SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Device Certificate for SRX?

    Posted 08-01-2011 13:34

    Hi All

     

    I am to load the device certificate on the SRX so that it does not show the warning message. To generate the device certificate for SSL VPN/IC, my experience is to create the certificate request (CSR) on the device, give it to the CA to sign and generate the device certificate, and then upload it to the device.

     

    In the case of the SRX, how do I generate the certificate request, or is there some other procedure?

     

    Thanks



  • 2.  RE: Device Certificate for SRX?
    Best Answer

     
    Posted 08-01-2011 14:12

    I believe I wrote up a howto for this (at least generating a certificate and installing it on an SRX).  You can find it here:  http://forums.juniper.net/t5/SRX-Services-Gateway/Root-CA-OpenSSL-SRX240/m-p/28938/highlight/true#M1041

     

    You should be able to use this certificate for a purpose other than WebUI (which is what I wrote it for).

     

    At least it will show you how to generate/sign a certificate for your device, even if it doesn't show how to configure VPN to use it for auth.

     

     

    Hope this helps.



  • 3.  RE: Device Certificate for SRX?

    Posted 08-02-2011 13:23

    Thanks, dear. Just one last thing. In your post:

     

    user@srx240-01# set security pki ca-profile dc01 ca-identity MyCA revocation-check disable crl disable on-download-failure

     

    What is the purpose of the above command, and what is ca-identity? Should it match the CA root certificate name?

     

    Thanks



  • 4.  RE: Device Certificate for SRX?

     
    Posted 08-02-2011 13:48

    I believe (it's been a while) that this means to use the CA represented by MyCA and not check the revocation status of the CA, and also to not disable the CA if the CRL (the revocation list specified in the certificate) cannot be downloaded.

     

    The ca-identity, well, I don't recall if the CA root certificate name has to be used for the ca-identity, but the ca-identity does represent the root CA certificate.

     

    Again, it's been ?2? years, and it is only used if you use the WebUI or VPNs.   Also, I haven't had to set one up since I did the one in my example...

    Sorry.
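
The request, sign and load flow asked about in this thread, as an added example that is not taken from the thread or from the linked how-to. The certificate-id `srx-web`, the hostname, the subject and the file paths are assumptions; `dc01` and `MyCA` come from the command quoted in post 3. The key pair is generated on the SRX and only the CSR is handed to the CA.

```junos
# Added example, not from the thread. Assumed names: certificate-id srx-web,
# host srx240-01.example.com, files under /var/tmp.

# 1. Operational mode: create the key pair and the CSR on the SRX itself.
request security pki generate-key-pair certificate-id srx-web size 2048
request security pki generate-certificate-request certificate-id srx-web domain-name srx240-01.example.com subject "CN=srx240-01.example.com,O=Example" filename /var/tmp/srx-web.csr

# 2. Have the CA sign /var/tmp/srx-web.csr, then copy the signed certificate
#    and the CA's own certificate back to /var/tmp on the device.

# 3. Configuration mode: define the CA profile the device will trust.
set security pki ca-profile dc01 ca-identity MyCA
# Revocation checking switched off entirely for this CA:
set security pki ca-profile dc01 revocation-check disable
# Alternative: keep CRL checking, but still accept certificates when the
# CRL cannot be downloaded:
# set security pki ca-profile dc01 revocation-check crl disable on-download-failure
commit

# 4. Operational mode: load the CA certificate, then the signed device
#    certificate, and confirm that it is bound to the key pair from step 1.
request security pki ca-certificate load ca-profile dc01 filename /var/tmp/ca.pem
request security pki local-certificate load certificate-id srx-web filename /var/tmp/srx-web.pem
show security pki local-certificate certificate-id srx-web detail

# 5. Configuration mode: present the certificate on the HTTPS WebUI.
set system services web-management https pki-local-certificate srx-web
commit
```

With `revocation-check disable`, a certificate the CA has revoked is still accepted, so that setting suits a lab CA rather than a production one.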