SSL Certificate Install on a Juniper SRX for Pulse Secure

problem?

The customer mentioned they wanted the Pulse splash page served by the SRX300 to not use a self-signed certificate.

When browsing to https://«customerip» you receive a certificate error before getting the ‘The SRX no longer provides hosting of the Pulse Client for direct download.’ message. This is because the SSL certificate is self-signed. The way around that is to load a trusted SSL certificate.

fix it?

Have the customer choose a new DNS subdomain and create a new DNS pointer record to the external IP of the firewall for the new subdomain.

The customer should be able to provide a wildcard cert for *.domainname.com, or if they have a specific subdomain certificate, that will work too.

  • Received a Cert.pem (Certificate Chain) and Cert.Key (Private Key) from the customer.
    • Opened Cert.pem and copied the section starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE----- to a new text file.
    • Opened Cert.key, which should begin with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----, and copied it into the same new text file as the certificate.
    • Saved this new file as CertKey.pem
    • It should look something similar to the image below

SCP CertKey.pem to /var/tmp on the SRX.

SSH to the SRX

  • We set the web-management certificate because Pulse on an SRX listens on tcp/443 by default

      `set security certificates local wildcard load-key-file /var/tmp/CertKey.pem`
      `set system services web-management https local-certificate wildcard`
    

Commit the changes and test by going to the new subdomain; it should load with no errors. You may have to restart your browser for the certificate to load properly.
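
The CertKey.pem assembly steps above, as an added shell example that is not part of the original post: it takes the first CERTIFICATE block from the chain file (assumed to be the server certificate), appends the RSA private key in the same order as the manual steps, writes the result readable by the owner only, and uses the openssl CLI to confirm the key belongs to the certificate before the file is copied to the SRX. The function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the CertKey.pem described
# above: server certificate first, then the RSA private key.
# Assumption: the first CERTIFICATE block in the chain file is the server cert.

# Print the first PEM block labelled $2 found in file $1 (CRs stripped).
first_pem_block() {
    tr -d '\r' < "$1" | awk -v label="$2" '
        $0 == ("-----BEGIN " label "-----") { inblk = 1 }
        inblk { print }
        inblk && $0 == ("-----END " label "-----") { exit }'
}

# Succeed only if block $1 is non-empty and closes with the END line for $2.
block_complete() {
    [ -n "$1" ] && [ "$(printf '%s\n' "$1" | tail -n 1)" = "-----END $2-----" ]
}

# usage: build_certkey Cert.pem Cert.key CertKey.pem
build_certkey() {
    cert_block=$(first_pem_block "$1" "CERTIFICATE")
    key_block=$(first_pem_block "$2" "RSA PRIVATE KEY")
    block_complete "$cert_block" "CERTIFICATE" ||
        { echo "no complete CERTIFICATE block in $1" >&2; return 1; }
    block_complete "$key_block" "RSA PRIVATE KEY" ||
        { echo "no complete RSA PRIVATE KEY block in $2" >&2; return 1; }
    # The output holds the private key: create it readable by the owner only.
    ( umask 077; printf '%s\n%s\n' "$cert_block" "$key_block" > "$3" ) &&
        chmod 600 "$3"
}

# Succeed only if the key in file $1 belongs to the certificate in file $1
# (RSA modulus comparison; requires the openssl CLI).
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$1") || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Run as: sh build_certkey.sh Cert.pem Cert.key CertKey.pem
if [ "$#" -eq 3 ]; then
    build_certkey "$1" "$2" "$3" && key_matches_cert "$3" &&
        echo "$3 is ready to copy to /var/tmp on the SRX"
fi
```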