I am planning to set up a certificate-based site-to-site VPN with a Palo.
I am planning to use the Palo as a CA to generate the certificate and then load this certificate into the SRX. Is it possible to do it this way?
Please note that the CSR is not created within the SRX, so it will be importing the certificate together with the private key.
As the Palo is able to generate a certificate and then export it with the private key in PEM-encoded format, I guess the question really is:
Can the SRX load an externally generated certificate as well as the private key?
When I try to load it, it gives an error message like this:
root@SRX01> request security pki local-certificate load filename /var/tmp/cert.crt key /var/tmp/priv.key passphrase password certificate-id test1
node1:
--------------------------------------------------------------------------
error: error load certid<test1>
Actually I am having the same problem even when trying to just load an external certificate:
root@SRX01> request security pki local-certificate load filename /cf/var/tmp/cert3.crt certificate-id cert3
error: error load certid<cert3>
Can anyone help?
How was the local certificate generated? From a PA firewall? Or did you generate a CSR from the SRX itself?
This is the process I've had success with for loading a local cert for HTTPS:
1. Generate a key pair.
request security pki generate-key-pair certificate-id SRX001 size 2048 type rsa
2. Generate a PKCS#10 request:
request security pki generate-certificate-request certificate-id SRX001 subject "CN=SRX001,OU=IT Department,O=My Company,L=Oahu,S=HI,C=US" domain-name SRX001.mycompany.com
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE REQUEST-----
3. Have the CSR signed by the CA.
4. Upload the signed cert to the firewall, then issue the following command (if HA, this can only be performed on the active node):
request security pki local-certificate load certificate-id SRX001 filename /var/tmp/SRX001-local.cer
5. Verify that the certificate is loaded on the device:
show security pki local-certificate
Following https://live.paloaltonetworks.com/docs/DOC-6215, I was able to create a root CA on the Palo.
I also created a local certificate on the Palo, signed by that same root CA.
I exported both the root CA and the local cert generated by the PA in PEM format, with a password.
I used scp to upload these 2 files to the SRX210.
1. I created a ca-profile on the SRX:
set security pki ca-profile SRX_PA_VPN ca-identity SRX_PA_VPN
set security pki ca-profile SRX_PA_VPN revocation-check disable
2. Load the root certificate:
SRX210> request security pki ca-certificate load ca-profile SRX_PA_VPN filename /cf/var/tmp/cert_Root_CA_VPN.pem
Fingerprint:
ad:af:b2:54:43:49:c4:b9:fd:fb:e5:6c:42:ee:92:94:b4:c5:2a:ef (sha1)
dd:f9:4e:8f:c2:7e:0c:45:6c:31:7c:51:8b:ff:67:d7 (md5)
Do you want to load this CA certificate ? [yes,no] (no) yes
CA certificate for profile SRX_PA_VPN loaded successfully
3. "show security pki ca-certificate detail" to verify.
4. Load the local certificate:
SRX210> request security pki local-certificate load certificate-id srx001 filename /cf/var/tmp/cert_srx001.pem passphrase srxpaloalto key /cf/var/tmp/cert_srx001.pem
Local certificate loaded successfully
5. "show security pki local-certificate detail" to verify.
I'm able to use the local cert for https:
set system services web-management https pki-local-certificate srx001
Hope this helps.
This is very helpful indeed, thank you very much for your time. Now I am able to import both the CA and the external certificate; however, when I try to verify the cert generated by the Palo, it fails.
root@srx# set security pki ca-profile testca ca-identity testca
root@srx# set security pki ca-profile testca revocation-check disable
root@srx# commit and-quit
root@srx> request security pki local-certificate load filename /var/tmp/test.crt key /var/tmp/test.key certificate-id test passphrase test
Local certificate loaded successfully
root@srx> request security pki ca-certificate load filename /var/tmp/testca.crt ca-profile testca
Do you want to load this CA certificate ? [yes,no] (no) yes
CA certificate for profile test3 loaded successfully
However, when I try to verify the cert, it fails:
root@srx> request security pki local-certificate verify certificate-id test
Local certificate test verification failed
Do you have any idea?
Thanks for your help!
It's successful for me...
SRX001> request security pki local-certificate verify certificate-id srx001
Local certificate srx001 verification success
Can you make sure the date/time on the FW is correct? Also do a "show security pki local-certificate" and check the certificate's validity.
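As an added example, not code from this thread or from Juniper or Palo Alto: the script below uses openssl on a constructed throwaway CA to reproduce, off-box, the checks that decide whether the SRX load and verify steps above succeed: that the private key file actually belongs to the certificate (with and without an export passphrase, as in the "passphrase" load), that the certificate chains to the CA loaded into the ca-profile, and that it is inside its validity window at the firewall's clock, which is why a wrong date/time makes "verify" fail on an otherwise good certificate. The CA name, certificate-id, file names and passphrase are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds with openssl the checks the
# SRX applies when loading and verifying a local certificate, on a constructed
# throwaway PKI. Names (Test-Root-CA, srx001, passphrase) are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca.crt"
CERT="$WORK/srx001.crt"
KEY="$WORK/srx001.key"
ENC_KEY="$WORK/srx001.enc.key"
OTHER_KEY="$WORK/other.key"
PASS="srxpaloalto"

# Mimic the Palo workflow: the CA generates the end-entity key and cert itself
# (no CSR from the SRX) and exports the key PEM protected by a passphrase.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Test-Root-CA" -keyout "$WORK/ca.key" -out "$CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=srx001" \
        -keyout "$KEY" -out "$WORK/srx001.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/srx001.csr" \
        -CA "$CA" -CAkey "$WORK/ca.key" -CAcreateserial -out "$CERT" 2>/dev/null
    openssl pkey -in "$KEY" -aes256 -passout "pass:$PASS" -out "$ENC_KEY"
    # An unrelated key, to show the match check catching a wrong key file.
    openssl genrsa -out "$OTHER_KEY" 2048 2>/dev/null
}

# Check 1: the private key belongs to the certificate. Compares the public key
# embedded in the cert with the public half derived from the key file. $3 is an
# optional passphrase for an encrypted key, like "passphrase" on the SRX load.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    if [ $# -ge 3 ]; then
        key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null | openssl sha256)
    else
        key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    fi
    [ "$cert_pub" = "$key_pub" ]
}

# Check 2: the certificate chains to the CA certificate in the ca-profile.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: chain validity evaluated at a given clock time (seconds since the
# epoch). A firewall whose clock is outside notBefore..notAfter fails here even
# though the same cert verifies fine on a device with the correct time.
valid_at() {
    openssl verify -CAfile "$1" -attime "$3" "$2" >/dev/null 2>&1
}

make_test_pki
NOW=$(date +%s)
THIRTY_DAYS_AGO=$((NOW - 30 * 86400))

if key_matches_cert "$CERT" "$KEY"; then echo "plain key matches cert"; fi
if key_matches_cert "$CERT" "$ENC_KEY" "$PASS"; then echo "encrypted key matches cert"; fi
if ! key_matches_cert "$CERT" "$OTHER_KEY"; then echo "unrelated key rejected"; fi
if chain_ok "$CA" "$CERT"; then echo "cert chains to CA"; fi
if valid_at "$CA" "$CERT" "$NOW"; then echo "valid at current time"; fi
if ! valid_at "$CA" "$CERT" "$THIRTY_DAYS_AGO"; then
    echo "verification fails with the clock 30 days behind (cert not yet valid)"
fi
```

Run the same three checks against the real PEM files exported from the Palo before copying them to the SRX: if key_matches_cert fails, the wrong key (or wrong passphrase) was exported; if chain_ok fails, the CA loaded into the ca-profile is not the one that signed the cert; if valid_at with the firewall's own clock fails while it passes at the current time, fix the date/time (or NTP) on the SRX before retrying "request security pki local-certificate verify".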
Thank you for your help Sam, I have done it again and now it works.