Applying SSL cert to EX4300 - not a PEM format

‎08-23-2019 07:58 AM



At our organization we have several remote EX4300's and EX4200's (which are in the process of being migrated to all EX4300's very soon). I was attempting to follow this KB to apply an SSL certificate for these devices:



We are attempting to use an internal CA to generate certificates for these switches, but unfortunately the CA we have does not support a .PEM due to the CA not being able to provide the private key (the option to export this is grayed out). The team that administers the CA has informed me that they can provide .PFX and .CRT, but I cannot find any documentation about how to apply these types of SSL certificates to the switch - I can only find documentation for self-signed certificates and .PEM.


You will have to forgive me because I am not particulary well-versed in certificate creation and implementation, but I was wondering if anyone would be able to point me in the right direction to use a different format than .PEM or self-signed in a similar fashion to the knowledge base article I have linked above. If I am leaving out any pertinent information for this question, please let me know so that I can provide it by engaging the team that manages the CA.


This is my first post in this community so please forgive me if I have posted it to the wrong forum - I will happily post it somewhere else if this question is suited for a better location. I have been working on this issue for quite some time and I have not been able to get any traction.





Re: Applying SSL cert to EX4300 - not a PEM format

[ Edited ]
‎08-23-2019 09:43 AM

Hey GT21,


Welcome to J-Net Community!!!


From the following technical documentation(https://www.juniper.net/documentation/en_US/release-independent/nce/topics/reference/general/pki-exa...), Junos supported certificate formats are X.509 or PKCS7, DER or PEM.


Excerpt from the above document:


Which certificate formats does Junos OS support?

Junos OS follows the PKI profile described in RFC 3280 and supports:

  • Installation of end-entity (EE) or CA certificate

  • Encode, including the X.509 or PKCS7, DER or PEM

  • Compatibility with X.509 v3 and handling of extensions defined in RFC3280.

Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!