[j-nsp] certificates and configuration on MX-like devices
Phil Shafer
phil at juniper.net
Thu Apr 26 23:06:12 EDT 2018
Chris Morrow writes:
>it would have helped a bit if the error was more clear :( helped me
>anyway. I think it'd also be nice if I could have loaded the key in
>one element and cert in another... everyone who requires them jammed
>together does the ordering differently from the last person :(
We're calling openssl's validation functions and reporting any
errors returned, since we want our code (in the UI) to be as
well-separated from the innards of ssl as possible. The "load-key-file"
accepts the key and cert in either order, rewriting them in the
"standard" openssl format.
>thnx! it does (as you say next) not include the key (which has to have
>its passphrase removed) in the pem file, it uses the load-from-file
>option which may not be the preferred manner for the particular operator.
Yes, assigning the value directly is less forgiving, since it doesn't
perform validation. But IIRC the key/cert order still doesn't matter.
We write the value directly into /var/etc/ssl/local/ (with the "\n"s
unescaped).
>it also seems to suggest that using self-signed certs is ok (it's not,
>really it's not... set up your own CA, mint certs from it, verify certs
>on connect) a note in the docs that: "self signed certs invite people
>to mitm your control/monitoring comms with your network... it invites
>people to be you on your network and do what you can do...you don't
>want that to happen, right?" would be great to see.
True. I'll pass this along.
>I'm unsure how I would have found this document 'quickly', I did several searches for:
> "streaming telemetry ssl certificate"
FWIW, I googled "junos ssl local certificates" and got a ton of
pki-related entries, so did "junos ssl local certificates -pki"
and the docs were the first item returned.
>spreading the configuration requirements far and wide in the
>support/docs seems counter-productive to letting people self-help to a
>solution :( it's a shame that the docs aren't more clear and more
>centralized.
Completely agree.
Thanks,
Phil
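As an added example (not Juniper's code and not part of this thread), a small pure-Python checker that does for a pasted bundle what Phil describes load-key-file doing, so the value can be sanity-checked before it is assigned directly without any validation: it accepts key and certificate in either order, refuses a key that still carries its passphrase, restores the literal "\n" sequences of a one-line value, and emits one canonical order. The key-first ordering, the `normalize_bundle` and `_wrap` names and the sample bundle are assumptions of this example, not the device's own format.

```python
import base64
import binascii
import re

# One PEM block: label, then the (possibly header-bearing) body up to END.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def _wrap(payload, width=64):
    return "\n".join(payload[i:i + width] for i in range(0, len(payload), width))


def normalize_bundle(text):
    """Return the bundle as one unencrypted private key followed by its
    certificate(s), whatever order they were pasted in (key-first is an
    assumed canonical order); raise ValueError on anything validation
    would later reject."""
    # A value pasted as a single string carries literal "\n"; restore newlines.
    text = text.replace("\\n", "\n")
    keys, certs = [], []
    for label, body in PEM_BLOCK.findall(text):
        # PKCS#8 encrypted keys say so in the label; legacy keys use a header.
        if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
            raise ValueError("private key is passphrase-protected; remove the passphrase first")
        payload = "".join(body.split())
        try:
            base64.b64decode(payload, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"corrupt base64 in {label} block") from exc
        block = f"-----BEGIN {label}-----\n{_wrap(payload)}\n-----END {label}-----"
        if label in KEY_LABELS:
            keys.append(block)
        elif label == "CERTIFICATE":
            certs.append(block)
        else:
            raise ValueError(f"unexpected PEM block: {label}")
    if len(keys) != 1 or not certs:
        raise ValueError(f"need one key and at least one certificate, "
                         f"got {len(keys)} key(s), {len(certs)} cert(s)")
    return "\n".join(keys + certs) + "\n"


# Constructed sample (placeholder bytes, not a real key or cert): certificate
# first, key second, pasted as one string with escaped newlines.
_FAKE = base64.b64encode(b"constructed placeholder, not real DER").decode()
SAMPLE_CERT_FIRST = (
    f"-----BEGIN CERTIFICATE-----\\n{_FAKE}\\n-----END CERTIFICATE-----\\n"
    f"-----BEGIN RSA PRIVATE KEY-----\\n{_FAKE}\\n-----END RSA PRIVATE KEY-----\\n"
)

if __name__ == "__main__":
    print(normalize_bundle(SAMPLE_CERT_FIRST))
```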