SRX

 View Only
last person joined: 12 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SSL Certificate(s) for J-Web Access

     
    Posted 07-04-2019 03:08

    I would like to rid myself of the pesky browser warnings about insecure HTTPS access to J-Web on my SRX devices. How can this be achieved with the minimum amount of administrative effort? It is not a problem if there is some cost involved in obtaining the certificates from an appropriate authority, but as access is only required via the internal network I'm guessing the solution is some kind of self-signed effort combined with some browser tweaking.


    #ssl
    #https
    #j-web


  • 2.  RE: SSL Certificate(s) for J-Web Access

     
    Posted 07-04-2019 03:56

    Hi,

     

    This is expected with the system-generated certificate when used for the HTTPS access. You need a local certificate which is trusted and signed.

     

    I understand that you access the device internally in which case this might help. By generating your own SSL certificate.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB15201

     

    https://www.redelijkheid.com/blog/2011/3/11/configure-ssl-certificate-for-juniper-j-web-interface.html

     

    Let me know the results.

     

    Thanks,
    Pradeep
    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

     



  • 3.  RE: SSL Certificate(s) for J-Web Access

     
    Posted 07-04-2019 04:08

    Thank you for your reply.

     

    I have seen both articles in my prior search. The first requires a Linux server, which I do not have access to, and the second must be out-of-date (2011) or contain error(s) in the instructions, as I tried to follow them, but a required option is greyed out.



  • 4.  RE: SSL Certificate(s) for J-Web Access

    Posted 07-04-2019 04:17

    Are you running an internal Certificate Authority in your. server infrastructure?

    Since you don't have Linux servers are your running Windows so may have the CA role enabled along with Active Directory?

     

    If you have a CA, on the Junos device make a cerfiticate request.

    https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/request-security-pki-generate-certificate-request.html

     

    Then submit this on the Microsoft web interface for your CA role server.  The server will issue the certificate with the requests url and parameters.  Setup the DNS name that matches on your internal DNS servers.  

     

    And then load the certificate on the Junos .

    https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/request-security-pki-ca-certificate-load-high-end.html

     



  • 5.  RE: SSL Certificate(s) for J-Web Access

     
    Posted 07-04-2019 06:00

    Thank you for your considered and detailed response Steve.

     

    I don't currently have access to a CA, but will do in the near future. So unless there's an easy way to do it without one, I will hold off. However, I do have one question: will I need to distribute the certificates to clients via Group Policy so any client can access J-Web without being troubled by warning message?



  • 6.  RE: SSL Certificate(s) for J-Web Access

    Posted 07-04-2019 06:21
    Yes, CA certificate can be distributed to clients via Group Policy if you have lots of clients.
    BTW, where you stuck while trying with XCA tool?


  • 7.  RE: SSL Certificate(s) for J-Web Access

     
    Posted 07-04-2019 07:33

    Thank you for your contribution Nellikka.

     

    RE: XCA. On the Source tab of 'Create X509 Certificate', I am unable to select 'Use this certificate for signing' as shown in the screenshot, but I'm guessing the instructions are geared towards a different scenario.



  • 8.  RE: SSL Certificate(s) for J-Web Access

    Posted 07-04-2019 07:58

    I think you did not create root ceritificate first. Please follow this url to create root certificate and then follow previous links:

    https://campus.barracuda.com/product/campus/doc/28475773/how-to-create-certificates-with-xca/

     



  • 9.  RE: SSL Certificate(s) for J-Web Access
    Best Answer

    Posted 07-04-2019 08:40

    when you create a Microsoft Active Directory with a CA. 

    then join computers to the domain.

    These computers will have the CA as a trusted authority installed on them.

    So all the certificates you issue from that CA will be trusted then by these computers and no longer generate that error message in the browser.