Local certificate generation and HTTPS Configuration
This article describes how to generate an SSL certificate, load it as a local certificate on the router, and configure the 'https' service.
Problem 1:
----------------
When a customer tries to configure the 'https' service, they may encounter an error regarding a local certificate.

{MASTER.EN_US}[edit]
mx480# set system services web-management https

{MASTER.EN_US}[edit]
mx480# commit check
re0:
[edit system services web-management]
  'https'
    Missing mandatory statement: 'local-certificate'   >>>>>>>>>>>>>>>>>
error: configuration check-out failed: (missing statements)
------------------------------------------------------------------------------------------------------
Problem 2:
----------------
The 'https' and 'http' options are not available under 'system services'.

mx480# set system services ?
Possible completions:
  <[Enter]>                        Execute this command
+ apply-groups                     Groups from which to inherit configuration data
+ apply-groups-except              Don't inherit configuration data from these groups
> database-replication             Database replication configuration
> dhcp-local-server                Dynamic Host Configuration Protocol server configuration
> finger                           Allow finger requests from remote systems
> flow-tap-dtcp                    Configure DTCP-based Flow-tap service
> ftp                              Allow FTP file transfers
> local-policy-decision-function   Configuration for Local Policy Decision Function service
> netconf                          Allow NETCONF connections
> outbound-ssh                     Initiate outbound SSH connection
> packet-triggered-subscribers     Packet Triggered Subscribers configuration
> service-deployment               Configuration for Service Deployment (SDXD) management application
> ssh                              Allow ssh access
> static-subscribers               Static Subscriber Client configuration
> subscriber-management            Subscriber management configuration
> subscriber-management-helper     Subscriber management helper configuration
> telnet                           Allow telnet login
> xnm-clear-text                   Allow clear text-based JUNOScript connections
> xnm-ssl                          Allow SSL-based JUNOScript connections
  |                                Pipe through a command
Cause 1:
A local X.509 certificate has to be generated on the router before configuring 'https'.
Cause 2:
The Web Management package has to be included in the Junos release currently installed on the router.
Step 1:
Make sure that the currently installed Junos version has the web-management package.
mx480> show version
.
.
JUNOS Web Management [11.4R7.5]
.
.
-------
Step 2:
Generate an SSL certificate on a Unix/Linux environment:
bash> openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout cert1.pem -out cert1.pem
>>>>>>>>>>>>>>>> Here, cert1 is a user-defined name; you can use any file name with the .pem extension.
-------------------
Step 3:
You will be asked to enter some information, such as your country, organization name and section, and e-mail ID.
Step 4:
Once you complete this, check that the file has been created:
--------------------
> ls -l cert1.pem
-rw-r--r-- 1 rohinin others 2168 Jan 15 05:19 cert1.pem   >>>>>>>>>>>>>>>>>>>> SSL certificate created successfully
----------------------
Step 5:
Display the contents of the file and make sure that it contains the BEGIN RSA PRIVATE KEY, END RSA PRIVATE KEY, BEGIN CERTIFICATE and END CERTIFICATE lines.
-------------------------
> more cert1.pem
-----BEGIN RSA PRIVATE KEY-----
..........
----------------------------
Step 6:
You can now copy this file to your local router via FTP and save it in the /var/tmp location.
------------------------------------
mx480> start shell
% ls /var/tmp
cert1.pem >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>   install                       pfed.core-tarball.0.tgz   rtsdb
gcore.chassisd.0                            jbundle-10.0S9-domestic.tgz   pics                      sampled.pkts
---------------------------------
Step 7:
Then generate a local certificate on the router:
----------------------------------
mx480# set security certificates local loc-cert load-key-file /var/tmp/cert1.pem
>>>>>>>>>>>>> loc-cert is a user-defined certificate name that is used when configuring https, so you can choose your own name.

[edit]
mx480# commit
commit complete
-------------------------------------
Step 8:
To configure https:
mx480> edit
mx480# set system services web-management https local-certificate loc-cert interface <interface name> port <port #>
mx480# commit
commit complete
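
The checks in Steps 4 and 5 can be scripted and run on the Unix/Linux host before the file is copied to the router. The Python below is an added example, not part of the original article or of Junos: it confirms that both PEM blocks are present, reads the RSA modulus size from the key block, and reports whether the file mode lets other users read the private key, as the `-rw-r--r--` mode shown in Step 4 does. The function names, the constructed sample bundle and the 2048-bit threshold are assumptions of this example.

```python
import base64, os, re, stat, tempfile

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
MIN_RSA_BITS = 2048  # assumption: common current minimum, not taken from the article

def _der_item(buf, pos):
    """Return (content_start, content_end) of the DER item that begins at pos."""
    first, pos = buf[pos + 1], pos + 2
    if first & 0x80:                        # long-form length: next n bytes hold it
        n = first & 0x7F
        return pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")
    return pos, pos + first

def rsa_modulus_bits(der):
    """Bit length of the modulus in a PKCS#1 RSAPrivateKey (SEQUENCE{version, n, ...})."""
    start, _ = _der_item(der, 0)            # step into the outer SEQUENCE
    _, version_end = _der_item(der, start)  # skip the version INTEGER
    m_start, m_end = _der_item(der, version_end)
    return int.from_bytes(der[m_start:m_end], "big").bit_length()

def check_pem_bundle(path):
    """Steps 4-5 as code: both blocks present, key size, who can read the file."""
    with open(path) as fh:
        blocks = {label: base64.b64decode(body) for label, body in PEM_RE.findall(fh.read())}
    key = blocks.get("RSA PRIVATE KEY")     # the label Step 5 says to look for
    bits = rsa_modulus_bits(key) if key else None
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "has_key": key is not None,
        "has_cert": "CERTIFICATE" in blocks,
        "rsa_bits": bits,
        "weak_key": bits is not None and bits < MIN_RSA_BITS,
        "others_can_read": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }

def write_constructed_sample(path):
    """CONSTRUCTED input: structurally valid DER, not a usable key or certificate."""
    n = b"\x00" + ((1 << 1023) | 1).to_bytes(128, "big")   # 1024-bit placeholder modulus
    key = b"\x30\x81\x87\x02\x01\x00\x02\x81\x81" + n
    with open(path, "w") as fh:
        for label, der in (("RSA PRIVATE KEY", key), ("CERTIFICATE", b"\x30\x03\x02\x01\x00")):
            body = base64.encodebytes(der).decode().strip()
            fh.write(f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n")
    os.chmod(path, 0o644)                   # same mode as the ls -l output in Step 4

if __name__ == "__main__":
    demo = os.path.join(tempfile.mkdtemp(), "cert1.pem")
    write_constructed_sample(demo)
    print(check_pem_bundle(demo))
```

To check the real file from Step 2, call `check_pem_bundle("cert1.pem")` in the directory where it was generated.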