SRX Services Gateway
SRX Services Gateway

SSL Certificate(s) for J-Web Access

‎07-04-2019 03:08 AM

I would like to rid myself of the pesky browser warnings about insecure HTTPS access to J-Web on my SRX devices. How can this be achieved with the minimum amount of administrative effort? It is not a problem if there is some cost involved in obtaining the certificates from an appropriate authority, but as access is only required via the internal network I'm guessing the solution is some kind of self-signed effort combined with some browser tweaking.

8 REPLIES 8
SRX Services Gateway

Re: SSL Certificate(s) for J-Web Access

‎07-04-2019 03:56 AM

Hi,

 

This is expected with the system-generated certificate when used for the HTTPS access. You need a local certificate which is trusted and signed.

 

I understand that you access the device internally in which case this might help. By generating your own SSL certificate.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB15201

 

https://www.redelijkheid.com/blog/2011/3/11/configure-ssl-certificate-for-juniper-j-web-interface.ht...

 

Let me know the results.

 

Thanks,
Pradeep
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

 

SRX Services Gateway

Re: SSL Certificate(s) for J-Web Access

‎07-04-2019 04:07 AM

Thank you for your reply.

 

I have seen both articles in my prior search. The first requires a Linux server, which I do not have access to, and the second must be out-of-date (2011) or contain error(s) in the instructions, as I tried to follow them, but a required option is greyed out.

SRX Services Gateway

Re: SSL Certificate(s) for J-Web Access

‎07-04-2019 04:16 AM

Are you running an internal Certificate Authority in your. server infrastructure?

Since you don't have Linux servers are your running Windows so may have the CA role enabled along with Active Directory?

 

If you have a CA, on the Junos device make a cerfiticate request.

https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/request-security-...

 

Then submit this on the Microsoft web interface for your CA role server.  The server will issue the certificate with the requests url and parameters.  Setup the DNS name that matches on your internal DNS servers.  

 

And then load the certificate on the Junos .

https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/request-security-...

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
SRX Services Gateway

Re: SSL Certificate(s) for J-Web Access

[ Edited ]
‎07-04-2019 05:59 AM

Thank you for your considered and detailed response Steve.

 

I don't currently have access to a CA, but will do in the near future. So unless there's an easy way to do it without one, I will hold off. However, I do have one question: will I need to distribute the certificates to clients via Group Policy so any client can access J-Web without being troubled by warning message?

SRX Services Gateway

Re: SSL Certificate(s) for J-Web Access

‎07-04-2019 06:21 AM
Yes, CA certificate can be distributed to clients via Group Policy if you have lots of clients.
BTW, where you stuck while trying with XCA tool?
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
SRX Services Gateway

Re: SSL Certificate(s) for J-Web Access

‎07-04-2019 07:32 AM

Thank you for your contribution Nellikka.

 

RE: XCA. On the Source tab of 'Create X509 Certificate', I am unable to select 'Use this certificate for signing' as shown in the screenshot, but I'm guessing the instructions are geared towards a different scenario.

SRX Services Gateway

Re: SSL Certificate(s) for J-Web Access

‎07-04-2019 07:58 AM

I think you did not create root ceritificate first. Please follow this url to create root certificate and then follow previous links:

https://campus.barracuda.com/product/campus/doc/28475773/how-to-create-certificates-with-xca/

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Highlighted
SRX Services Gateway
Solution
Accepted by topic author EMTSU
‎07-10-2019 12:54 AM

Re: SSL Certificate(s) for J-Web Access

‎07-04-2019 08:40 AM

when you create a Microsoft Active Directory with a CA. 

then join computers to the domain.

These computers will have the CA as a trusted authority installed on them.

So all the certificates you issue from that CA will be trusted then by these computers and no longer generate that error message in the browser.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home