Multiple Certificates and Domains Configuration (CLI Procedure)
Overview
In this configuration, you create multiple certificates with multiple domain names on the SRX Series Firewall.
Before you begin, as an administrator:
- Complete the basic setup of the SRX Series Firewall.
- Identify the domain names to be associated with Juniper Secure Connect. These are mapped to the Juniper Secure Connect connection profiles, which are URLs in FQDN or FQDN/RealmName format. See Table 1 for the sample domain names and certificates used in this configuration.
- If you need to map multiple domain names to a single certificate, make sure that you generate the certificate externally. If you have a Let's Encrypt certificate, make sure it is generated using the Let's Encrypt server. See ACME Protocol.
Table 1: Sample Domain Names and Certificates

| Domain Name | Certificate |
|---|---|
| srx.example.com | internal |
| gateway.example.com | external |
| gateway1.example.com | letsencrypt |
| gateway2.example.com | letsencrypt |
Configure the gateway certificates for the domain names used in these URLs on your SRX Series Firewall with the configuration statements in the procedure below.
Configure Multiple Certificates and Domains
To configure multiple certificates and multiple domains using the command line interface:
- Log in to your SRX Series Firewall using the command line interface (CLI).
- If you need a self-signed certificate, generate a public key infrastructure (PKI) public/private key pair for each local digital certificate on the SRX Series Firewall:
    user@host> request security pki generate-key-pair size 2048 type rsa certificate-id internal
    user@host> request security pki generate-key-pair size 2048 type rsa certificate-id external
- Manually generate and load the self-signed certificate(s). You can also load an externally generated, CA-signed certificate instead:
    user@host> request security pki local-certificate generate-self-signed certificate-id internal subject DC=example.com CN=srx domain-name srx.example.com
    user@host> request security pki local-certificate generate-self-signed certificate-id external subject DC=example.com CN=gateway domain-name gateway.example.com
- Enter configuration mode.
- Configure multiple domains using the virtual-domain option and associate each domain with its corresponding certificate. Ensure that you generate the certificate externally. If you have a Let's Encrypt certificate, see ACME Protocol.
    user@host# set system services web-management https virtual-domain srx.example.com pki-local-certificate internal
    user@host# set system services web-management https virtual-domain gateway.example.com pki-local-certificate external
- Configure a single certificate with multiple domain names. Ensure that you generated these certificates separately. See ACME Protocol.
    user@host# set system services web-management https virtual-domain gateway1.example.com pki-local-certificate letsencrypt
    user@host# set system services web-management https virtual-domain gateway2.example.com pki-local-certificate letsencrypt
- When you are done configuring the feature on your device, enter commit from configuration mode.
Your end users can now use the corresponding certificates to initiate a connection. This ensures that, when the Juniper Secure Connect application initiates a connection, the server-side certificate is validated and trusted, provided that the corresponding certificate is loaded in the Juniper Secure Connect client.
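The following Python script is an added example and is not Juniper's own tooling. It takes the domain-to-certificate mapping from Table 1, renders the same operational-mode and configuration-mode statements the procedure above shows, and separates the two cases the page distinguishes: a certificate used by exactly one domain, which can be generated as a self-signed local certificate on the SRX, and a certificate shared by several virtual-domains, which the page requires you to generate externally. The script assumes (this is not stated on the page) that such an externally generated certificate must list every domain bound to it in its Subject Alternative Name (SAN) extension, and the `missing_san_entries` check flags any bound domain the SAN list does not cover. The function names and the SAN sample list are constructed for the example.

```python
"""Render and sanity-check the SRX statements for a domain-to-certificate map.

Added example for this page, not Juniper tooling. Assumption (not stated on
the page): a certificate-id shared by several virtual-domains is generated
externally (e.g. via ACME) with every one of those domains in its Subject
Alternative Name (SAN) list, while a certificate used by exactly one domain
is a self-signed local certificate created on the SRX.
"""
from collections import defaultdict

# Domain name -> certificate-id, copied from Table 1 on this page.
TABLE_1 = {
    "srx.example.com": "internal",
    "gateway.example.com": "external",
    "gateway1.example.com": "letsencrypt",
    "gateway2.example.com": "letsencrypt",
}


def domains_per_certificate(mapping):
    """Invert domain -> certificate-id into certificate-id -> [domains]."""
    by_cert = defaultdict(list)
    for domain, cert_id in mapping.items():
        by_cert[cert_id].append(domain)
    return dict(by_cert)


def shared_certificates(mapping):
    """Certificate-ids bound to more than one virtual-domain. The page requires
    these to be generated externally (see ACME Protocol); the assumption here
    is that all of their domains must appear in the certificate's SAN list."""
    return sorted(cert for cert, doms in domains_per_certificate(mapping).items()
                  if len(doms) > 1)


def self_signed_commands(mapping, key_size=2048):
    """Operational-mode commands (key pair + self-signed certificate) for each
    certificate-id used by exactly one domain, in the form the page shows:
    subject DC=<parent domain> CN=<host label>."""
    commands = []
    for cert_id, domains in domains_per_certificate(mapping).items():
        if len(domains) != 1:
            continue  # shared certificate: generated externally, nothing to run
        domain = domains[0]
        host_label, _, parent = domain.partition(".")
        commands.append(
            f"request security pki generate-key-pair size {key_size} type rsa "
            f"certificate-id {cert_id}")
        commands.append(
            f"request security pki local-certificate generate-self-signed "
            f"certificate-id {cert_id} subject DC={parent} CN={host_label} "
            f"domain-name {domain}")
    return commands


def virtual_domain_statements(mapping):
    """Configuration-mode statements binding each virtual-domain to its certificate."""
    return [f"set system services web-management https virtual-domain {domain} "
            f"pki-local-certificate {cert_id}"
            for domain, cert_id in mapping.items()]


def missing_san_entries(cert_id, san_names, mapping):
    """Domains bound to cert_id that are absent from the certificate's SAN list.

    san_names is the DNS name list of the externally generated certificate (for
    example as printed by `openssl x509 -noout -ext subjectAltName`). Matching is
    exact and case-insensitive; wildcard SAN entries are deliberately not
    expanded in this example. A non-empty result means clients connecting to
    those domains will fail hostname validation against this certificate."""
    san = {name.lower() for name in san_names}
    return [d for d in domains_per_certificate(mapping).get(cert_id, [])
            if d.lower() not in san]


if __name__ == "__main__":
    for line in self_signed_commands(TABLE_1):
        print("user@host>", line)
    for line in virtual_domain_statements(TABLE_1):
        print("user@host#", line)
    print("externally generated:", shared_certificates(TABLE_1))
    # Constructed SAN list that covers only gateway1, to show the check firing.
    print("missing SAN entries:", missing_san_entries(
        "letsencrypt", ["gateway1.example.com"], TABLE_1))
```

Running the script prints the four `request` commands for the `internal` and `external` certificates, the four `set ... virtual-domain` statements, and reports `letsencrypt` as the certificate that must come from outside the box; the constructed SAN list then reports `gateway2.example.com` as uncovered, which is the condition to check before committing the configuration.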