on Google Chrome to enable certificate-based authentication.

  1. Open the Google Chrome web browser.
    Note:

    You can use any supported web browser.

  2. Click on the ellipsis icon on the top-right corner of the web browser, and select Settings.
  3. Select Security and Privacy.

    The Security and Privacy page is displayed.

  4. Select Security.

    The Security page is displayed.

  5. Select Manage Certificates.

    The Certificates page is displayed.

  6. Click Import.

    The Certificate Import Wizard is displayed.

  7. Browse the personal information file type, for example: client1.p12.

    You must select the personal information file type of the same certificate that you selected for the Junos Space Network Management Platform user (user1) as in Upload the User Certificate.

  8. Click Next.
  9. Enter the password for the private key as 123456. You must use the same password that you provided in Step 9 while creating the client1 certificates.
  10. Browse the location to store the certificate.

    A summary of certificate details is displayed.

  11. Click Finish.

    A pop-up is displayed confirming the import of new private exchange key.

  12. Click OK.

    A success message is displayed and the certificate is added to your web browser settings.

Change the User Authentication Mode to Certificate-Based Authentication Mode

Now let’s change the authentication mode from password-based to complete certificate–based for users to get authenticated on the basis of their certificates.

  1. Log in to Junos Space Network Management Platform.
  2. Select Administration > Application.
  3. Right-click Network Management Platform, and select Modify Application Settings.

    The Modify Network Management Platform Settings page is displayed.

  4. Select User.

    The User page is displayed.

  5. Select the Use X509 Certificate Complete Certificate option as the authentication mode.

    The Change Summary page is displayed.

  6. Click Confirm to enable the certificate-based authentication.

    When you change the authentication mode, all existing user sessions, except that of the current administrator who is changing the authentication mode, are automatically terminated and the users are forced to log out.

Verify the Certificate-Based Authentication Mode

Purpose

Let’s verify that you can log in to Junos Space Network Management Platform using certificates.

Action

  1. Access the Junos Space Network Management Platform application.

    The following pop-up is displayed.

  2. Click OK.

    The Security Page is displayed.

  3. Click Allow.

    The user1 is logged in to the Junos Space Network Management application without providing any username and password.

Troubleshoot Authentication Issues

Problem

Description

You must follow all the steps in the previous sections to enable certificate-based authentication. However, if you are restricted from logging in by using certificate–based authentication mode, then you can change the authentication mode to password-based from the CLI.

Solution

To change the authentication mode to password-based authentication from the CLI:

  1. Log in to the CLI of the Junos Space server VIP node.

  2. Navigate to the following directory: /var/www/cgi-bin.

  3. Type the following command:

    ./setSpaceAuthMode password-based

    The authentication mode is changed to password-based, and you can login with the username and password.

arrow_backward PREVIOUS Policy Enforcer Backup and Restore
NEXT arrow_forward Using Guided Setup for Juniper ATP Cloud with Juniper Connected Security
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top