Best Practices for Installing SSL Certificate Chain on SRX for SSL VPN?

    Posted 19 days ago

    I've been working on setting up SSL VPN on an SRX (using Juniper Secure Connect) with a public wildcard certificate, and I ran into certificate validation issues until I started looking more closely at the certificate chain.

    It made me realize that a lot of people focus on importing the server certificate and key, but not always the full intermediate chain. Browsers seem more forgiving because they can fetch intermediates automatically, but VPN clients are not.

    What's your usual best practice when installing public CA certificates on SRX for SSL VPN? Do you always manually import the full chain? Any tips to quickly verify that the SRX is actually presenting the complete chain during the handshake?

    I've been documenting some of these common SSL VPN certificate pitfalls on my site as well, since this seems to be a recurring issue in many deployments.

    Curious to hear how others handle this in production environments.



    ------------------------------
    [https://router-19216811.com/]
    ------------------------------
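
One way to run the handshake check the post asks about, as an added example that is not part of the original post: a shell function that reads `openssl s_client -showcerts` output and reports whether the gateway sent only the leaf or a linked chain. The function name `check_chain`, the host `vpn.example.test` and both sample outputs are constructed for illustration, and the check compares subject and issuer names only.

```shell
#!/bin/sh
# Added example: reads `openssl s_client -showcerts` output on stdin and checks
# the "Certificate chain" section. Matching is by subject/issuer name only.
# Exit status: 0 chain links up, 1 leaf only, 2 gap or wrong order, 3 no chain.
check_chain() {
  awk '
    BEGIN { n = 0 }
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; n++; next }
    END {
      if (n == 0) { print "no certificate chain in input"; exit 3 }
      for (k = 0; k + 1 < n; k++)
        if (iss[k] != subj[k + 1]) {
          printf "cert %d is not issued by cert %d: intermediate missing or out of order\n", k, k + 1
          exit 2
        }
      if (n == 1 && iss[0] != subj[0]) {
        print "only the leaf is sent; client must already hold: " iss[0]
        exit 1
      }
      printf "%d certificates sent, each issued by the next\n", n
    }'
}

# Constructed sample: gateway sends only the wildcard leaf.
LEAF_ONLY='Certificate chain
 0 s:CN = *.vpn.example.test
   i:C = XX, O = Example CA, CN = Example Issuing CA 1'

# Constructed sample: leaf plus the intermediate that issued it.
FULL_CHAIN='Certificate chain
 0 s:CN = *.vpn.example.test
   i:C = XX, O = Example CA, CN = Example Issuing CA 1
 1 s:C = XX, O = Example CA, CN = Example Issuing CA 1
   i:C = XX, O = Example CA, CN = Example Root CA'

printf '%s\n' "$LEAF_ONLY"  | check_chain || true
printf '%s\n' "$FULL_CHAIN" | check_chain || true

# Live use (vpn.example.test is a placeholder host):
#   openssl s_client -connect vpn.example.test:443 -servername vpn.example.test \
#     -showcerts </dev/null 2>/dev/null | check_chain
```

The `Verify return code` line that `s_client` prints remains the authoritative result, since it validates signatures against the local trust store; the name comparison here only catches an omitted or misordered intermediate.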