I need to inspect HTTPS traffic over SKYATP, so I configured a forward proxy and attached it to the security policy.
I loaded a certificate signed by a public CA to the SRX and used it in the forward proxy, but when clients tried to browse HTTPS they got a certificate error.
- Do I have to load the signed SRX certificate into clients' browsers, as it's already signed by a public CA which is already in the browsers' CA list?
- When generating the certificate request in the SRX, is it required to fill in correct values for the subject, domain, IP...?
"as the firewall is not joined to a domain and doesn't have a public IP"
- Is there a way to test if the imported SRX certificate is valid "from the SRX itself" and communicates with the CA properly?
What's the error shown on the clients' side?
Can you share the SSL profile configuration?
Can you provide the following commands in order to confirm that the trust chain is complete:
show security pki local-certificate detail certificate-id <certificate-id-name>
request security pki local-certificate verify certificate-id <certificate-id-name>
show security pki ca-certificate detail <ca-profile ca-profile-name>
Attached are the SSL configuration and the error shown on the client side "I can't share the certificate outputs".
Could you please answer my questions raised in the previous update.
The error you are receiving is because the SRX was not able to authenticate the Facebook server and because of this, it sends a dummy cert to the PC in order to inform about this error. See "Server Authentication" section:
When the SRX contacts Facebook and the server provides its local cert, the SRX will try to authenticate it with the CA certs stated under:
set services ssl proxy profile ssl-inspect-profile trusted-ca [Trusted_CA-Certs]
I just connected to Facebook and received the cert attached in file "Facebook cert". We can see that this cert was issued/signed by "Digicert SHA2 High Assurance Server CA", which is an Intermediate CA. In attached file "Facebook cert-3" we can see that "Digicert" signed/issued that Intermediate CA cert, hence "Digicert" is the Root CA. We need to make sure that both the Intermediate CA cert and the Root CA cert are loaded in the SRX if we want it to trust the local cert provided by Facebook.
I believe you need to change the value "sky-atp-ca" to "all" so that the SRX will check all installed CA certs when authenticating Facebook or any other external website. Note that the "all" option means that the SRX will check all installed CA certs when authenticating an external cert. Juniper packages come with pre-installed CA certs that can be loaded with the following command:
request security pki ca-certificate ca-profile-group load ca-group-name ca-default filename default
Check "Trusted CA List" section in the following doc:
Try installing the Trusted CA list provided by Juniper and using option "all" under [edit services ssl proxy profile ssl-inspect-profile trusted-ca]. If the issue persists after that, then we will confirm if the SRX does have the Root CA cert (Digicert) and the Intermediate CA cert (Digicert SHA2 High Assurance Server CA) installed correctly.
I imported the CA cert list to the SRX, but I got a browser certificate error that "this certificate can't be used for this purpose", which means it can't be used as a trusted root certificate.
So I used a self-signed certificate and imported it into the client trusted root certificate folder, then I was able to browse HTTPS over Microsoft Explorer only, although I imported the certificate into the other explorers' directories. Any idea here?
So, is the first reported issue no longer happening? Please note that my previous suggestions were to be applied on the SRX only.
Assuming that the first issue was solved, my understanding is that in the PCs we need to install a cert that was previously self-signed by the SRX. See step 1 in the following doc and let me know if you followed a similar process:
Yes, I used the self-signed certificate, loaded it to clients, and loaded the list of CA certs, and then was able to browse the HTTPS traffic.
Thanks for the support
Welcome to the wonderful world of X.509. I ran into the same issue when trying to use a cert signed by an internal root CA. You need to check the following fields on the cert.
X509v3 Basic Constraints: critical, CA:TRUE, pathlen:(greater than 0, should at least be 1)
X509v3 Key Usage: critical, Digital Signature, Certificate Sign, CRL Sign
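A way to check a candidate signing certificate for the fields named above, and to confirm that a cert it issued chains back to it, added here as an example and not part of the thread. It assumes openssl 1.1.1 or later is on PATH; the CA and server certificates it creates are constructed demo material, not anything from the SRX.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes openssl 1.1.1+ on PATH.
set -e
# Return 0 if the cert carries the extensions a proxy signing CA needs
# (Basic Constraints CA:TRUE, Key Usage Certificate Sign), 1 if not, 2 if unreadable.
check_proxy_ca() {
  text=$(openssl x509 -in "$1" -noout -text) || return 2
  printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' \
    || { echo "$1: Basic Constraints lacks CA:TRUE"; return 1; }
  printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' \
    || { echo "$1: Key Usage lacks Certificate Sign"; return 1; }
  echo "$1: usable as a forward-proxy signing CA"
}

# Print OK if the leaf chains to the CA bundle, FAIL otherwise (the same
# check the SRX runs with "request security pki local-certificate verify").
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
}

# Constructed demo material in $1: a self-signed CA plus a server cert it issued.
make_demo_certs() {
  cat >"$1/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Proxy Signing CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
  openssl req -x509 -new -config "$1/x.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -keyout "$1/ca.key" -out "$1/ca.pem" -days 1 2>/dev/null
  openssl req -new -config "$1/x.cnf" -subj '/CN=www.example.test' \
    -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/x.cnf" -extensions leaf_ext \
    -out "$1/leaf.pem" -days 1 2>/dev/null
}
dir=$(mktemp -d)
make_demo_certs "$dir"
check_proxy_ca "$dir/ca.pem"            # accepted: CA:TRUE + Certificate Sign
check_proxy_ca "$dir/leaf.pem" || true  # rejected: a server cert cannot sign
echo "leaf chains to CA: $(verify_chain "$dir/ca.pem" "$dir/leaf.pem")"  # OK
```

Run the first check against the certificate you intend to load under the SSL proxy profile; a public CA will not issue one with CA:TRUE, which is why the thread ends up with a self-signed CA installed in the clients' trust stores.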