Exporting a X.509 certificate public key from Junos

I’ve just spent the last couple of hours trying to find a way to export the public key from a locally generated, self-signed X.509 certificate on a Juniper SRX-100 firewall. Apparently there is no Junos CLI command to do this, so after poking around the filesystem from a shell on the box, I found the location where Junos stores local certificates and key-pairs.

In the directory /cf/var/db/certs/common you should see at least the following two subdirectories:

drwx------   2 root   wheel   512 Jul 20 16:14 key-pair
drwx------   2 root   wheel   512 Jul 20 16:16 local

In the key-pair directory you should see files for each of your key-pairs, eg. self-cert.priv. In the local directory you will find the actual certificates, eg. self-cert.cert. Both the key-pairs and certificates are stored in binary DER format, which can be read by OpenSSL and converted to the more universal base64-encoded PEM format.

Private keys should really be left alone where they are on the Juniper, but you can safely copy the certificate to other locations, since it does not contain any private key material. Simply scp the certificate file to somewhere that has the OpenSSL tools installed, then use “openssl x509” to read the certificate:

daniel@thinkpad:~$ openssl x509 -in self-cert.cert -inform DER
-----BEGIN CERTIFICATE-----
MIIDSDCCAjCgAwIBAgIRAKybOo9tijNXkhgT9fe0ZFMwDQYJKoZIhvcNAQEFBQAw
TzELMAkGA1UEBhMCREUxJTAjBgNVBAoTHFNldmVudGggU2lnbmFsIEx0ZC4gJiBD
.....
co9vOYXqYv81xnIxg5I0brLqCzruKULy4zc6YHzJAGICMOw2wS9BwRkQUR1B2EZH
2QWUSn4Enj2JJkT3p044U8/q4BKdJ9V52mxQfA==
-----END CERTIFICATE-----

There you have it folks… a base64-encoded PEM-format public certificate.

Leave a Reply