Installing an SSL Certificate on a Juniper Security Design vGW appliance
I would first like to start off saying that if you are not familiar with Linux, this one can be a bit of a pain the first time around. I eventually had to contact Juniper support to get the details on this and even they had a little trouble.
1) You will need either to SSH into the appliance or to have console access. SSH is the preferred method because the VMware console of the machine limits how much of the previous command output you can scroll back through. Log in to the appliance and type "advanced".
2) Create a keystore and private key. This is done with "keytool", the utility that ships with the Java runtime. You will be asked to provide passwords; Juniper suggests always using "altoraltor".
$JAVA_HOME/bin/keytool -genkey -alias "Name of Alias" -keyalg "Algorithm Type" -keysize "Size of Key" -keystore "Name of Key store".jks
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore test.jks
3) Generate a CSR
/usr/lib/jvm/sun-java-6u11/jre/bin/keytool -certreq -keyalg "Algorithm Type" -alias "Name of Alias" -keysize "Size of key" -file "Name of CSR".csr -keystore "Name of Key store".jks
/usr/lib/jvm/sun-java-6u11/jre/bin/keytool -certreq -keyalg RSA -alias tomcat -keysize 2048 -file test.csr -keystore test.jks
4) Retrieve the certificate from your Certificate Authority (CA). Make sure to download the full chain. With a Microsoft CA this ends up being a .p7b (PKCS #7) file.
5) If you end up with a Microsoft chain in .p7b format, right-click the file and open it with "Crypto Shell Extensions". From there you should be able to right-click the CA/Sub-CA certificates and export each one.
6) Use WinSCP or FastSCP to copy the device certificate and the CA/Sub-CA certificates to the same location as the keystore file.
7) Install the certificates into the keystore. Import each CA/Sub-CA certificate under its own alias (with -trustcacerts); the device certificate itself must be imported under the same alias as the private key (tomcat here), which is how keytool knows to treat it as the certificate reply for that key rather than as a new trusted certificate.
/usr/lib/jvm/sun-java-6u11/jre/bin/keytool -import -alias "Name of Alias" -keystore "Name of keystore".jks -file "certificate name".cer
**Keep in mind that you must install the CA/Sub-CA certs before you can install the SSL cert for the device, or you will get errors about the chain**
/usr/lib/jvm/sun-java-6u11/jre/bin/keytool -import -trustcacerts -alias rootca -keystore test.jks -file CA.cer
/usr/lib/jvm/sun-java-6u11/jre/bin/keytool -import -trustcacerts -alias subca -keystore test.jks -file Sub-CA.cer
/usr/lib/jvm/sun-java-6u11/jre/bin/keytool -import -alias tomcat -keystore test.jks -file test.cer
8) Gain sudo access
9) Transfer the keystore file (.jks) to /var/lib/altor/cert (the keystore is wherever you ran keytool; the JRE bin directory is assumed below)
scp /usr/lib/jvm/sun-java-6u11/jre/bin/"Name of Keystore".jks /var/lib/altor/cert/"Name of Keystore".jks
scp /usr/lib/jvm/sun-java-6u11/jre/bin/test.jks /var/lib/altor/cert/test.jks
10) In /var/lib/altor/cert, delete the existing public_keystore file
11) Copy the keystore (.jks) you created to public_keystore
cp "Name of Key store".jks public_keystore
cp test.jks public_keystore
12) Change ownership and permissions on public_keystore
chown tomcat public_keystore
chgrp tomcat public_keystore
13) Restart the Tomcat service
god restart tomcat
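Steps 4 through 7 above split the CA's .p7b chain by hand in Windows and then rely on importing the CA certificates in the right order before the device certificate. The same split and ordering check can be done on any Linux host with nothing but the Python standard library. The script below is an added example, not code from the original write-up or from Juniper: it parses a .p7b (a PKCS #7 SignedData with certificates and no signers), pulls out each certificate, orders the chain root > sub-CA > device certificate from the issuer and subject names, and produces the keytool command lines with a separate alias per CA certificate and the private-key alias for the device certificate. The keytool path and the alias "tomcat" are taken from the steps above; the alias names ca0/ca1 and the sample certificates (built by make_cert/make_p7b) are constructed for the example and are not real CA data.

```python
# Added example (not from the original write-up): split a CA-issued .p7b chain into
# certificates and derive the keytool import order. Stdlib only; sample certs constructed.
import base64
SEQUENCE, SET, OID, CONTEXT0 = 0x30, 0x31, 0x06, 0xA0
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 signedData
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 data
OID_CN = bytes.fromhex("550403")                        # 2.5.4.3 commonName

def decode(buf):
    """First DER TLV in buf -> (tag, value, remaining bytes)."""
    tag, first, pos, length = buf[0], buf[1], 2, buf[1]
    if first & 0x80:                                    # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[pos:pos + length], buf[pos + length:]

def items(buf):
    """All top-level TLVs in buf -> list of (tag, value, whole_tlv)."""
    out = []
    while buf:
        tag, value, rest = decode(buf)
        out.append((tag, value, buf[:len(buf) - len(rest)]))
        buf = rest
    return out

def split_pkcs7(blob):
    """DER certificates carried in a PKCS #7 SignedData (.p7b); DER or PEM input."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        lines = [l.strip() for l in blob.splitlines()]
        blob = base64.b64decode(b"".join(l for l in lines if not l.startswith(b"-----")))
    tag, content_info, _ = decode(blob)
    content_type, wrapper = items(content_info)[:2]
    if tag != SEQUENCE or content_type[1] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS #7 signedData ContentInfo")
    _, signed_data, _ = decode(wrapper[1])              # [0] EXPLICIT around SignedData
    for tag, value, _ in items(signed_data):
        if tag == CONTEXT0:                             # certificates [0] IMPLICIT SET OF
            return [whole for t, _, whole in items(value) if t == SEQUENCE]
    return []

def cert_names(cert):
    """(issuer, subject) as raw DER Name TLVs of an X.509 certificate."""
    fields = items(decode(decode(cert)[1])[1])          # tbsCertificate fields
    if fields[0][0] == CONTEXT0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][2], fields[4][2]                   # serial, sigAlg, issuer, validity, subject

def common_name(name_der):
    """commonName string from a DER Name, or None if absent."""
    for _, rdn, _ in items(decode(name_der)[1]):        # each RDN is a SET
        for _, atv, _ in items(rdn):                    # AttributeTypeAndValue SEQUENCE
            attr_type, attr_value = items(atv)[:2]
            if attr_type[1] == OID_CN:
                return attr_value[1].decode()

def import_order(certs):
    """Order a chain root -> intermediates -> leaf, the order keytool needs."""
    names = {c: cert_names(c) for c in certs}
    order = [c for c in certs if names[c][0] == names[c][1]]   # the self-issued root
    if len(order) != 1:
        raise ValueError("expected exactly one self-issued root in the chain")
    while len(order) < len(certs):
        child = [c for c in certs if c not in order and names[c][0] == names[order[-1]][1]]
        if len(child) != 1:
            raise ValueError("chain does not form a single path")
        order.append(child[0])
    return order

def keytool_commands(order, keystore="test.jks", key_alias="tomcat",
                     keytool="/usr/lib/jvm/sun-java-6u11/jre/bin/keytool"):
    """CA certs go in under their own alias with -trustcacerts, the leaf under the key alias."""
    cmds = []
    for i, cert in enumerate(order):
        cn = common_name(cert_names(cert)[1]) or "cert%d" % i
        flags = "-alias %s" % key_alias if i == len(order) - 1 else "-trustcacerts -alias ca%d" % i
        cmds.append('%s -import %s -keystore %s -file "%s.cer"' % (keytool, flags, keystore, cn))
    return cmds

def der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample chain."""
    n = len(content)
    nb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(nb)]) + nb) + content

def make_cert(subject, issuer):
    """Constructed dummy certificate: real field layout, placeholder key and signature."""
    dn = lambda cn: der(SEQUENCE, der(SET, der(SEQUENCE, der(OID, OID_CN) + der(0x0C, cn.encode()))))
    sig_alg = der(SEQUENCE, der(OID, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    tbs = der(SEQUENCE, der(CONTEXT0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + dn(issuer) + der(SEQUENCE, der(0x17, b"250101000000Z") * 2)
              + dn(subject) + der(SEQUENCE, b"\x05\x00"))
    return der(SEQUENCE, tbs + sig_alg + der(0x03, b"\x00"))

def make_p7b(certs):
    """Constructed sample .p7b: SignedData carrying certificates and no signers."""
    signed = der(SEQUENCE, der(0x02, b"\x01") + der(SET, b"") + der(SEQUENCE, der(OID, OID_DATA))
                 + der(CONTEXT0, b"".join(certs)) + der(SET, b""))
    return der(SEQUENCE, der(OID, OID_SIGNED_DATA) + der(CONTEXT0, signed))
```

Run it against a real download with `keytool_commands(import_order(split_pkcs7(open("chain.p7b", "rb").read())))`, then write each certificate out with base64 between CERTIFICATE markers and feed the files to the printed commands. Where OpenSSL is present, `openssl pkcs7 -inform DER -print_certs -in chain.p7b` does the split in one command; the parser here only reads structure and verifies nothing, so after the imports confirm with `keytool -list -v -keystore test.jks` that the tomcat entry shows a chain of three certificates rather than a lone self-signed one.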