In this tutorial, you will learn how to install an SSL certificate on Juniper through the SSL VPN admin console. This is the same console used by Juniper Secure Access (SA) appliances, which later became Pulse Secure and are now sold as Ivanti Connect Secure, so the steps below apply whether your unit is branded Juniper, Pulse, or Ivanti.
Generate a CSR code on Juniper
Before you can install anything, you need a CSR (Certificate Signing Request) and a signed certificate from a Certificate Authority. On a Juniper SSL VPN, the CSR is created on the appliance itself: when you generate it, the device stores the matching private key locally. For that reason, generate the CSR on the same Juniper unit where you will install the certificate, and do not delete the pending CSR before the signed certificate is imported, or the private key goes with it. You have two options:
- Use our CSR Generator to create the CSR and private key, then upload both to the appliance.
- Generate the CSR on the device and follow our step-by-step tutorial on how to generate a CSR on Juniper.
Submit the CSR to the Certificate Authority during your order. After the CA validates it and issues your SSL certificate, continue with the installation below.
Install an SSL certificate on Juniper
Once the Certificate Authority sends you the certificate files, sign in to the Juniper admin console and follow the three steps below.
Step 1: Prepare your files
- Download and extract your SSL certificate and its intermediate CA certificate from the ZIP archive the CA sent you. The console accepts X.509 certificates in PEM or DER encoding, with the extensions .cer, .crt, .der, and .pem.
- If your certificate arrives as text rather than a file, paste its contents into a plain text editor and save it with the .cer extension.
- Do the same for the intermediate certificate and save it as a separate .cer file.
Note: some CAs ship two intermediate certificates for broader compatibility with older clients. If so, save each one as its own .cer file and import them one at a time in the next step.
Step 2: Import your intermediate certificate
- In the admin console, go to System > Configuration > Certificates > Device Certificates, then click Intermediate Device CAs.
- Click Import CA Certificate, browse to your intermediate certificate file, and click Import Certificate to upload it.
- A message confirms the upload. Click Done. If your CA provided two intermediate files, repeat this step for the second one.
Step 3: Import your SSL certificate
- Return to System > Configuration > Certificates > Device Certificates and click the matching Pending CSR link.
- On the Pending Certificate Signing Request page, go to the Import signed certificate section, browse to your primary SSL certificate file, and click Import.
- A confirmation message appears, and your certificate now shows in the list of Device Certificates. The appliance chains the certificate to the intermediate you imported in Step 2 automatically.
After the certificate is in place, bind it to the relevant virtual port or internal and external interface under Device Certificates so the appliance serves it to users, then save your changes.
Congratulations, your SSL certificate is now installed on your Juniper SSL VPN.
Test your Juniper SSL installation
Check the certificate for errors right after configuration. Our SSL Checker gives you an instant status report, confirms the chain is complete, and flags common vulnerabilities. Point the checker at the public hostname and port your Juniper VPN listens on.
Frequently Asked Questions
In the admin console, under System > Configuration > Certificates > Device Certificates. Import the intermediate certificate under Intermediate Device CAs first, then open the matching Pending CSR and use Import signed certificate to upload your SSL certificate.
Yes, it is the same product line under different owners. Juniper sold its Secure Access (SA) SSL VPN business, which was rebranded Pulse Secure and is now Ivanti Connect Secure. The admin console and the certificate import path are effectively identical, so these steps work across all three.
When you create a CSR in the Juniper console, the device stores the matching private key locally. The signed certificate can only be imported back into that same pending CSR, because it has to pair with that key. If you delete the pending CSR, the private key is deleted with it and the certificate becomes unusable.
X.509 device certificates in PEM or DER encoding, with the extensions .cer, .crt, .der, and .pem. The console also accepts PKCS #12 bundles with the .pfx or .p12 extension, which carry the certificate and private key together.
Yes. Import the intermediate under Intermediate Device CAs before importing your SSL certificate. Once both are present, the appliance chains them in the correct order automatically. Skipping the intermediate leaves an incomplete chain, which clients report as an untrusted certificate.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


