SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Using a Public CA Cert for SSL Forward Proxy

    Posted 20 days ago

    Hi all, 

    Is it possible to use a public CA cert as my Root-CA in ssl proxy configuration so I do not have to add self-signed certs to all computers downstream of the SRX?



  • 2.  RE: Using a Public CA Cert for SSL Forward Proxy

    Posted 20 days ago
    Edited by bkamen 20 days ago

    Do you mean an "official" cert signed by a CA? 

    LetsEncrypt is handled directly in JunOS after like 22.4 IIRC. 
    I have it set up for one client so Juniper Secure Connect is happy and works. But it's only valid for the SRX (because of the hostname)

    At home, I have my own server that handles LetsEncrypt and downloads wildcard certs, but I haven't taken the time to figure out pushing them to an SRX system yet. (I don't run an SRX at home.)

    So - that would be the 2 routes I'd do first. 

    LetsEncrypt is really easy to set up on Linux. Read up the docs available around the net for setting up LetsEncrypt if that's the way you want to go. 

    But are you asking about having a cert on your SRX to be the man-in-the-middle so inside clients don't complain? 

    Did you look at this?
    https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-ssl-proxy.html

      -Ben



    ------------------------------
    Ben Kamen
    ------------------------------



  • 3.  RE: Using a Public CA Cert for SSL Forward Proxy

    Posted 20 days ago

    Hi Ben, yes, I'm talking about MITM so inside clients don't complain. 

    I've used that link to configure most of it, but there's not much detail about loading an external CA for MITM use. 




  • 4.  RE: Using a Public CA Cert for SSL Forward Proxy

    Posted 19 days ago

    You're essentially looking for your SRX to act as a publicly-trusted sub-CA, with the ability to issue a certificate for any website.

    Unless you're operating at the scale of a nation state, I don't believe you're likely to be able to get the necessary certificate to do this.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 5.  RE: Using a Public CA Cert for SSL Forward Proxy

    Posted 19 days ago

    Hmm, okay so the only way to do this is with a self-signed cert, and then upload it to each computer?  I just want to confirm. 




  • 6.  RE: Using a Public CA Cert for SSL Forward Proxy

    Posted 19 days ago

    If you have an established internal certificate authority, you should get a sub-CA certificate issued for the SRX. In the absence of that, yes, you need to make computers trust the SRX self-signed MITM certificate. If you are in a Windows domain environment, you can do that with a group policy.



    ------------------------------
    Nikolay Semov
    ------------------------------
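    The PKI layout described in the reply above, as an added example that is not part of the thread and is not Juniper's own tooling: an offline internal root CA issues a sub-CA certificate for the SRX, the proxy's per-site leaf is minted under that sub-CA, and two `openssl verify` runs show that a client given the internal root accepts the leaf while a client without it rejects it (which is also why no public CA will issue such a sub-CA). The names `Example Corp`, `srx-ssl-proxy` and `www.example.com` are made up; it needs `openssl` 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the thread or Juniper). Builds an internal root CA,
# a sub-CA for the SRX SSL forward proxy (pathlen:0, so it can only sign
# end-entity certs), and one proxy-style leaf. All names are invented.
set -eu

# Create root CA, SRX sub-CA and a proxy-generated leaf under directory $1.
build_ssl_proxy_pki() {
    dir="$1"
    mkdir -p "$dir"

    # 1. Offline internal root. Its key never goes on the SRX; only root.crt
    #    is pushed to clients (for example via group policy in an AD domain).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Corp/CN=Example Internal Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    printf '%s\n' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$dir/root.ext"
    openssl x509 -req -sha256 -days 3650 -in "$dir/root.csr" \
        -signkey "$dir/root.key" -extfile "$dir/root.ext" \
        -out "$dir/root.crt" 2>/dev/null

    # 2. Sub-CA for the SRX. pathlen:0 stops the proxy key from issuing
    #    further CAs; this key and cert are what get loaded on the SRX.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Corp/CN=srx-ssl-proxy" \
        -keyout "$dir/srx-subca.key" -out "$dir/srx-subca.csr" 2>/dev/null
    printf '%s\n' \
        'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid' > "$dir/subca.ext"
    openssl x509 -req -sha256 -days 730 -in "$dir/srx-subca.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/subca.ext" -out "$dir/srx-subca.crt" 2>/dev/null

    # 3. What the proxy does per site: mint a leaf for the origin's name and
    #    sign it with the sub-CA key. Simulated here for www.example.com.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf '%s\n' \
        'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:www.example.com' \
        'authorityKeyIdentifier=keyid' > "$dir/leaf.ext"
    openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/srx-subca.crt" -CAkey "$dir/srx-subca.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
}

# A client that trusts the internal root accepts the proxy's leaf (exit 0).
verify_as_trusting_client() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/srx-subca.crt" \
        "$1/leaf.crt" >/dev/null 2>&1
}

# A client without the internal root (default trust locations disabled here)
# rejects the same leaf (non-zero exit). That is the gap the group-policy
# push closes, and why a public CA cannot sign the SRX sub-CA instead.
verify_as_untrusting_client() {
    openssl verify -no-CAfile -no-CApath -untrusted "$1/srx-subca.crt" \
        "$1/leaf.crt" >/dev/null 2>&1
}

# Demo run in a temporary directory.
work=$(mktemp -d)
build_ssl_proxy_pki "$work"
if verify_as_trusting_client "$work"; then echo "client with root: accepted"; fi
if ! verify_as_untrusting_client "$work"; then echo "client without root: rejected"; fi
rm -rf "$work"
```

    In practice the SRX does step 3 itself: the sub-CA key and certificate (or, without an internal CA, a self-signed CA certificate generated on the box) are loaded as the local certificate that the SSL proxy profile references as its root-ca, and only root.crt, never any private key, is distributed to the clients.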



  • 7.  RE: Using a Public CA Cert for SSL Forward Proxy

    Posted 19 days ago

    We do not, is that hard to set up? In your opinion, would it be worth it? 




  • 8.  RE: Using a Public CA Cert for SSL Forward Proxy

    Posted 19 days ago

    I don't think it's worth it just for this.

    If you find yourself in situations like this often, then you could consider setting up an internal Certificate Authority. Otherwise, it's just another thing to worry about and maintain.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 9.  RE: Using a Public CA Cert for SSL Forward Proxy

    Posted 19 days ago

    Thank you :)