• [ScreenOS] How to change the certificate that is used for SSL (HTTPS) WebUI Management


    SUMMARY:

    This article provides information on how to change the certificate that is used for SSL (HTTPS) WebUI Management.

    SYMPTOMS:

    Beginning with ScreenOS 5.1, the firewall creates its own self-signed certificate, which is used for SSL (HTTPS) WebUI management. Customers may want to use their own certificate, which is signed by their own CA (Certificate Authority).

    CAUSE:

     

    SOLUTION:

      1. Load the CA certificate on the firewall.
      2. Generate a PKCS certificate request for the CA to sign.
      3. Load the local certificate on the firewall.
      4. Via the WebUI, go to Configuration > Admin > Management and change the certificate from Default - System Self-Signed Cert to the Local certificate.
      5. Via the CLI, use the following commands:
        get pki x509 list local-cert
        get pki x509 cert <ID num>
        set ssl cert-hash <subject name hash>
        
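        For example (the session below also enables SSL and selects a cipher; the RC4/MD5 suite shown is considered weak today):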
        ssg5-v92-wlan-> get pki x509 list local-cert
         
        Getting LOCAL CERT ...
        IDX  ID num     X509 Certificate Subject Distinguish Name
        ================================================================================
        0000 233832475  LOCAL CERT friendly name <27>
                        CN=ssg5,CN=ssg5-v92-wlan.jnpr.net,CN=rsa-key,CN=016805200700
                        1695,OU=support,O=juniper,C=US,
                        Expire on 05-08-2009 20:03, Issued By:
                        CN=JTAC,OU=Juniper,OU=net,
        ================================================================================
         
         
        ssg5-v92-wlan-> get pki x509 cert 233832475
        -001 233832475  LOCAL CERT friendly name <27>
                        CN=ssg5,CN=ssg5-v92-wlan.jnpr.net,CN=rsa-key,CN=016805200700
                        1695,OU=support,O=juniper,C=US,
                        Expire on 05-08-2009 20:03, Issued By:
                        CN=JTAC,OU=Juniper,OU=net,
        Serial Number: <6132536c000000000002>
        subject alt name extension:
        email(1): (empty)
        fqdn(2): (ssg5-v92-wlan.jnpr.net)
        ipaddr(7): (empty)
        no renew
        finger print (md5) <da98859d c567dd63 acb3d3d3 ce4c9399>
        finger print (sha) <3ba4a8ff 615ac1cc 80da98fd 9bec017a ba1aa61d>
        subject name hash: <24290b21 3a02baef a29c380d 739f60b6 3c1f54f5>
        obj type: <1>
        use count: <1>
        flag <00000000>
         
        ssg5-v92-wlan-> set ssl enable
        ssg5-v92-wlan-> set ssl encrypt "rc4" md5
        ssg5-v92-wlan-> set ssl cert-hash "24290B213A02BAEFA29C380D739F60B63C1F54F5"
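
The CLI prints the subject name hash as space-separated lowercase words in angle brackets, while the set ssl cert-hash line above takes it as one uppercase string. The Python below is an added example, not part of the original article or any Juniper tooling: it parses get pki x509 cert output (sample lines copied from the session above), builds the command, and checks the listed SHA fingerprint against the certificate the CA issued. Function names are hypothetical, and it assumes "finger print (sha)" is SHA-1 over the DER-encoded certificate.

```python
import hashlib
import re

# Lines from the `get pki x509 cert 233832475` output shown on this page.
SAMPLE = """\
-001 233832475  LOCAL CERT friendly name <27>
finger print (md5) <da98859d c567dd63 acb3d3d3 ce4c9399>
finger print (sha) <3ba4a8ff 615ac1cc 80da98fd 9bec017a ba1aa61d>
subject name hash: <24290b21 3a02baef a29c380d 739f60b6 3c1f54f5>
"""

# Field name -> (label regex as printed by the CLI, expected hex digit count)
_FIELDS = {
    "md5": (r"finger print \(md5\)", 32),
    "sha1": (r"finger print \(sha\)", 40),
    "subject_name_hash": (r"subject name hash:", 40),
}


def parse_cert_detail(text):
    """Return the hex fields of a cert detail listing, uppercased, no spaces."""
    out = {}
    for name, (label, width) in _FIELDS.items():
        m = re.search(label + r"\s*<([0-9a-fA-F ]+)>", text)
        if not m:
            raise ValueError(f"field missing from CLI output: {name}")
        value = m.group(1).replace(" ", "").upper()
        if len(value) != width:  # truncated paste or wrong field
            raise ValueError(f"{name}: expected {width} hex digits, got {len(value)}")
        out[name] = value
    return out


def cert_hash_command(text):
    """Build the `set ssl cert-hash` line in the format used in step 5."""
    return 'set ssl cert-hash "%s"' % parse_cert_detail(text)["subject_name_hash"]


def matches_issued_cert(text, der_bytes):
    """Assumption: 'finger print (sha)' is SHA-1 over the DER certificate."""
    local = hashlib.sha1(der_bytes).hexdigest().upper()
    return local == parse_cert_detail(text)["sha1"]


if __name__ == "__main__":
    print(cert_hash_command(SAMPLE))
```

Run matches_issued_cert with the DER bytes of the certificate file received from the CA before switching the WebUI over, so a wrong or stale local certificate is caught before it is bound to HTTPS management.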
  • Original article: https://www.cnblogs.com/floodwater/p/7655846.html