
SRX site to site VPN with Palo using self signed certificate

  • 1.  SRX site to site VPN with Palo using self signed certificate

    Posted 01-13-2015 09:17

    Hi Guys,

    I am planning to set up a site to site VPN with Palo based on certificate.

    I am planning to use Palo as a CA to generate a certificate, then load this certificate into the SRX. Is it possible to do it this way?

    Please note that the CSR is not created within the SRX, so it will be importing the certificate with private key.

    Thanks.



  • 2.  RE: SRX site to site VPN with Palo using self signed certificate

    Posted 01-13-2015 09:49

    As Palo is able to generate a certificate and then export it with the private key in PEM encoded format, I guess the question really is:

    Can the SRX load an externally generated certificate as well as a private key?

    When I try to load it, it gives an error message like this:

    root@SRX01> request security pki local-certificate load filename /var/tmp/cert.crt key /var/tmp/priv.key passphrase password certificate-id test1

    node1:
    --------------------------------------------------------------------------
    error: error load certid<test1>



  • 3.  RE: SRX site to site VPN with Palo using self signed certificate

    Posted 01-13-2015 13:46

    Actually I am having the same problem even trying to just load an external certificate.

    root@SRX01> request security pki local-certificate load filename /cf/var/tmp/cert3.crt certificate-id cert3
    error: error load certid<cert3>

    Can anyone help?

    Thanks.



  • 4.  RE: SRX site to site VPN with Palo using self signed certificate

     
    Posted 01-14-2015 06:41

    Hello.

    How was the local certificate generated? From a PA firewall, or did you generate a CSR from the SRX itself?

    This is the process I've had success with for loading a local cert for https:

    1. Generate a key pair.

    request security pki generate-key-pair certificate-id SRX001 size 2048 type rsa

    2. Generate a PKCS#10 request.

    request security pki generate-certificate-request certificate-id SRX001 subject "CN=SRX001,OU=IT Department,O=My Company,L=Oahu,S=HI,C=US" domain-name SRX001.mycompany.com

    Generated certificate request
    -----BEGIN CERTIFICATE REQUEST-----
    xxxxxxxxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxxxxxxxx
    -----END CERTIFICATE REQUEST-----

    3. Have the CSR signed by the CA.

    4. Upload the signed cert to the firewall, then issue the following command (if HA, this can only be performed on the active node):

    request security pki local-certificate load certificate-id SRX001 filename /var/tmp/SRX001-local.cer

    5. Verify the certificate loaded on the device:

    show security pki local-certificate

    Regards,

    Sam



  • 5.  RE: SRX site to site VPN with Palo using self signed certificate
    Best Answer

     
    Posted 01-14-2015 07:20

    PA5050: 6.0.6

    SRX210: 12.1X44-D40

    Following https://live.paloaltonetworks.com/docs/DOC-6215, I was able to create a root CA on the Palo.

    I also created a local certificate on the Palo, signed by the same root CA.

    I exported both the root CA and the local cert generated by the PA, in PEM format, with a password.

    I used scp to upload these 2 files to the SRX210.

    1. I created a ca-profile on the SRX:

    configure

    set security pki ca-profile SRX_PA_VPN ca-identity SRX_PA_VPN

    set security pki ca-profile SRX_PA_VPN revocation-check disable

    commit and-quit

    2. Load the root certificate:

    SRX210> request security pki ca-certificate load ca-profile SRX_PA_VPN filename /cf/var/tmp/cert_Root_CA_VPN.pem
    Fingerprint:
      ad:af:b2:54:43:49:c4:b9:fd:fb:e5:6c:42:ee:92:94:b4:c5:2a:ef (sha1)
      dd:f9:4e:8f:c2:7e:0c:45:6c:31:7c:51:8b:ff:67:d7 (md5)
    Do you want to load this CA certificate ? [yes,no] (no) yes

    CA certificate for profile SRX_PA_VPN loaded successfully

    3. "show security pki ca-certificate detail" to verify.

    4. Load the local certificate:

    SRX210> request security pki local-certificate load certificate-id srx001 filename /cf/var/tmp/cert_srx001.pem passphrase srxpaloalto key /cf/var/tmp/cert_srx001.pem
    Local certificate loaded successfully

    5. "show security pki local-certificate detail" to verify.

    I'm able to use the local cert for https:

    set system services web-management https pki-local-certificate srx001

    Hope this helps.

    Sam



  • 6.  RE: SRX site to site VPN with Palo using self signed certificate

    Posted 01-14-2015 08:06

    Hi Sam,

    This is very helpful indeed, thank you very much for your time. Now I am able to import both the CA and the external certificate; however, when I try to verify the cert generated by Palo, it fails.

    root@srx# set security pki ca-profile testca ca-identity testca
    [edit]
    root@srx# set security pki ca-profile testca revocation-check disable
    [edit]
    root@srx# commit and-quit 
    commit complete
    root@srx>request security pki local-certificate load filename /var/tmp/test.crt key /var/tmp/test.key certificate-id test passphrase test
    Local certificate loaded successfully
    root@srx> request security pki ca-certificate load filename /var/tmp/testca.crt ca-profile testca 
    Fingerprint:
    7a:7a:89:fa:40:f2:7e:73:fe:c5:ca:5e:f6:5b:a2:2a:cf:c8:7e:26 (sha1)
    cd:56:d4:ed:5f:3e:43:ef:ce:ef:d0:a2:75:da:c8:76 (md5)
    Do you want to load this CA certificate ? [yes,no] (no) yes
    CA certificate for profile test3 loaded successfully

    However, when I try to verify the cert, it fails:

    root@srx> request security pki local-certificate verify certificate-id test 
    Local certificate test verification failed

    Do you have any idea?

    Thanks for your help!



  • 7.  RE: SRX site to site VPN with Palo using self signed certificate

     
    Posted 01-14-2015 09:29

    Hmm.

    It's successful for me...

    SRX001> request security pki local-certificate verify certificate-id srx001
    Local certificate srx001 verification success

    Can you make sure the date/time on the FW is correct? Also do a "show security pki local-certificate" and check the certificate's validity.

    Regards,

    Sam
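The checks the SRX performs at "ca-certificate load", "local-certificate load ... key" and "local-certificate verify" (post 5), and the validity-window check suggested in post 7, can be run offline with openssl before the files are copied to the firewall. The script below is an added example, not code from this thread or from Juniper or Palo Alto; it assumes openssl is installed and constructs a throwaway root CA and leaf in place of the exported cert_Root_CA_VPN.pem and cert_srx001.pem files.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks with openssl on a PEM
# certificate, its private key and the issuing CA before loading them into the
# SRX PKI store. The CA and leaf are constructed here so the script runs
# offline; real files would be the ones exported from the PA.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed material: a self-signed root CA and a leaf it signs, standing in
# for the exported cert_Root_CA_VPN.pem and cert_srx001.pem from the thread.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Root_CA_VPN" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=srx001" \
        -keyout "$WORK/srx001.key" -out "$WORK/srx001.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/srx001.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 90 -out "$WORK/srx001.pem" 2>/dev/null
}
# ca_fingerprint CA: SHA-1 fingerprint in the lowercase colon form the SRX
# prints at "ca-certificate load", so the prompt can be compared before "yes".
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr 'A-Z' 'a-z'
}
# check_pair CERT KEY: the key must belong to the certificate (same public key),
# which "local-certificate load ... key ..." requires.
check_pair() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
# check_chain CERT CA: the leaf must verify against the CA in the ca-profile;
# this is the check "local-certificate verify" performs on the box.
check_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
# check_validity CERT: valid now and for at least one more day. A firewall clock
# outside this window is the usual reason verification fails after a clean load.
check_validity() {
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1
}

make_test_pki
echo "CA fingerprint (sha1): $(ca_fingerprint "$WORK/ca.pem")"
check_pair "$WORK/srx001.pem" "$WORK/srx001.key" && echo "key matches certificate"
check_chain "$WORK/srx001.pem" "$WORK/ca.pem"    && echo "certificate chains to CA"
check_validity "$WORK/srx001.pem"                && echo "certificate within validity window"
```

Point the three check functions at the real PA exports (cert, key and CA file) and the fingerprint at the CA file; a mismatch in any of them explains an "error load certid" or "verification failed" on the SRX before anything is loaded.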



  • 8.  RE: SRX site to site VPN with Palo using self signed certificate

    Posted 01-15-2015 15:23

    Thank you for your help Sam, I have done it again and now it works.