[j-nsp] certificates and configuration on MX-like devices

Phil Shafer phil at juniper.net
Thu Apr 26 23:06:12 EDT 2018


Chris Morrow writes:
>it would have helped a bit if the error was more clear :( helped me
>anyway.  I think it'd also be nice if I could have loaded the key in
>one element and cert in another... everyone who requires them jammed
>together does the ordering differently from the last person :(

We're calling openssl's validation functions and reporting any
errors returned, since we want our code (in the UI) to be as
well-separated from the innards of ssl as possible.  The "load-key-file"
accepts the key and cert in either order, rewriting them in the
"standard" openssl format.

>thnx! it does (as you say next) not include the key (which has to have
>its passphrase removed) in the pem file, it uses the load-from-file option which may
>not be the preferred manner for the particular operator.

Yes, assigning the value directly is less forgiving, since it doesn't
perform validation.  But IIRC the key/cert order still doesn't matter.
We write the value directly into /var/etc/ssl/local/ (with the "\n"s
unescaped).

>it also seems to suggest that using self-signed certs is ok (it's not,
>really it's not... set up your own ca, mint certs from it, verify certs
>on connect) a note in the docs that: "self signed certs invite people
>to mitm your control/monitoring comms with your network... it invites
>people to be you on your network and do what you can do...you don't
>want that to happen, right?" would be great to see.

True.  I'll pass this along.

>I'm unsure how I would have found this document 'quickly', I did several searches for:
>  "streaming telemetry ssl certificate"

FWIW, I googled "junos ssl local certificates" and got a ton of
pki-related entries, so did "junos ssl local certificates -pki"
and the docs were the first item returned.

>spreading the configuration requirements far and wide in the
>support/docs seems counter-productive to letting people self-help to a
>solution :( it's a shame that the docs aren't more clear and more
>centralized.

Completely agree.

Thanks,
 Phil
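The exchange above turns on two points: a PEM bundle may carry the key and certificate in either order, and assigning the value directly (instead of using "load-key-file") skips the openssl validation that would catch a malformed or still-passphrase-protected key. The script below is an added example, not Junos code and not from the list post; it is a stdlib-only pre-flight check an operator could run on a bundle before pasting it into configuration. It splits the PEM blocks, rejects bodies that are not base64-encoded DER, refuses encrypted keys (legacy "Proc-Type: 4,ENCRYPTED" headers or a PKCS#8 "ENCRYPTED PRIVATE KEY" block), and rewrites the bundle key-first with 64-column lines. The sample bundles are constructed placeholders: each block wraps a minimal DER SEQUENCE, not a real key or certificate, and the key-first output order is this example's own convention, since the post does not state which order openssl's "standard" format uses.

```python
import base64
import re

# One PEM block: label, optional "Header: value" lines, base64 body.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_pem(text):
    """Return [(label, header_lines, der_bytes)] for every PEM block in text."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label = m.group("label")
        headers, b64_lines = [], []
        for line in m.group("body").splitlines():
            line = line.strip()
            if not line:
                continue
            # Legacy encrypted keys put "Proc-Type"/"DEK-Info" lines before the body.
            if ":" in line and not b64_lines:
                headers.append(line)
            else:
                b64_lines.append(line)
        try:
            der = base64.b64decode("".join(b64_lines), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{label}: body is not valid base64") from exc
        # Keys and certificates are DER SEQUENCEs; the first tag byte must be 0x30.
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: decoded body is not a DER SEQUENCE")
        blocks.append((label, headers, der))
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks


def to_pem(label, der):
    """Re-wrap DER bytes as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def normalize_bundle(text):
    """Validate a key+cert bundle and return it rewritten key-first (this example's convention)."""
    blocks = parse_pem(text)
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        raise ValueError("bundle contains no CERTIFICATE block")
    label, headers, _ = keys[0]
    encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
        h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers
    )
    if encrypted:
        raise ValueError("private key is passphrase-protected; remove the passphrase before loading")
    return "".join(to_pem(lbl, der) for lbl, _, der in keys + certs)


def check_bundle(text):
    """Non-raising wrapper: (True, normalized_text) or (False, reason)."""
    try:
        return True, normalize_bundle(text)
    except ValueError as exc:
        return False, str(exc)


# Constructed placeholders: a minimal DER SEQUENCE stands in for real key/cert bytes.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_CERT_FIRST = to_pem("CERTIFICATE", FAKE_DER) + to_pem("PRIVATE KEY", FAKE_DER)
SAMPLE_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0011\n\n"
    + base64.b64encode(FAKE_DER).decode("ascii") + "\n"
    "-----END RSA PRIVATE KEY-----\n"
) + to_pem("CERTIFICATE", FAKE_DER)
SAMPLE_NO_CERT = to_pem("PRIVATE KEY", FAKE_DER)

if __name__ == "__main__":
    for name, sample in [("cert-first", SAMPLE_CERT_FIRST),
                         ("encrypted", SAMPLE_ENCRYPTED),
                         ("no-cert", SAMPLE_NO_CERT)]:
        ok, result = check_bundle(sample)
        print(f"{name}: {'ok' if ok else 'rejected: ' + result}")
```

Running it as a script shows the cert-then-key bundle being accepted and reordered, while the passphrase-protected key and the key-only bundle are rejected with the reason; the same checks are what a "load-key-file" style path gives you for free and a direct value assignment does not.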

