I recently purchased a Juniper MAG SSL VPN device and wanted to authenticate my iOS devices to it, using the Junos Pulse client.

These are some very basic instructions for creating your own Certificate Authority (CA) with OpenSSL and issuing a client certificate for your iOS device.

PREREQUISITES

sudo apt-get install openssl

CREATE OUR OWN CERTIFICATE AUTHORITY

Generate a new private key for our Certificate Authority (CA):

openssl genrsa -out cakey.pem 4096

Use the CA private key to generate the self-signed CA certificate.

The command below produces a certificate valid for 365 days, signed with SHA-256 (older OpenSSL releases default to SHA-1, which the VPN may reject). Modify the -subj option to reflect your organization; the CN here only names the CA and is not mapped to a username. Keep cakey.pem private: anyone holding it can issue a certificate for any username your VPN accepts.

openssl req -new -x509 -sha256 -days 365 -key cakey.pem -out cacert.pem \
  -subj "/C=US/ST=California/L=Redwood City/O=Example/CN=Example CA"

GENERATE A DEVICE CERTIFICATE AND SIGN IT

Generate a new private key for your iOS device:

openssl genrsa -out devicekey.pem 4096

Use the device private key to generate a Certificate Signing Request (CSR).

A CSR carries no validity period, so -days is not used here; the 365-day lifetime is set when the CA signs the request in the next step. Modify the -subj option to reflect your organization. The Juniper VPN device maps the CN field of this certificate to the username, so set CN to the user's login name.

openssl req -new -sha256 -key devicekey.pem -out devicecsr.pem \
  -subj "/C=US/ST=California/L=Redwood City/O=Example/CN=username@example.com"

Acting as our new CA, take the device's CSR and output a signed certificate in PEM format, valid for 365 days. Every certificate issued by a CA must carry a distinct serial number, so increment the -set_serial value for each additional device (or replace it with -CAcreateserial and let OpenSSL keep the counter in cacert.srl).

openssl x509 -req -sha256 -days 365 -in devicecsr.pem -CA cacert.pem -CAkey cakey.pem -set_serial 01 -out devicecert.pem

Export the device's private key and certificate as a PKCS#12 file, the format iOS requires.

A PKCS#12 file is an archive that contains a private key, its X.509 certificate and, optionally, the issuing CA chain. Pass the CA certificate with -certfile (not the device certificate a second time) so the bundle carries the full chain; -name sets the friendly name iOS displays for the identity.

When you run this command you will be prompted for an export password. This password protects the private key inside the file and must be entered again when importing the bundle onto your iOS device, so choose a strong one. If OpenSSL 3.x produces a file that an older iOS refuses to import, add -legacy to fall back to the older PKCS#12 encryption algorithms.

openssl pkcs12 -export -out device.p12 -inkey devicekey.pem -in devicecert.pem -certfile cacert.pem -name "username@example.com"

IMPORT THE CA CERTIFICATE INTO THE JUNIPER VPN

For the VPN device to trust certificates signed by your new CA, import the CA certificate (cacert.pem) into the VPN device. Import only the certificate: the CA private key (cakey.pem) should never leave the machine where you sign requests.

System > Configuration > Certificates > Trusted Client CAs > "Import CA Certificate..."

IMPORT THE DEVICE CERTIFICATE INTO YOUR iOS DEVICE

To import the newly created certificate into your iOS device, attach device.p12 to an email and send it to yourself. Open the email in the Mail app on the iOS device and tap the device.p12 attachment; iOS will prompt for the password you chose when creating the PKCS#12 file and then install the certificate and its private key. Bear in mind that the .p12 is the device's VPN identity: send the password over a different channel than the email, and delete the message once the import succeeds.

TROUBLESHOOTING CERTIFICATES

Here are some useful commands for viewing the contents of each file. The -nodes option prints the private key in clear, so only run the pkcs12 command on a machine you trust, and check that the subject CN shown for devicecert.pem and device.p12 is exactly the username the VPN expects.

openssl rsa -noout -text -in cakey.pem
openssl x509 -noout -text -in cacert.pem
openssl rsa -noout -text -in devicekey.pem
openssl req -noout -text -in devicecsr.pem
openssl x509 -noout -text -in devicecert.pem
openssl pkcs12 -info -nodes -in device.p12
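The whole procedure above, from CA key to verified PKCS#12 bundle, as one POSIX shell script that also covers the troubleshooting checks. This is an added example, not the original post's commands and not anything shipped with the Juniper device or Junos Pulse. Its assumptions: the Example subject fields from the post, an output directory holding all files, a client.ext extension file that marks the leaf as a client-authentication certificate (an addition to the post's signing command), -CAcreateserial for unique serials, the cert_cn and p12_cn helpers that print the CN as the VPN will read it, and the constructed username@example.com / "changeit" defaults for the demo run. It needs only the openssl binary.

```shell
#!/bin/sh
# Added example: scripts the CA + device-certificate procedure end to end and
# verifies the result before anything is handed to the VPN or the phone.
# Directory layout, client.ext and the PKI_* defaults are this script's own
# assumptions, not part of the original post.
set -eu

# make_client_cert DIR CN PASSWORD [BITS] [DAYS]
#   DIR      output directory (created if missing; CA files are reused if present)
#   CN       value the Juniper device maps to the username
#   PASSWORD PKCS#12 export password, typed again on the iOS device
#   BITS     RSA key size (default 4096, as in the post)
#   DAYS     validity of CA and device certificate (default 365)
make_client_cert() {
    dir=$1; cn=$2; pass=$3; bits=${4:-4096}; days=${5:-365}
    mkdir -p "$dir"

    # 1. CA key and self-signed CA certificate. The CA key never leaves this
    #    directory; only cacert.pem is uploaded to the VPN as a Trusted Client CA.
    [ -f "$dir/cakey.pem" ] || openssl genrsa -out "$dir/cakey.pem" "$bits" 2>/dev/null
    [ -f "$dir/cacert.pem" ] || openssl req -new -x509 -sha256 -days "$days" \
        -key "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/C=US/ST=California/L=Redwood City/O=Example/CN=Example CA"

    # 2. Device key and CSR. No -days here: a CSR has no validity period,
    #    the signer sets it in step 3.
    openssl genrsa -out "$dir/devicekey.pem" "$bits" 2>/dev/null
    openssl req -new -sha256 -key "$dir/devicekey.pem" -out "$dir/devicecsr.pem" \
        -subj "/C=US/ST=California/L=Redwood City/O=Example/CN=$cn"

    # 3. Sign the CSR as the CA. -CAcreateserial keeps a counter in cacert.srl
    #    so two devices never share a serial; client.ext (this script's
    #    addition) restricts the leaf to client authentication.
    cat > "$dir/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
    openssl x509 -req -sha256 -days "$days" -in "$dir/devicecsr.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/devicecert.pem" 2>/dev/null

    # 4. Bundle key + leaf + issuing CA into the PKCS#12 the device imports.
    #    -certfile is the CA certificate, not the device certificate again.
    openssl pkcs12 -export -out "$dir/device.p12" -inkey "$dir/devicekey.pem" \
        -in "$dir/devicecert.pem" -certfile "$dir/cacert.pem" \
        -name "$cn" -passout "pass:$pass"
    chmod 600 "$dir/cakey.pem" "$dir/devicekey.pem" "$dir/device.p12"

    # 5. Fail here, not at the VPN: the leaf must chain to the CA we will trust.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/devicecert.pem" >/dev/null
}

# cert_cn CERT.pem -> prints the subject CN, i.e. the username the VPN will see.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/'
}

# p12_cn DEVICE.p12 PASSWORD -> CN of the client certificate inside the bundle,
# the same check done on the .p12 that is actually sent to the device.
p12_cn() {
    tmp=$(mktemp)
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$tmp" 2>/dev/null
    cert_cn "$tmp"
    rm -f "$tmp"
}

# Demo with constructed values; override with PKI_DIR / PKI_CN / PKI_PASS.
demo_dir=${PKI_DIR:-$(mktemp -d)}
make_client_cert "$demo_dir" "${PKI_CN:-username@example.com}" "${PKI_PASS:-changeit}"
echo "bundle: $demo_dir/device.p12  CN as seen by VPN: $(cert_cn "$demo_dir/devicecert.pem")"
```

Run it as-is to build a bundle for the constructed username in a temporary directory, or set PKI_DIR, PKI_CN and PKI_PASS. Running it a second time against the same PKI_DIR reuses the CA and issues the next serial, which is how you add a second device without re-importing anything on the VPN. The final openssl verify step aborts the script if the leaf does not chain to cacert.pem, which is the check worth doing before cacert.pem is configured as a Trusted Client CA.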