SRX

SRX to SRX VPN with self signed certificates

  • 1.  SRX to SRX VPN with self signed certificates

    Posted 03-23-2019 01:52
    Hi,

    I’m looking to create a VPN between 2 SRX devices. I want to use self signed certificates to authenticate the VPN.

    Does anyone know the procedure for this?


  • 2.  RE: SRX to SRX VPN with self signed certificates

    Posted 03-23-2019 18:57

    A self-signed certificate will not work with certificate-based VPN as it does not have a trust level. You need an external CA certificate and it should be loaded on both SRXs. You can configure your own local CA server on Windows Server or Linux and request certificates from it, or use a certificate from a well-known public CA ($$$).




  • 3.  RE: SRX to SRX VPN with self signed certificates

    Posted 03-24-2019 01:37
    Thanks for the reply,

    I’m really trying to avoid using our main CA for this one. Is there any way I can use one of these SRX devices as the CA and sign itself and the other SRX?

    So in effect, one SRX is the CA and they both get signed that way?

    Thanks


  • 4.  RE: SRX to SRX VPN with self signed certificates

    Posted 03-24-2019 02:14

    The SRX cannot be configured as a root CA server to sign certificate requests.



  • 5.  RE: SRX to SRX VPN with self signed certificates

    Posted 03-24-2019 03:07
    Can I create a self signed certificate and simply export the public key out to the other SRX?

    Then do the same on the other SRX so essentially each SRX has the others public key to create trust?

    I remember old Cisco world could do this ... thanks


  • 6.  RE: SRX to SRX VPN with self signed certificates

    Posted 03-24-2019 03:34

    I personally use the XCA tool for all internal certificate signing. If you are sure these SRXs do not need to use the certificate with any external machine, you may set up your own CA with the XCA tool.



  • 7.  RE: SRX to SRX VPN with self signed certificates

    Posted 03-24-2019 03:50
    Thanks for that.

    Just to confirm, is that this tool:
    https://sourceforge.net/projects/xca/

    Can I export self signed certificates to this and then manage signing them between multiple SRX firewalls?

    Don’t suppose you have any more literature for this?

    Thanks


  • 8.  RE: SRX to SRX VPN with self signed certificates
    Best Answer

    Posted 03-24-2019 04:02

    Yup, that's the one. I don't see a point in exporting self-signed certs into it.


    What you can do is:

    1. Set up a Root CA on the tool

    2. Set up intermediates (which won't be necessary for your setup AFAIK)

    3. Create certificate requests on both SRX boxes, export them to the tool and get them signed with the CA you set up

    4. Export the certs and load them on the individual SRXs, along with the CA cert

    5. Configure your VPNs


    I don't have any guide for XCA, but it is a very simple-to-use GUI. It uses OpenSSL in the backend; powerful, easy to use.

    (If you are a Linux person, forget XCA - you can directly use the OpenSSL CLI 🙂 )

    Feel free to share screenshots if you run into any trouble.



  • 9.  RE: SRX to SRX VPN with self signed certificates

    Posted 03-24-2019 04:06
    Thanks very much


  • 10.  RE: SRX to SRX VPN with self signed certificates

    Posted 03-24-2019 04:13

    You are welcome - and thanks for the Kudos! 🙂

    Keep us posted on how it goes.