Juniper TLS certificate install

From Wikitech-static
Revision as of 05:46, 24 August 2022 by imported>Ayounsi (Add relevant task)

In the fundraising environment we reuse the pre-existing Puppet certificate authority to issue the certificates that protect syslog traffic with TLS. The Puppet CA was used to generate a certificate for the SRX routers (the pfw hosts) so that they can log securely to the fundraising central loggers.


Generate a client certificate

frpm1001:~$ sudo puppet cert generate

Copy the relevant certificates to the router. This assumes read permission on /var/lib/puppet/ssl/* on the Puppet master and that the destination directories (/var/tmp/ssl/certs/ and /var/tmp/ssl/private_keys/) already exist on the pfw. Note that the private key is copied in plaintext, which is why the staging directory is deleted from the router at the end of the procedure.

frpm1001:~$ scp /var/lib/puppet/ssl/certs/ca.pem
frpm1001:~$ scp /var/lib/puppet/ssl/certs/
frpm1001:~$ scp /var/lib/puppet/ssl/private_keys/

Certificate reinstall/install

On the router, clear any previously loaded CA certificate, local certificate and key pair before loading the new files. The fingerprints Junos prints after loading the CA certificate should be compared against those of ca.pem on the Puppet master before the profile is trusted.

pfw3-codfw> clear security pki ca-certificate ca-profile frack-ca-profile

[no output]
pfw3-codfw> request security pki ca-certificate load ca-profile frack-ca-profile filename /var/tmp/ssl/certs/ca.pem

  49:98:40:62:4f:a2:f7:41:6f:4c:b2:5b:0e:81:6a:f5:0b:9a:49:ad (sha1)
  82:76:6e:43:ee:36:48:1c:c3:d2:ae:a3:fe:bd:2f:b2 (md5)
CA certificate for profile frack-ca-profile loaded successfully
pfw3-codfw> clear security pki local-certificate certificate-id pfw-codfw

[no output]
pfw3-codfw> clear security pki key-pair certificate-id pfw-codfw

Key pair deleted successfully
pfw3-codfw> request security pki local-certificate load certificate-id pfw-codfw filename /var/tmp/ssl/certs/ key /var/tmp/ssl/private_keys/

Local certificate loaded successfully
pfw3-codfw> clear services ssl initiation counters

[no output]

Once everything is loaded, remove the staged plaintext key material from the router's filesystem:

pfw3-codfw> file delete-directory /var/tmp/ssl recurse

[no output]
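The following is an added example and not code from the original page or from the fundraising Puppet tree. It is a POSIX shell script to run on the Puppet master before the scp step in "Generate a client certificate": it checks that the private key belongs to the certificate, that the certificate was issued by the CA whose ca.pem is loaded into the ca-profile, that the subject CN is the expected router name, and it prints the CA fingerprint in the same colon-separated form Junos shows after request security pki ca-certificate load, so the two can be compared. All file names, the CN pfw-codfw and the throwaway sample CA that make_sample_pki generates for an offline run are constructed placeholders, not production values; on the Puppet master point the functions at /var/lib/puppet/ssl/certs/ and /var/lib/puppet/ssl/private_keys/ instead.

```shell
#!/bin/sh
# Added example, not code from the Wikitech page or the fundraising Puppet tree:
# pre-flight checks for the certificate, key and ca.pem before they are copied
# to the SRX. All file names, the CN "pfw-codfw" and the sample CA built by
# make_sample_pki are hypothetical placeholders; on the Puppet master point the
# functions at /var/lib/puppet/ssl/certs/ and /var/lib/puppet/ssl/private_keys/.
set -e

# Fingerprint of a certificate in the form Junos prints after
# "request security pki ca-certificate load": colon-separated lowercase hex.
# $1 = PEM certificate, $2 = digest name (sha1 or md5)
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" | sed 's/^[^=]*=//' | tr 'A-F' 'a-f'
}

# Common Name of the certificate subject; the router's certificate must carry
# the name that was passed to "puppet cert generate".
# $1 = PEM certificate
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds only if the private key belongs to the certificate, i.e. both yield
# the same SubjectPublicKeyInfo. A mismatched pair would otherwise only show up
# later, as a failed TLS handshake with the central logger.
# $1 = PEM certificate, $2 = PEM private key
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate chains to the CA certificate that will be
# loaded into the router's ca-profile.
# $1 = CA PEM, $2 = router certificate PEM
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample PKI so the script runs offline: a throwaway CA, a
# certificate it issued for pfw-codfw, and an unrelated key for the negative
# case. It stands in for the Puppet CA files; it is not the Puppet layout.
# $1 = scratch directory
make_sample_pki() {
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=sample-puppet-ca \
        -keyout "$1/ca.key" -out "$1/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$1/ca.ext"
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 1 \
        -extfile "$1/ca.ext" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=pfw-codfw \
        -keyout "$1/pfw-codfw.key" -out "$1/pfw-codfw.csr" 2>/dev/null
    openssl x509 -req -in "$1/pfw-codfw.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/pfw-codfw.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# Run all checks for one router; returns non-zero on the first failure and
# prints the CA fingerprint to compare with the router's load output.
# $1 = CA PEM, $2 = router certificate PEM, $3 = router key PEM, $4 = expected CN
preflight() {
    key_matches_cert "$2" "$3" || { echo "key does not match certificate" >&2; return 1; }
    cert_signed_by_ca "$1" "$2" || { echo "certificate not issued by this CA" >&2; return 1; }
    [ "$(cert_cn "$2")" = "$4" ] || { echo "unexpected CN $(cert_cn "$2")" >&2; return 1; }
    echo "CA sha1 fingerprint, compare with the router's load output: $(cert_fingerprint "$1" sha1)"
}

# Stand-alone demo on the constructed sample PKI.
work=$(mktemp -d)
make_sample_pki "$work"
preflight "$work/ca.pem" "$work/pfw-codfw.pem" "$work/pfw-codfw.key" pfw-codfw
rm -rf "$work"
```

The script goes slightly beyond the page: besides the fingerprint comparison, it catches a key/certificate mismatch and a certificate issued by a different CA on the Puppet master, where the failure is cheap to fix, rather than on the router, where the only symptom is a TLS error in the logger (the task linked below).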

See also

task T312601 - Fundraising pfw rsyslog TLS errors