I would like to rid myself of the pesky browser warnings about insecure HTTPS access to J-Web on my SRX devices. How can this be achieved with the minimum amount of administrative effort? It is not a problem if there is some cost involved in obtaining the certificates from an appropriate authority, but as access is only required via the internal network I'm guessing the solution is some kind of self-signed effort combined with some browser tweaking.
This is expected with the system-generated certificate when used for the HTTPS access. You need a local certificate which is trusted and signed.
I understand that you access the device internally, in which case this might help: generating your own SSL certificate.
Let me know the results.
Thanks,
Pradeep
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Thank you for your reply.
I have seen both articles in my prior search. The first requires a Linux server, which I do not have access to, and the second must be out-of-date (2011) or contain error(s) in the instructions, as I tried to follow them, but a required option is greyed out.
Are you running an internal Certificate Authority in your server infrastructure?
Since you don't have Linux servers, are you running Windows, so you may have the CA role enabled along with Active Directory?
If you have a CA, on the Junos device make a certificate request.
Then submit this on the Microsoft web interface for your CA role server. The server will issue the certificate with the request's URL and parameters. Set up the DNS name that matches on your internal DNS servers.
And then load the certificate on the Junos.
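The three steps in the reply above, written out as Junos CLI commands. This is an added example, not part of the original reply; the certificate ID `jweb-cert`, the host name `srx1.corp.example`, the subject fields and the file paths are placeholders, and it assumes a Junos release that provides these PKI commands.

```junos
# Operational mode: create the key pair that the certificate will use.
request security pki generate-key-pair certificate-id jweb-cert size 2048 type rsa

# Generate the PKCS#10 request. domain-name should be the DNS name users type
# into the browser; it must also resolve on the internal DNS servers.
request security pki generate-certificate-request certificate-id jweb-cert domain-name srx1.corp.example subject "CN=srx1.corp.example,OU=Network,O=Example Corp,C=GB" filename /var/tmp/jweb-cert.csr

# Submit /var/tmp/jweb-cert.csr to the internal CA, copy the issued
# certificate back to the device (placeholder path), then load it.
request security pki local-certificate load certificate-id jweb-cert filename /var/tmp/jweb-cert.cer

# Confirm subject, issuer and validity dates before switching J-Web over.
show security pki local-certificate certificate-id jweb-cert detail

# Configuration mode: bind the certificate to J-Web's HTTPS service.
configure
set system services web-management https pki-certificate jweb-cert
commit check
commit
```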
Thank you for your considered and detailed response Steve.
I don't currently have access to a CA, but will do in the near future. So unless there's an easy way to do it without one, I will hold off. However, I do have one question: will I need to distribute the certificates to clients via Group Policy so any client can access J-Web without being troubled by a warning message?
Thank you for your contribution Nellikka.
RE: XCA. On the Source tab of 'Create X509 Certificate', I am unable to select 'Use this certificate for signing' as shown in the screenshot, but I'm guessing the instructions are geared towards a different scenario.
I think you did not create the root certificate first. Please follow this URL to create the root certificate and then follow the previous links:
When you create a Microsoft Active Directory with a CA and then join computers to the domain, these computers will have the CA as a trusted authority installed on them.
So all the certificates you issue from that CA will be trusted then by these computers and no longer generate that error message in the browser.