SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Trouble adding a self-signed cert for HTTPS

    Posted 11-13-2011 15:01

    Hi, I am having trouble installing a self-signed certificate to use for HTTPS access.  I am using Junos 11.2r3 on an SRX 210, and I am following this KnowledgeBase article (Method #2), but I think it is missing a step:

     

    How to: Auto-generate Self-signed Certificate in JUNOS with Enhanced Services

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB11611&smlogin=true

     

    When I go to commit I get the following error:

    [edit system services web-management https local-certificate]
      'local-certificate pl-cert-01'
        certificate must be configured under 'security certificates local'
    error: commit failed: (statements constraint check failed)

     

    I have attempted to look for any information about this command (security certificates local) but can't find any.  It is there in Junos 11.2, but not in the Security CLI Reference or anything else I can find online.  The KB article has you create the self-signed cert in one step and then set the https server to use it.  The commit error complains that it isn't loaded or recognized in the security settings as a cert.

     

    I can do 'show security pki local-certificate' and see my certificate, and it had no problem when I set it to be used for the HTTPS connection (its certificate ID was recognized).

     

    The 'set security certificates local ?' gives these options:

    Possible completions:
      <certificate>        Certificate and private key string
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      load-key-file        File (URL) containing an SSL certificate and private key in PEM format

     

    I tried to paste in the content of the output from 'show security pki local-certificate detail', but that didn't seem to work.  I know that they want me to configure the certificate in the security settings first, but I can't seem to figure out how, and I can't seem to be able to find the right search terms to find it on my own.

     

    Any help would be appreciated.



  • 2.  RE: Trouble adding a self-signed cert for HTTPS
    Best Answer

    Posted 11-14-2011 05:37

    Hi Andrew,

     

    That article is a little bit out of date - you need to specify pki-local-certificate instead of local-certificate under the https configuration:

     

     

    bdale@srx210> request security pki generate-key-pair size 2048 certificate-id MYCERT
    Generated key pair MYCERT, key size 2048 bit
    
    bdale@srx210> request security pki local-certificate generate-self-signed certificate-id MYCERT domain-name mydomain.com email me@mydomain.com ip-address 172.16.10.254 subject DC=com,CN=mydomain,OU=IT,O=MyDomain,L=Australia,ST=QLD,C=Australia 
    Self-signed certificate generated and loaded successfully
    
    [edit]
    bdale@srx210# set system services web-management https pki-local-certificate MYCERT

     Hope this helps

     



  • 3.  RE: Trouble adding a self-signed cert for HTTPS

    Posted 11-14-2011 10:05

    Thanks for your help dfex, that fixed my problem.  After issuing the 'set system services web-management https pki-local-certificate MYCERT' I was able to use the certificate for my HTTPS management access.

     

    Thanks again, I truly appreciate it.



  • 4.  RE: Trouble adding a self-signed cert for HTTPS

    Posted 11-14-2011 11:20

    Actually, I just wanted to ask this real fast because I have to know.  In the input for the command to generate the self-signed certificate, in the subject one of the fields is DC=<Domain Component>.  This isn't in the documentation and I can't find anything online about it.  I guess it is non-standard or something.  All of the other fields like CN (Common Name) and OU (Organizational Unit) are standard and I recognize those, but DC was a curve-ball to me.

     

    In the 11.2 CLI Reference it doesn't list DC, just the others, and I couldn't find anything in the Release Notes.  In your example you used 'com', but I would like to know more about this and what it specifically does or is asking for.

     

    Thanks



  • 5.  RE: Trouble adding a self-signed cert for HTTPS

    Posted 11-14-2011 11:48

    I kind of jumped the gun a little early on that last question.  It seems there is a little bit of information that I was able to find on the DC field in SSL certs.

     

    I eventually ended up reading RFC 2377 "Naming Plan for Internet Directory-Enabled Applications"

    http://www.ietf.org/rfc/rfc2377.txt

     

    It seems that the DC field is not standard as far as I can tell, but is there for applications that can make use of it to provide a DNS like directory.  What I did figure out is that if the address for your organization is test-domain.com, then the correct values would be DC=test-domain,DC=com

     

    If anyone knows of a more-straightforward and up-to-date place for information on the DC (Domain Component) field, please let me know.



  • 6.  RE: Trouble adding a self-signed cert for HTTPS

     
    Posted 11-21-2011 19:45

    DC is the domain component (everything except for the hostname) in the format DC=xxxx,DC=yyyy, etc.

    so srx240.norcross.atlanta.company.local

    would be

    DC=norcross,DC=atlanta,DC=company,DC=local

     

     

    There is another tag (that I forget) that replaces DC=xx,DC=yy with ??=xx.yy, but I forget what it is.  Both may be valid.

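The two replies above describe how a DNS name maps onto DC= components and how a Junos-style subject string is built. The following is an added example, not code from the thread or from Juniper: a small Python 3 (standard library only) helper that derives the DC= sequence from a domain or hostname in the RFC 2253 string form (most-specific RDN first), parses a subject string of the kind passed to 'request security pki local-certificate generate-self-signed', and checks whether its DC components spell a given domain. The hostname, subject string and function names are assumptions made up for the example.

```python
"""Build and check X.509 subject strings that use domain-component (DC) RDNs."""
import re

# Constructed sample inputs for this example (not taken from any device).
# EXAMPLE_SUBJECT mirrors the form of the subject used in the CLI command above.
EXAMPLE_FQDN = "srx240.norcross.atlanta.company.local"
EXAMPLE_SUBJECT = "DC=com,CN=mydomain,OU=IT,O=MyDomain,L=Australia,ST=QLD,C=Australia"


def domain_components(name, drop_hostname=False):
    """Return the DC= RDN sequence for a DNS name, most-specific label first.

    RFC 2247 (referenced by the RFC 2377 naming plan) maps a DNS name to a DN
    one label per DC RDN, and the RFC 2253 string form lists RDNs from most
    specific (leftmost) to least specific.  When `drop_hostname` is set the
    first label is treated as a hostname and left out, since the host itself
    normally goes in CN rather than DC.
    """
    labels = [lbl for lbl in name.strip().rstrip(".").lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    if drop_hostname and len(labels) > 1:
        labels = labels[1:]
    return ",".join("DC=%s" % lbl for lbl in labels)


# Split on commas that are not escaped with a backslash (RFC 2253 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_subject(subject):
    """Parse 'ATTR=value,ATTR=value' into an ordered list of (ATTR, value)."""
    pairs = []
    for rdn in _RDN_SPLIT.split(subject):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def dc_domain(subject):
    """Reassemble the DNS domain spelled out by the DC RDNs of a subject."""
    return ".".join(v for a, v in parse_subject(subject) if a == "DC")


def subject_matches_domain(subject, domain):
    """True when the subject's DC components spell exactly `domain`."""
    return dc_domain(subject).lower() == domain.strip().rstrip(".").lower()


if __name__ == "__main__":
    print(domain_components(EXAMPLE_FQDN, drop_hostname=True))
    print(parse_subject(EXAMPLE_SUBJECT))
    print(dc_domain(EXAMPLE_SUBJECT), subject_matches_domain(EXAMPLE_SUBJECT, "mydomain.com"))
```

Run against the constructed inputs, the hostname case gives DC=norcross,DC=atlanta,DC=company,DC=local and the organization case 'test-domain.com' gives DC=test-domain,DC=com, matching both replies. Note that the subject in the CLI example earlier in the thread carries only DC=com with the organization name in CN, so `subject_matches_domain` returns False for mydomain.com there; a subject of the form DC=mydomain,DC=com,CN=... is what the check expects.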


  • 7.  RE: Trouble adding a self-signed cert for HTTPS

    Posted 11-15-2011 05:25

    Thanks Andrew and dfex for bringing this up.

     

    We have updated the KB to make it correct for the current versions of Junos.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB11611

     

    Kind regards,

    Casper

     



  • 8.  RE: Trouble adding a self-signed cert for HTTPS

    Posted 11-16-2011 07:37

    Just noticed a strange bug in J-Web after doing this.  When you are in Configure -> System Properties -> Management Access and use Edit, if you go to the Services tab, you are unable to click 'OK' because it complains that you need to set a certificate for HTTPS access.  The issue is that in the web GUI to enable HTTPS there is a dropdown to choose a cert, but the only available option is system-generated-certificate (which is the default one, not my self-signed cert), so I just leave that blank (the server is still using my cert).

    I was messing around in that tab and just noticed it.