[j-nsp] certificates and configuration on MX-like devices

Chris Morrow morrowc at ops-netman.net
Thu Apr 26 21:10:40 EDT 2018


On Thu, 26 Apr 2018 19:45:35 -0400,
Phil Shafer <phil at juniper.net> wrote:
> 
> Chris Morrow writes:
> >ok, cool! so you want cert then key, great! (not clear on the
> >format... but..)
> 
> The easiest way to add certs to config is with the "load-key-file"
> knob:

sure... but ... that's not what the great-god-of-config-pipeline says we do :)
It turns out that:
  1) you can do them cert/key and key/cert (doesn't seem to matter)
  2) you need to make sure that only end-of-line is \n ... not other spaces :(

it would have helped a bit if the error was more clear :( helped me
anyway.  I think it'd also be nice if I could have loaded the key in
one element and cert in another... everyone who requires them jammed
together does the ordering differently from the last person :(

> >ok.. so that's actually: "Private key and Certificate string" It's
> >also not simple to find docs on this at the juniper support site :(
> 
> Here's a too-late-to-help-this-time URL:
> 
> https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/ex-series-ssl-certificates-generating.html
>

thnx! it does (as you say next) not include the key (which has to have
its passphrase removed) in the pem file, it uses the load-from-file option which may not be the preferred manner for the particular operator.

it also seems to suggest that using self-signed certs is ok (it's not,
really it's not... set up your own CA, mint certs from it, verify certs
on connect) a note in the docs that: "self signed certs invite people
to mitm your control/monitoring comms with your network... it invites
people to be you on your network and do what you can do...you don't
want that to happen, right?" would be great to see.

> It fails to mention that both sections are needed, though this
> kb article does:
> 
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB19726&cat=&actp=LIST
>

I'm unsure how I would have found this document 'quickly', I did several searches for:
  "streaming telemetry ssl certificate"

tried limiting the results to 'router' things (checkbox in results
page)...  searching the kb/support/docs is harder than it seems like
it should be, oh well.

spreading the configuration requirements far and wide in the
support/docs seems counter-productive to letting people self-help to a
solution :( it's a shame that the docs aren't more clear and more
centralized.

> >If your primary/first interaction with 'documentation' is the
> >command-line usage, then ffs please be precise.
> 
> Apologies for this.

end of a long almost done week...
good times.

thanks for taking the time.
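The three gotchas from this thread (either block order works, the only whitespace allowed is a bare "\n" at end of line, and the key must have its passphrase removed) are easy to check before pasting a bundle into the config element. The script below is an added example for this thread, not Juniper code and not the poster's own tooling; it assumes the input is the concatenated PEM "Private key and Certificate string" the thread describes, and the sample bundles embedded in it are constructed placeholders, not real keys or certificates.

```python
"""Normalise and sanity-check a concatenated certificate + private-key PEM
bundle before it goes into a Junos "Private key and Certificate string"
element.  Added example for the juniper-nsp thread; not Juniper code."""
import re
import sys

# One PEM block; the END label must match the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n"
    r"(?P<body>.*?)\n"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def normalise_pem(text: str) -> str:
    """Rewrite the bundle so the only whitespace is a bare '\\n' at end of line:
    CRLF/CR become LF, blanks are stripped from both ends of every line,
    empty lines are dropped, and the result ends with exactly one newline."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    lines = [ln.strip() for ln in text.split("\n")]
    return "\n".join(ln for ln in lines if ln) + "\n"


def inspect_bundle(text: str) -> dict:
    """Normalise `text` and report block order plus anything that would
    make the device reject it."""
    norm = normalise_pem(text)
    blocks = [(m.group("label"), m.group("body")) for m in PEM_BLOCK.finditer(norm)]
    labels = [label for label, _ in blocks]

    key_labels = [label for label in labels if label.endswith("PRIVATE KEY")]
    cert_count = labels.count("CERTIFICATE")
    # PKCS#8 encrypted keys carry an explicit label; legacy PEM keys mark
    # encryption with a Proc-Type header inside the block body.
    encrypted = any(
        label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        for label, body in blocks
    )

    problems = []
    if len(key_labels) != 1:
        problems.append(f"expected exactly one private key block, found {len(key_labels)}")
    if cert_count == 0:
        problems.append("no CERTIFICATE block found")
    if encrypted:
        problems.append("private key is passphrase-protected; strip the passphrase first")

    order = None
    if labels:
        order = "key-then-cert" if labels[0].endswith("PRIVATE KEY") else "cert-then-key"

    return {
        "order": order,
        "certificates": cert_count,
        "problems": problems,
        "changed": norm != text,  # True when CR or stray whitespace was removed
        "normalised": norm,
    }


# Constructed sample: cert first, CRLF line endings, a trailing space and a
# blank line, i.e. the kind of input the thread says gets rejected.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIBfakeCertificateBodyLineOne \r\n"
    "MIIBfakeCertificateBodyLineTwo\r\n"
    "-----END CERTIFICATE-----\r\n"
    "\r\n"
    "-----BEGIN PRIVATE KEY-----\r\n"
    "MIIEfakePrivateKeyBody\r\n"
    "-----END PRIVATE KEY-----\r\n"
)

# Constructed sample of a legacy passphrase-protected key, key first.
ENCRYPTED_BUNDLE = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "MIIEfakeEncryptedKeyBody\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBfakeCertificateBody\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Usage: python pem_check.py [bundle.pem]; defaults to the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    report = inspect_bundle(data)
    for problem in report["problems"]:
        print("problem:", problem)
    print(f"order={report['order']} certificates={report['certificates']} "
          f"changed={report['changed']}")
    sys.stdout.write(report["normalised"])
```

The script only checks framing and whitespace; whether the certificate actually chains to the operator's own CA (the point made about self-signed certs) is a separate check, e.g. `openssl verify -CAfile ca.pem device-cert.pem` before the bundle is loaded.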
