How do I regenerate system-generated-certificate on SRX240 cluster without reboot

‎10-18-2011 05:04 PM

I need to remove my externally created SSL certificate from the web-management and go back to a self-generated cert. I've pulled the old cert out of the configs and the new ones look like this:

set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system services web-management https interface reth3.0
set system services web-management https interface reth2.0

 

The other related configs haven't changed, i.e.:

set security zones security-zone prod interfaces reth3.0

set security zones security-zone prod host-inbound-traffic system-services ping
set security zones security-zone prod host-inbound-traffic system-services ssh
set security zones security-zone prod host-inbound-traffic system-services https
set security zones security-zone prod host-inbound-traffic system-services traceroute
set security zones security-zone prod host-inbound-traffic system-services snmp

 

I can't get into the web console. Using openssl s_client I see that the old cert info is still in use.

I've tried to disable web-management and take https out of the host-inbound-traffic on all of the involved interfaces, committed, then added it back in, but the old cert still shows up when I use s_client.

I found KB11611 but do not want to reboot.

This is on an SRX240 cluster running 10.4R3.4.

 

 

Any help would be appreciated. I don't want to bug JTAC for this just yet.

 

 

2 REPLIES 2

Re: How do I regenerate system-generated-certificate on SRX240 cluster without reboot

‎10-18-2011 11:38 PM

I would play around with

"request security pki local-certificate..."


Re: How do I regenerate system-generated-certificate on SRX240 cluster without reboot

‎11-19-2013 04:19 AM

Hi,

I hope you have resolved this issue. This update is for the wider audience.

If you have any issues with system-generated certificates, you can regenerate them without rebooting the SRX.

Use the following operational command to delete the automatically generated self-signed certificate:

 

user@host> clear security pki local-certificate system-generated

After you delete the system-generated self-signed certificate, the device automatically generates a new one and saves it in the file system.

 

Regards,

rparthi
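
Added example, not part of the posts above: a way to confirm from a management host that every HTTPS listener (the thread's fxp0.0, reth2.0 and reth3.0) stopped presenting the old certificate after the clear, by comparing SHA-256 fingerprints instead of reading s_client output by eye. The function names, addresses and sample certificates are assumptions constructed for illustration.

```python
import hashlib
import ssl


def fingerprint(pem):
    """SHA-256 of the certificate's DER bytes, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_pem(host, port=443):
    """Return whatever certificate the listener presents. No chain validation
    is done, so a self-signed certificate is retrieved rather than rejected."""
    return ssl.get_server_certificate((host, port))


def stale_listeners(old_pem, served):
    """served maps listener address -> PEM it presents now.
    Returns the addresses still presenting the old certificate."""
    old = fingerprint(old_pem)
    return sorted(addr for addr, pem in served.items() if fingerprint(pem) == old)


# Constructed sample data: placeholder bytes wrapped as PEM, not real X.509.
OLD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-old-external-cert")
NEW_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-new-system-generated-cert")
SAMPLE_SERVED = {
    "192.0.2.10": NEW_PEM,  # stands in for the fxp0.0 address
    "192.0.2.20": OLD_PEM,  # stands in for reth2.0, still on the old cert
    "192.0.2.30": NEW_PEM,  # stands in for the reth3.0 address
}

if __name__ == "__main__":
    # Live use: save fetch_pem(addr) before the clear, then build `served`
    # from fetch_pem(addr) for each management address afterwards.
    for addr in stale_listeners(OLD_PEM, SAMPLE_SERVED):
        print("still serving old certificate:", addr)
```

Any address the function returns is a listener whose web-management process has not picked up the regenerated certificate yet.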
