Visitor
ewitkop
Posts: 3
Registered: ‎01-26-2009
0

Turning on SSL on J2320

Hi,

 

I am trying to turn on SSL on the web configuration portal. I created an openssl private and public key. I then pasted both of them into the SSL section of the administrative portal and then selected my new certificate in the SSL section. The JUNOS seems to accept it. Yet it does not listen on 443.

 

  • What size key should I use, e.g. 1024, 2048, etc.?
  • Do I paste in both public and private?
  • Do I include the header and footer, e.g. -----BEGIN CERTIFICATE-----?


I have followed the instructions and it simply doesn't work.

Juniper Employee
MR
Posts: 26
Registered: ‎11-06-2007
0

Re: Turning on SSL on J2320

Are you using JUNOS with enhanced services? Can you also add your configuration here for checking?

 

Thanks

Visitor
ewitkop
Posts: 3
Registered: ‎01-26-2009
0

Re: Turning on SSL on J2320

 How can I tell if I have an enhanced image? This is my config below. It is from a test lab, so nothing is production.

 

erik@ewitkop-test-j# show
## Last changed: 2009-01-27 04:39:14 UTC
version 8.4R1.13;
system {
    host-name ewitkop-test-j;
    domain-name root;
    root-authentication {
        encrypted-password "$1$g1Mjp4WE$5FqrM7lzFYDMHBET5CkMi0"; ## SECRET-DATA
    }
    login {
        user erik {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$omsbXiVZ$EPQGxlbnw.9o3PExMdI5O/"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        web-management {
            http {
                interface [ ge-0/0/0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ];
            }
            https {
                port 443;
                local-certificate test;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
}
routing-options {
    static {
        route 5.5.5.0/24 next-hop 192.168.1.22;
        route 6.6.6.0/24 next-hop 1.1.1.1;
    }
}
class-of-service {
    classifiers {
        dscp voip {
            forwarding-class expedited-forwarding {
                loss-priority low code-points ef;
            }
        }
    }
}
security {
    certificates {
        local {
            erik {
                "-----BEGIN CERTIFICATE-----\n[base64 body omitted]\n-----END CERTIFICATE-----\n"; ## SECRET-DATA
            }
            test {
                "-----BEGIN RSA PRIVATE KEY-----\n[base64 body omitted]\n-----END RSA PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\n[base64 body omitted]\n-----END CERTIFICATE-----\n"; ## SECRET-DATA
            }
        }
    }
    pki;
}

[edit]
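A pre-flight check for a PEM string like the one stored under `security certificates local` above, added here as an example and not taken from the thread or from Juniper: it lists which PEM blocks a pasted string contains, confirms each body is valid base64, and reports the RSA key size. The function names are hypothetical, only PKCS#1 `RSA PRIVATE KEY` blocks are parsed, the 2048-bit threshold is an assumption based on current general guidance rather than anything stated in the thread, and the sample key is constructed.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Modulus size of a PKCS#1 RSAPrivateKey: SEQUENCE { version, n, ... }."""
    tag, pos, _ = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = der_tlv(der, pos)      # skip the version INTEGER
    _, start, end = der_tlv(der, pos)  # modulus INTEGER
    return int.from_bytes(der[start:end], "big").bit_length()

def inspect_bundle(text, min_bits=2048):
    """List the PEM blocks in text; flag undecodable bodies and short RSA keys."""
    text = text.replace("\\n", "\n")   # the config above shows newlines as literal \n
    labels, problems = [], []
    for label, body in PEM_RE.findall(text):
        labels.append(label)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            if label == "RSA PRIVATE KEY" and rsa_modulus_bits(der) < min_bits:
                problems.append(f"RSA key shorter than {min_bits} bits")
        except (ValueError, IndexError) as exc:
            problems.append(f"{label}: {exc}")
    return labels, problems

def _der(tag, payload):  # minimal DER encoder, only for the constructed sample
    size, n = (len(payload).bit_length() + 7) // 8, len(payload)
    head = [n] if n < 0x80 else [0x80 | size, *n.to_bytes(size, "big")]
    return bytes([tag, *head]) + payload

def sample_key(bits):
    """Constructed key-shaped PEM with a dummy modulus; not a usable key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    body = base64.b64encode(_der(0x30, _der(0x02, b"\x00") + _der(0x02, n))).decode()
    return f"-----BEGIN RSA PRIVATE KEY-----\\n{body}\\n-----END RSA PRIVATE KEY-----\\n"
```

Calling `inspect_bundle(sample_key(1024))` returns the block labels together with a short-key finding; a real bundle can be passed in as the string read from a file.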

Juniper Employee
MR
Posts: 26
Registered: ‎11-06-2007
0

Re: Turning on SSL on J2320

You can do a show version to check if you are running JUNOS with enhanced services. JUNOS with enhanced services is only available from 8.5 onwards; since you are running 8.4, you are using regular JUNOS.

 

You do not need to copy the header and footer for the certificate. Also you do not need to copy the public key. 

 

Can you install the cert without the header and footer and try again? Also try to reboot the router after the cert is installed.

 

Do you want to use 8.4r1.13? I would suggest upgrading to the latest 8.5r4.

Visitor
ewitkop
Posts: 3
Registered: ‎01-26-2009
0

Re: Turning on SSL on J2320

DOH!

 

So I tried to upgrade my J2320 to 8.5 and 9.0 and each time I got the same error:

 

root@ewitkop-test-j> request system software add validate unlink no-copy ju...
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_8_4_0
Using /cf/var/tmp/junos-jsr-8.5R3.4-domestic.tgz
Checking junos requirements on /
Available space: 112948 require: 64293
mv: rename /cf/sbin/preinit to /cf/sbin/preinit.bak: No such file or directory
Verified manifest signed by PackageProduction_8_5_0
mtree: line 101: unknown user bind
mtree: line 101: unknown user bind
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
Network security daemon: [edit groups junos-defaults applications]
Network security daemon:   'application junos-icmp-all'
Network security daemon:     Unsupported application protocol id.
Network security daemon: [edit groups junos-defaults applications]
Network security daemon:   'application'
Network security daemon:     Error processing application object
mgd: error: configuration check-out failed
Validation failed
WARNING: Current configuration not compatible with /cf/var/tmp/junos-jsr-8.5R3.4-domestic.tgz

root@ewitkop-test-j> 

 

 

According to the release notes, it all has to be done via the console, which I did.

 

Do I have to run validate?

 

Is there some hardware that 8.5 does not like?

Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007
0

Re: Turning on SSL on J2320

The junos-jsr image is JUNOS with enhanced services. To migrate from JUNOS to JUNOS with enhanced services, you need to follow the Migration Guide, which is downloadable from the Juniper support website. Also, upgrading from packet-based JUNOS to JUNOS with enhanced services requires the no-validate option when performing the 'request system software add' function. Check out the two Knowledgebase articles for some details.

 

KB10317

KB10561

 

Note that beginning with JUNOS with enhanced services version 9.1, you can use a system-generated self-signed cert for https management. Once upgraded to the junos-jsr image, set the configuration below to enable the system-generated cert.

 

Example:

set system services web-management https system-generated-certificate

 

-Richard
