
Configuring Juniper ScreenOS/SSG to use Domain PKI

Most of this information I took from: http://www.digicert.com/csr-creation-netscreen.htm

1) Browse to the web URL for the SSG5, HTTPS://NW-SSG5A. Yup, we get a certificate error.


2) Log in to the device with ROOT credentials (i.e. netscreen, or similar if you’ve renamed it). I don’t think you can do this with a regular read-write admin user.

3) Browse to OBJECTS -> CONFIGURATION.  Click NEW:


4) Enter your info, similar to the iDRAC. Change the key pair type to RSA and the bit strength to 2048. Click GENERATE:


It tells you it will take a while, and it does: generating a 2048-bit key pair on the SSG is slow. When it’s done you’ll see:


5) Click SAVE TO FILE and do that:
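Before the saved request goes to the CA, it is worth confirming that the PKCS#10 file actually carries a 2048-bit RSA key and that its subject CN is the name you will browse to later; a CN that does not match the browsed-to name leaves the browser warning even after the CA-issued certificate is installed. The script below is an added example, not part of the original post and not ScreenOS or ADCS code. It uses only the Python standard library, the function names (inspect_csr, csr_ok, build_sample_csr) are my own, and the request it builds is a constructed, structurally valid but unsigned stand-in for the real saved file; point inspect_csr at the real NW-SSG5A_pkcs10.txt contents instead to check a request from the unit.

```python
"""Sanity-check a PKCS#10 request (the SSG's 'Save to file' output) before it
goes to the ADCS CA: is the key 2048-bit RSA, and does the subject CN match the
name users will browse to?  Standard library only; no real key material."""
import base64
import re

OID_RSA = "1.2.840.113549.1.1.1"
OID_CN = "2.5.4.3"

def der_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Yield (tag, content) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(content):
        tag, val, pos = der_tlv(content, pos)
        yield tag, val

def decode_oid(content):
    """Dotted form of an OBJECT IDENTIFIER's content bytes."""
    parts, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def load_der(data):
    """Accept raw DER, or PEM text/bytes as saved by the SSG, and return DER bytes."""
    if isinstance(data, bytes) and data[:1] == b"\x30":
        return data
    text = data.decode() if isinstance(data, bytes) else data
    return base64.b64decode("".join(re.sub(r"-----[A-Z ]+-----", "", text).split()))

def inspect_csr(data):
    """Return subject CN, key algorithm OID and RSA modulus size of a CSR."""
    _, csr, _ = der_tlv(load_der(data))                 # CertificationRequest
    _, info = next(der_children(csr))                   # CertificationRequestInfo
    _version, subject, spki = [v for _, v in der_children(info)][:3]
    cn = None
    for _, rdn in der_children(subject):                # Name ::= SEQUENCE OF SET
        for _, atv in der_children(rdn):                # AttributeTypeAndValue
            (_, oid), (_, val) = list(der_children(atv))[:2]
            if decode_oid(oid) == OID_CN:
                cn = val.decode("utf-8", "replace")
    (_, alg_id), (_, bit_string) = list(der_children(spki))[:2]
    alg = decode_oid(next(der_children(alg_id))[1])
    key_bits = None
    if alg == OID_RSA:                                  # RSAPublicKey ::= SEQUENCE {n, e}
        _, rsa_key, _ = der_tlv(bit_string[1:])         # skip the unused-bits byte
        _, modulus = next(der_children(rsa_key))
        key_bits = int.from_bytes(modulus, "big").bit_length()
    return {"cn": cn, "key_alg": alg, "key_bits": key_bits}

def csr_ok(data, expected_cn, min_bits=2048):
    """True when the CN matches the browsed-to name and the RSA key is large enough."""
    r = inspect_csr(data)
    return (r["cn"] is not None and r["cn"].lower() == expected_cn.lower()
            and r["key_bits"] is not None and r["key_bits"] >= min_bits)

# --- constructed sample input; a real request comes from the SSG, not from here ---
def _tlv(tag, content):
    """Minimal DER encoder for the sample (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_sample_csr(cn, key_bits):
    """Structurally valid PKCS#10 with a dummy modulus and dummy signature (not a
    real key, not verifiable) so the inspector can be exercised offline."""
    rsa_oid = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"      # 1.2.840.113549.1.1.1
    sha256_rsa_oid = rsa_oid[:-1] + b"\x0b"                         # 1.2.840.113549.1.1.11
    mod = ((1 << (key_bits - 1)) | 1).to_bytes(key_bits // 8, "big")  # exactly key_bits bits
    if mod[0] & 0x80:                                   # DER INTEGER is signed: pad
        mod = b"\x00" + mod
    rsa_key = _tlv(0x30, _tlv(0x02, mod) + _tlv(0x02, b"\x01\x00\x01"))
    spki = _tlv(0x30, _tlv(0x30, rsa_oid + b"\x05\x00") + _tlv(0x03, b"\x00" + rsa_key))
    cn_atv = _tlv(0x30, b"\x06\x03\x55\x04\x03" + _tlv(0x0C, cn.encode()))   # 2.5.4.3
    subject = _tlv(0x30, _tlv(0x31, cn_atv))
    info = _tlv(0x30, _tlv(0x02, b"\x00") + subject + spki + _tlv(0xA0, b""))
    sig = _tlv(0x30, sha256_rsa_oid + b"\x05\x00") + _tlv(0x03, b"\x00" + bytes(16))
    return _tlv(0x30, info + sig)

def to_pem(der):
    """Wrap DER in the PEM armour the SSG uses for the saved request."""
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE REQUEST-----\n"
```

The parser deliberately reads only what the check needs (subject and SubjectPublicKeyInfo) and does not verify the request's self-signature; that is the CA's job when the request is submitted. If the SSG saved the request with a "NEW CERTIFICATE REQUEST" header, load_der strips that armour just the same.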


6) Go to your Subordinate CA (NW-ADCS1).  Open a command prompt, and let’s generate a cert:


Remember the command line is: certreq -submit -attrib "CertificateTemplate:WebServer" NW-SSG5A_pkcs10.txt (NW-SSG5A_pkcs10.txt is the file you saved in step 5 above). Save the resulting file as NW-SSG5A.cer and click SAVE.

7) On the SSG, click on OBJECTS -> CERTIFICATES.


You’re going to see the existing request.  At the top is a LOAD: CERT.  Click BROWSE and find the file…


Click OPEN.  Then click LOAD next to the BROWSE button.

8) Now you’re going to see that the certificate is present:




10) See the CERTIFICATE option that shows “DEFAULT – SYSTEM SELF-SIGNED CERT”? Click the drop-down and select the new certificate:


Click APPLY at the bottom of the page.

I got a pop-up error that complained and then refreshed the page.

11) Open a new browser window, and browse to the FQDN/hostname of the unit (i.e. HTTPS://NW-SSG5A or HTTPS://NW-SSG5A.NETWISE.CA)


Look at that – no SSL error!

Categories: ADCS, PKI, ScreenOS, SSL
  1. November 19, 2012 at 9:54 PM

    Hi, would you mind stating which blog platform you’re working with? I’m going to start my own blog soon but I’m having a hard time deciding between BlogEngine/Wordpress/B2evolution and Drupal. The reason I ask is because your design and style seems different than most blogs and I’m looking for something unique. P.S. My apologies for being off-topic but I had to ask!

    • November 21, 2012 at 10:17 PM

      Theodore: Wish I could tell you much, but I spent precious little time getting the blog set up, as I’m the type to fall down a ‘rabbit hole’ and spend too much time worried about design. So I found WordPress, and have an account there, and picked a theme, then just started posting.

