SRX


SSL Forward Proxy With Signed Certificate

  • 1.  SSL Forward Proxy With Signed Certificate

    Posted 02-22-2019 18:36

    Hello,

    I was able to implement SSL FP on our SRX devices. The thing is I used a locally generated certificate with the add-ca-constraint option. The thing is I need to use a certificate which is signed by our CA (Windows 2012 CA if that matters). If I reference a certificate that was signed by the CA, on the end host I am getting a "certificate issuer cannot be found" error.

    Any help is greatly appreciated.
    Thanks



  • 2.  RE: SSL Forward Proxy With Signed Certificate

     
    Posted 02-22-2019 19:54

    Hello,

     

    Since the browser is complaining about the issuer not found, I believe it is one of the two:

    > Root CA used to sign the SRX certificate is not available in the browser

    > Browser is not receiving the correct signed certificate. Are you able to view the certificate to see if it is indeed, signed by your CA incstead of a Public CA?

     

    Regards,

     

    Vikas



  • 3.  RE: SSL Forward Proxy With Signed Certificate

     
    Posted 02-22-2019 20:05

    Hi 

     

    Just an additional point I forgot to ask. Is the SRX Cert signed by a Root or a Subordinate CA? Although I dont think it matters much in a Domain environmeent, where the trust goes upto the root.

     

    https://knowledge.digicert.com/solution/SO3554.html

     

    I would check this and then probably focus on the certificate I am receiving from the SRX.

     

    Regards,

     

    Vikas



  • 4.  RE: SSL Forward Proxy With Signed Certificate

    Posted 02-23-2019 06:04

    Hi Vikas,

    Thanks for replying. If I https directly to the box (fxp0) then the browser is happy, since it sees the Root CA which it trusts as well.



  • 5.  RE: SSL Forward Proxy With Signed Certificate

     
    Posted 02-23-2019 06:56

    Hi,

     

    The certificate for device management (fxp) and that when you get during SSL proxy are two different ones.

     

    Were you able to verify the ceritifcate defined under the ssl proxy profile?

    Has the certificate been given certificate signing rights?

     

    Regards,

     

    Vikas



  • 6.  RE: SSL Forward Proxy With Signed Certificate

    Posted 02-23-2019 07:17

    > Were you able to verify the certificate defined under the ssl proxy profile? 

        It is the same certificate.

    > Has the certificate been given certificate signing rights?

        No and I need to find out how to do that with our root CA.

     

    I was looking at the templates that our Root CA has and found an interesting one titled Subordinate Certification Authority. I used it to sign the request but the SRX refuses to load the cert.

     

    root@SRX# request security pki local-certificate load certificate-id XXXX filename /var/tmp/certnew.cer            
    error: error load certid<XXXXX>


  • 7.  RE: SSL Forward Proxy With Signed Certificate
    Best Answer

     
    Posted 02-25-2019 03:41

    Hello,

     

    The certificates need to be different. The one for the JWEB is a web-server certificate while the one for the SSL proxy should be a Subordinate CA Certificate signing certificate.

     

    I believe the error is because you are trying to load the certificate from the CA to the same certificate-id.

     

    My suggestion:

    > Create a new certificate signing request (CSR)

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10175&cat=J_SERIES&actp=LIST

    > Get this signed by the CA as a Subordinate CA certificate. You can refer to a thread in the below forum link

    https://forums.juniper.net/t5/SRX-Services-Gateway/Prepare-CA-for-SSL-Proxy-configuration/td-p/321061

    > Load the signed certificate on the firewall for the new cert-id

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10176&actp=METADATA

    > Reference the new cert-id in the ssl-proxy profile

    > If you still have issues can you share a screenshot of the "Key Usage" in field in the certificate

    https://knowledge.digicert.com/solution/SO18140.html

     

    I hope this helps. Regards,

     

    Vikas
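    The point of the answer above is that a web-server certificate and a CA signing certificate are different things, and only the latter can be used by the ssl-proxy profile to issue certificates on the fly. The following shell script is an added example (not from this thread, Juniper, or the Windows CA) that uses openssl to check a PEM certificate for the two CA properties that the Key Usage screenshot Vikas asks for would reveal: Basic Constraints CA:TRUE and the keyCertSign key usage. It assumes openssl is installed, and builds two constructed self-signed certificates to show a failing (web-server template) and a passing (subordinate CA template) case.

```shell
#!/bin/sh
# Check whether a PEM certificate can act as a signing CA for SSL forward proxy.
# Returns 0 if it is a CA with keyCertSign, 1 if not, 2 if the file cannot be parsed.
ssl_proxy_cert_ok() {
  txt=$(openssl x509 -in "$1" -noout -text) || return 2
  # A web-server certificate carries CA:FALSE (or no Basic Constraints at all).
  echo "$txt" | grep -q 'CA:TRUE' || { echo "$1: not a CA certificate (Basic Constraints)"; return 1; }
  # openssl prints the keyCertSign bit as "Certificate Sign" under X509v3 Key Usage.
  echo "$txt" | grep -q 'Certificate Sign' || { echo "$1: missing keyCertSign in Key Usage"; return 1; }
  echo "$1: usable as an ssl-proxy signing certificate"
  return 0
}

# Constructed test material (hypothetical names), self-signed for simplicity.
# $1 = basename, $2 = basicConstraints value, $3 = keyUsage value
WORK=$(mktemp -d)
make_cert() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $1
[ext]
basicConstraints = $2
keyUsage = $3
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Looks like a JWEB / web-server certificate: fails the check.
make_cert web   'CA:FALSE'                   'digitalSignature,keyEncipherment'
# Looks like a Subordinate CA template certificate: passes the check.
make_cert subca 'critical,CA:TRUE,pathlen:0' 'critical,keyCertSign,cRLSign'

ssl_proxy_cert_ok "$WORK/web.pem"
ssl_proxy_cert_ok "$WORK/subca.pem"
```

    Run it against the .cer you received from the CA (convert DER to PEM first with openssl x509 -inform der) before loading it under a fresh certificate-id on the SRX.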



  • 8.  RE: SSL Forward Proxy With Signed Certificate

    Posted 02-25-2019 09:21

    Thanks Vikas. It helped a lot!