A self-signed certificate will not work with certificate-based VPN as it does not have a trust level. You need an external CA certificate, and it should be loaded on both SRXs. You can configure your own local CA server on Windows Server or Linux and request certificates from it, or use a certificate from a well-known public CA ($$$).
SRX cannot be configured as a root CA server to sign certificate requests.
I personally use the XCA tool for all internal certificate signing. If you are sure these SRXs do not need to use the certificate with any external machine, you may set up your own CA with the XCA tool.
Yup, that's the one. I don't see a point in exporting self-signed certs into it.
What you can do is:
1. Setup a Root CA on the tool
2. Setup intermediates (which won't be necessary for your setup, AFAIK)
3. Create certificate requests on both SRX boxes, export them to the tool and get them signed with the CA you set up
4. Export the certs and load them on the individual SRXs, along with the CA cert
5. Configure your VPNs
I don't have any guide for XCA, but it is a very simple-to-use GUI. It uses OpenSSL in the backend: powerful, easy to use.
(If you are a Linux person, forget XCA - you can directly use the OpenSSL CLI 🙂 )
Feel free to share screenshots if you run into any trouble.
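The same five steps done with the OpenSSL CLI instead of XCA, as an added example that is not from this thread or from Juniper: build a private root CA, sign requests for two peers, and verify the resulting chain the way a peer holding the CA cert would. It assumes `openssl` is installed; the CSRs here are generated locally as stand-ins for the ones a real SRX would generate on-box and export, and a self-signed cert is built alongside to show why it fails the trust check.

```shell
#!/bin/sh
# Added example, not the thread's or Juniper's code. Assumes openssl is on PATH.
# Names, CNs and the $WORK directory are constructed for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Step 1: root CA. prompt=no takes the subject from [dn]; [v3_ca] marks it a CA.
make_root_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Lab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
# Step 3: certificate request. A real SRX generates this on-box and exports it;
# here a locally generated key+CSR stands in for it ($1 = peer name, constructed).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1.lab.example" 2>/dev/null
}
# Sign the CSR with the root CA as an end-entity certificate (CA:FALSE).
sign_csr() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}
# Step 4: what the peer does once the CA cert is loaded: build and check the
# chain. Exit status 0 means trusted; anything not issued by this CA fails.
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}
# Self-signed peer certificate (constructed) to contrast with the CA-signed ones.
make_selfsigned() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -subj "/CN=self" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}
make_root_ca
for peer in srx1 srx2; do make_csr "$peer"; sign_csr "$peer"; done
```

Load `ca.crt` plus each peer's own `.crt`/`.key` on the respective box; `verify_against_ca "$WORK/srx1.crt"` succeeds while the self-signed `self.crt` does not.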
You are welcome - and thanks for the Kudos! 🙂
Keep us posted on how it goes.