[j-nsp] certificates and configuration on MX-like devices

Chris Morrow morrowc at ops-netman.net
Thu Apr 26 23:40:30 EDT 2018


On Thu, 26 Apr 2018 23:06:12 -0400,
Phil Shafer <phil at juniper.net> wrote:
> 
> Chris Morrow writes:
> >it would have helped a bit if the error was more clear :( helped me
> >anyway.  I think it'd also be nice if I could have loaded the key in
> >one element and cert in another... everyone who requires them jammed
> >together does the ordering differently from the last person :(
> 
> We're calling openssl's validation functions and reporting any
> errors returned, since we want our code (in the UI) to be as
> well-separated from the innards of ssl as possible.  The "load-key-file"
> accepts the key and cert in either order, rewriting them in the
> "standard" openssl format.
> 
> >thnx! it does (as you say next) not include the key (which has to have
> >its passphrase removed) in the PEM file, it uses the load-from-file
> >option which may not be the preferred manner for the particular operator.
> 
> Yes, assigning the value directly is less forgiving, since it doesn't
> perform validation.  But IIRC the key/cert order still doesn't matter.
> We write the value directly into /var/etc/ssl/local/ (with the "\n"s
> unescaped).

ok. good to know.

> >it also seems to suggest that using self-signed certs is ok (it's not,
> >really it's not... set up your own CA, mint certs from it, verify certs
> >on connect) a note in the docs that: "self-signed certs invite people
> >to MITM your control/monitoring comms with your network... it invites
> >people to be you on your network and do what you can do... you don't
> >want that to happen, right?" would be great to see.
> 
> True.  I'll pass this along.
> 

terrific, thanks!

> >I'm unsure how I would have found this document 'quickly'; I did several searches for:
> >  "streaming telemetry ssl certificate"
> 
> FWIW, I googled "junos ssl local certificates" and got a ton of

Google? Who uses that old thing... I was using the search feature on
www.juniper.net :)

> pki-related entries, so did "junos ssl local certificates -pki"
> and the docs were the first item returned.
>

ok

> >spreading the configuration requirements far and wide in the
> >support/docs seems counter-productive to letting people self-help to a
> >solution :( it's a shame that the docs aren't more clear and more
> >centralized.
> 
> Completely agree.
> 
> Thanks,
>  Phil
