SRX Services Gateway
Visitor
kolka_10
Posts: 8
Registered: 10-31-2009

Root CA+ OpenSSL + SRX240

Hello forum

I need your help with some clarifications. I spent all weekend trying to get it to work, and nothing helped. I searched the documentation, forums, googled...

So I have an SRX240 and want to set up PKI with certificates. I'm talking about "Digital Certificates", page 448 of "junos-security-swconfig-security.pdf":

***************************************

To use a digital certificate to authenticate your identity when establishing a secure VPN connection, you must first do the following:

Obtain a certificate authority (CA) certificate from which you intend to obtain a personal certificate, and then load the CA certificate in the device.

The CA certificate can contain a certificate revocation list (CRL) to identify invalid certificates.

Obtain a local certificate (also known as a personal certificate) from the CA whose CA certificate you have previously loaded, and then load the local certificate in the device. The local, or end-entity (EE), certificate establishes the identity of the Juniper Networks device with each tunnel connection.

***********************************

 

In simple words:

1. Get the CA root certificate ca.crt - a file

2. Get the SRX240 certificate, let's say srx240.crt - signed by the private key of the root CA, ca.key

 

 

******************************************

My steps ...

 

1. CLI to srx240

 

1.1 Run the following command to generate the private key for the certificate: "request security pki generate-key-pair certificate-id srx240 size 1024"
Output: Generated key pair srx240, key size 1024 bits

So, the private key is generated. NOTE: this is the private key corresponding to the certificate srx240.

1.2 Now let's create the ca-profile with the following: "set security pki ca-profile juniper-ca ca-identity linux-box"

OK, from here I have questions, and the documentation doesn't make it clear for me...

 

ca-profile - the root CA configuration definitions - SHOULD this box "linux-box" be reachable from the srx240? Or not? (I would like to take my linux-box offsite)

By my understanding, not - if I provide a valid CA certificate ca.crt and point that ca-profile to that ca.crt...

 

1.3 The last step is to create the certificate request for my certificate-id "srx240" with the following command: "request security pki generate-certificate-request certificate-id srx240 subject "CN=David Jons" ip-address 10.0.0.10"

OK, now we have the certificate request for srx240 and it looks like:

*****************

Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
MIIBdjCB4AIBADAVMRMwEQYDVQQDEwpEYXZpZCBKb25zMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDNtafEMaJGwjOElJX7ccRFL418d9w6BrfDzvyWrBC0VkL0
LBfoskAHY2PHU8PtVIvAqEu2ws6uwF5BESuEeY5vqVFlypa1gVlKq6Tvdmzk7UaE
BupozWO5FFfJH5bBZT3aZ2kvNcMi+eoJrnFMCuXyNFvnveMfK/jrkILvT/7UywID
AQABoCIwIAYJKoZIhvcNAQkOMRMwETAPBgNVHREECDAGhwQKAAAKMA0GCSqGSIb3
DQEBBQUAA4GBABXy8RGvze7+5/SG1M5u/o39SEvtxCFAgmg9xtwal5C1+QvYoqXs
LiYScuvRQwdSq1i9O17lW5mzXbymYhomvJb5LRroKoVy8pZeG2pVBTovbuK+pdag
qdF4qXky0FUW8cndAHp9mOdAqWWlp3+rAIS4EeLtm/ZuHx3YB0LYs0IW
-----END CERTIFICATE REQUEST-----
Fingerprint:
20:9c:8b:5a:bc:b8:10:cf:d2:17:b5:d6:79:c9:d3:25:90:ed:41:27 (sha1)
01:71:2b:33:de:5d:33:74:85:3c:b8:c6:55:5c:9d:d8 (md5)

***********************************************

Copy to the file srx240.csr from the line "-----BEGIN CERTIFICATE REQUEST-----" through the line "-----END CERTIFICATE REQUEST-----"; the rest (Fingerprint) is not interesting...

 

 

2. On the linux-box with openssl (version: 0.9.8g 19 Oct 2007) we need to create the CA private key, then the root CA certificate, then sign srx240.csr with ca.key and ca.crt

2.1 Create a new private key for the CA: "openssl genrsa -des3 -out ca.key 1024" - the file ca.key is our private key for the CA.

2.2 Create the root CA (this CA will be self-signed because it is the highest in the chain): "openssl req -new -x509 -days 3650 -key ca.key -out ca.crt". Give a strong password and answer the questions. That command will create the ca.crt (x509) certificate with a 10-year expiration.

2.3 Now we need to sign our srx240.csr with our newly created ca.key and ca.crt. Upload the file by winscp to the linux-box (in binary mode) and put it under the default ssl location /etc/ssl. Now run the command "openssl x509 -req -days 3650 -in srx240.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out srx240.crt"

2.4 Now we have the 2 files required by the documentation, ca.crt and srx240.crt. Copy them to /var/tmp on the srx240 by winscp

 

3. Now we "tell" the srx240 to load the CA certificate file ca.crt and the SIGNED local certificate srx240.crt. Let's do it

3.1 Load CA Certificate by "request security pki ca-certificate load ca-profile juniper-ca filename /var/tmp/ca.cert"

Fingerprint:
  c4:92:a9:48:c9:f2:34:64:21:e5:85:06:d5:bd:4a:38:02:53:95:4f (sha1)
  a8:1b:0f:1c:da:0e:56:f1:3f:13:89:8a:22:b9:36:fd (md5)
Do you want to load this CA certificate ? [yes,no] (no) yes

CA certificate for profile juniper-ca loaded successfully


3.2 Load the local certificate srx240.crt into the Juniper box by "request security pki local-certificate load certificate-id srx240 filename /var/tmp/srx240.crt"

local-certificate loaded successfully

 

 

Looks OK, but... "request security pki ca-certificate verify ca-profile juniper-ca"
CA certificate juniper-ca verification failed

WHY!!! The same problem with the local certificate.

What am I missing? Why do the signed certificate srx240.crt and ca.crt both fail verification??

Thanks for the help

and sorry for the long listing

Visitor
kolka_10
Posts: 8
Registered: 10-31-2009

Re: Root CA+ OpenSSL + SRX240

Looks like I found the problem: the "subjectAltName" definitions

Read this doc: "J Series / SRX Series IPSec VPN with PKI Certificates Primer"

Later I'll write up the whole procedure regarding certificates with openssl

Trusted Contributor
stine
Posts: 434
Registered: 05-05-2008

Re: Root CA+ OpenSSL + SRX240

Here is the procedure if you are using MS Certificate Services (and it assumes you know how to submit and issue a certificate using MSCS)

 

 

user@srx240-01> request security pki generate-key-pair certificate-id srx240-01 size 2048
user@srx240-01# set security pki ca-profile dc01 ca-identity MyCA revocation-check disable crl disable on-download-failure
user@srx240-01> request security pki generate-certificate-request certificate-id srx240-01 domain-name srx240-01.theodore.vaniderstine.com email netadmin@vaniderstine.com ip-address 10.54.20.1 subject DC=theodore.vaniderstine.com,CN=srx240-01.theodore.vaniderstine.com,OU=TESTING,O=MyCompany,L=Lawrenceville,ST=Georgia,C=US

copy to your CA and issue the certificate, remember to save it as base64 PEM

use scp to copy the certificate to /var/tmp/srx240-01.cer

user@srx240-01> request security pki local-certificate load certificate-id srx240-01 filename /var/tmp/srx240-01.cer
user@srx240-01> request security pki ca-certificate load ca-profile dc01 filename /var/tmp/dc01.cer

user@srx240-01# set system services web-management https pki-local-certificate srx240-01 interface ge-0/0/15.0

There are plenty of openssl tutorials (some way worse than others) on the net showing you how to build your own CA. This is one of the ones I used.

 

http://security.ncsa.uiuc.edu/research/grid-howtos/usefulopenssl.php

 

On my CA (CentOS 5.4), I used the default /etc/pki/CA hierarchy as follows:

 

directories:
/etc/pki/CA/certs contains signed certificates
/etc/pki/CA/iis contains pkcs12 certs for iis
/etc/pki/CA/keys contains server keys
/etc/pki/CA/private contains CA key and cert
/etc/pki/CA/requests contains certificate signing requests
/etc/pki/CA/scripts contains my scripts

scripts: all take the FQDN as $1
create_csr openssl req -new -key keys/$1.key -out requests/$1.csr
create_key openssl genrsa -out keys/$1.key -des3 1024
create_pkcs12 openssl pkcs12 -export -in certs/$1.cer -inkey keys/$1.key -out iis/$1.pfx
decrypt_key openssl rsa -in keys/$1.key -out keys/$1.rsa.key -text
sign_csr openssl ca -cert private/ca.crt -keyfile private/ca.key -in requests/$1.csr -out certs/$1.cer -days 1095

order of operations:
on srx, generate key-pair
on srx, generate certificate signing request

on linux, create a file in the requests directory with the same value as the CN= field (which should be the FQDN)
on linux, change to /etc/pki/CA directory
on linux, execute scripts/sign_csr [FQDN]
on linux, scp /etc/pki/CA/certs/[FQDN].cer srx240-01.theodore.vaniderstine.com:/var/tmp/srx240-01.cer

on srx, load certificate
on srx, load ca certificate
on srx, set web management

 Just remember that your browser must trust your private CA, otherwise you've just wasted 15 minutes.   If you have control of your windows GPO, or have a friendly SysAdmin, you can push your private CA as a trusted authority for IE/Firefox/etc. Especially if you are going to be using this CA to sign other webservers in your company.

 

 

 

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Trusted Contributor
stine
Posts: 434
Registered: 05-05-2008

Re: Root CA+ OpenSSL + SRX240


FYI, the syntax of the generate-certificate-request on 10.0r1.8 on an EX4200 DOES NOT accept the email tag...

 

See Kevin's post for installing SSL certs on EX's:

 

http://forums.juniper.net/t5/Ethernet-Switching/EX-SSL-Certificate/m-p/20901#M738

 

The only thing I'd do differently is use scp instead of ftp.

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Visitor
kolka_10
Posts: 8
Registered: 10-31-2009

Re: Root CA+ OpenSSL + SRX240

Stine hello

 

Unfortunately, you pointed me to how to create certificate definitions for Dynamic VPN and for the client web browser.

I'm trying to set up a very simple environment:

 

192.168.192.0/24 -->213.9.29.7 <--> INTERNET<-->62.0.107.59-->172.16.1.0/24

 

Where :

 

1. 192.168.192.0 - Private LAN behind the SRX240

2. 213.9.29.7 - IP address of the ge-0/0/0.0 interface on the SRX240

3. 62.0.107.59 - IP address of eth1 on the Ubuntu Server with the strongSwan IPsec gateway

4. 172.16.1.0 - Private LAN behind the Linux box

 

The VPN MUST use X509 Certificates !!

 

Now:

 

1. The Root CA certificate is loaded and verified in the SRX240 - this part is done (MS CA self-signed certificate; I tried also with openssl, same result)

2. The local SRX240 certificate is loaded and verified in the SRX240 - signed by the Root CA (no problem at all)

3. The same Root CA certificate is loaded into the Linux box (checked with the ipsec command - certificate accepted without any problem)

4. The Linux local certificate is loaded into Linux - certificate signed by the same Root CA and accepted by Linux without any problem

So each side has the Root CA and its own local certificate - each side verified and accepted those Root CA and local certificates

Then, when I try to bring it up with certificates, from whichever side, I get an error in the file:

/var/log/pkid :

*****************************

Dec  6 16:27:02 pkid_read_msg: message arrival
Dec  6 16:27:02 Connection params. fd=14, hdr_read=0, hdr_remnant=0payload_read=0 payload_remnant=0
Dec  6 16:27:02 fresh message conn=0x7e0e00 hdr_remnant=0 hdr_read=0
Dec  6 16:27:02 read fresh fresh message conn=0x7e0e00 hdr_remnant=0 hdr_read=12
Dec  6 16:27:02 pkid_process_find_public_key_req Find Public Key
Dec  6 16:27:02 Cannot allocate data structure to verify certificate.

Dec  6 16:27:02 pkid_auth_send_answer: conn is 7e0e00 rqst_cb is 7fe000 result is 8
Dec  6 16:27:02 pkid_rqst_cb_send: rqst_cb is 0x7fe000 rply hdr len is12 and payload len is 0
Dec  6 16:27:02 pkid_auth_send_answer: reply sent result was 0
Dec  6 16:28:13 pkid 3 seconds timer off 512 times, pid 980
Dec  6 16:28:16 checkLdapResponse
Dec  6 16:41:12 checkLdapResponse
**********************************************************

 

NOW, forum, take note!!!!

This is not a problem of IKE phase 1, because there is no error in the KMD file!!! IKE phase 1 just gets stuck... no phase 2 coming in!!!

For some reason the Juniper tries to validate the Linux local certificate and fails with this.

Some config parts:

 

root@oceannew# show security pki ca-profile open-ssl
ca-identity Root-CA;
revocation-check {
    disable;
    crl {
        disable on-download-failure;
    }
}

[edit]
root@oceannew#

 

 

**************************************************

[edit]
root@oceannew# show security ike proposal nikolay-ike-proposal
authentication-method rsa-signatures;
dh-group group2;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;

[edit]
root@oceannew# show security ike policy nikolay-ike-policy
mode main;
proposals nikolay-ike-proposal;
certificate {
    local-certificate oceannew;
    trusted-ca use-all;
    peer-certificate-type x509-signature;
}

[edit]
root@oceannew# show security ike gateway nikolay-gate
ike-policy nikolay-ike-policy;
dynamic hostname msk-gate.google.com;
external-interface ge-0/0/0.0;

[edit]
root@oceannew#

**************************************************************

 

msk-gate.google.com - is my linux box

 

 

Is there someone here from the dev team? Can you please explain why pki complains about certificate verification?

"Cannot allocate data structure to verify certificate"

What are the possible steps to debug it further than just

traceoptions flag ALL???

 

 

Ticket opened with Juniper support almost 2 weeks ago - no result...

Thanks for any help or any clue.

B.W. I'm in email conversation with Andreas Steffen, the formal father of the strongSwan project. He said:

********************************************

Hello Nikolay,

the problem is that Juniper expects strongSwan to send
its certificate[s] in CERT_PKCS7_WRAPPED_X509 format which
is quite unusual:


> 003 "juniper" #1:
>  ignoring CERT_PKCS7_WRAPPED_X509 certificate request payload


strongSwan can parse such payloads (e.g. Windows XP sends them
if there is a multi-level certificate chain) but currently cannot
construct them since there was never a need. We have full PKCS#7
functionality in our scepclient tool but it hasn't been integrated
into the pluto daemon.

***************************************************************

 

 

PSK and any other methods work fine... as well, 2 Linux boxes with the same certificates are VPNing without any problem after 5 minutes of configuration

 

 

Nikolay

 

Trusted Contributor
stine
Posts: 434
Registered: 05-05-2008

Re: Root CA+ OpenSSL + SRX240

I don't have an answer for you, all of my clients are windows boxes. 

 

I can say that the instructions I gave were for NO CRL CHECKING, so you may have to modify them if you are going to expose a CRL server (internally/externally) for certificate validation.

 

Anyone who can answer Nikolay's question is welcome to do so. :smileywink:

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Contributor
jeje-none
Posts: 21
Registered: 07-31-2009

Re: Root CA+ OpenSSL + SRX240

He gave the answer himself:

 

http://www.mail-archive.com/users@lists.strongswan.org/msg01262.html

 

any link related to this bug on juniper.net ?

Regular Visitor
JohnCobalt
Posts: 5
Registered: 10-13-2009

Re: Root CA+ OpenSSL + SRX240

Hello,

 

I'm going through the same pain in configuring a site-to-site IPsec VPN using rsa-signatures/certificates between an SRX240-HM (10.0R2.10) and an MX (9.5R4.3) with a MultiServices DPC. The CA and certificates have been produced with openssl 0.9.8b. I've come across the same 'CA certificate verification failed' message when querying the SRX to verify them.

 

admin@srx240> request security pki ca-certificate verify ca-profile MyCa

CA certificate MyCa verification failed

 

The MX does not show the 'verify' command as on SRX. The following command shows the certificate cache:

 

admin@mx> show services ipsec-vpn certificates

Service set: SSET1, Total entries: 3
  Certificate cache entry: 12
    Flags: Non-root Not trusted << This is the self-signed certificate for my own CA
    Issued to: Test Certification Authority, Issued by: Test Certification Authority
    Alternate subject: jon@company.com
    Validity:
      Not before: 2010 Mar 23rd, 12:10:35 GMT
      Not after: 2013 Mar 22nd, 12:10:35 GMT

  Certificate cache entry: 11
    Flags: Non-root Not trusted
    Issued to: srx240.company.com, Issued by: Test Certification Authority
    Validity:
      Not before: 2010 Mar 24th, 16:58:19 GMT
      Not after: 2011 Mar 24th, 16:58:19 GMT

  Certificate cache entry: 10
    Flags: Non-root Not trusted
    Issued to: mx.company.com, Issued by: Test Certification Authority
    Validity:
      Not before: 2010 Mar 24th, 16:48:42 GMT
      Not after: 2011 Mar 24th, 16:48:42 GMT

 

admin@mx> show security pki ca-certificate detail
Certificate identifier: MyCA
  Certificate version: 3
  Issuer:
    Organization: Company, Organizational unit: Test Department,
    Country: GB, Common name: Test Certification Authority
  Subject:
    Organization: Company, Organizational unit: Test Department,
    Country: GB, Locality: London, Common name: Test Certification Authority
  Validity:
    Not before: 2010 Mar 26th, 11:07:21 GMT
    Not after: 2011 Mar 26th, 11:07:21 GMT
  Public key algorithm: rsaEncryption(1024 bits)
    d4:08:d0:51:82:bb:d6:0a:5c:7a:c6:80:f1:01:93:c5:1f:14:70:e7
    de:20:b9:b2:44:c4:44:00:ee:bc:34:a8:4a:6e:3e:32:08:db:70:c9
    64:d0:b5:68:ea:9d:e2:7f:03:4f:1b:94:3e:8d:5c:40:66:e0:c9:25
    b5:fc:7f:c7:64:1c:a1:b7:3e:3d:d5:de:50:b8:cc:45:bb:e7:be:a8
    88:96:0e:3b:98:63:dc:25:4e:28:87:47:6b:eb:ff:71:cd:a2:66:d2
    3e:e0:30:dc:ef:89:70:29:ad:cf:dd:3f:57:12:23:42:3a:ae:34:46
    49:5a:ca:51:2d:cc:99:e3
  Signature algorithm: sha1WithRSAEncryption
  Fingerprint:
    bc:76:e2:c5:a2:28:c0:ec:0d:2e:2c:89:72:9a:d8:51:97:6c:b4:90 (sha1)
    f2:0c:92:06:80:03:aa:bb:ad:e8:67:64:9f:4c:ce:87 (md5)
  Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

 

The x509v3 extensions for the self-signed CA certificate are:

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

basicConstraints = CA:true

keyUsage = cRLSign, keyCertSign, keyEncipherment, digitalSignature << tried adding all these in the end

nsCertType = sslCA, emailCA, objsign

 

The Security Configuration Guide says (Release 9.6, page 440): "The CA server can be owned and operated by an independent CA or by your own organization, in which case you become your own CA. [..] Note: The following CAs are supported: Entrust, Microsoft, and Verisign."

 

I exported an Entrust's CA certificate chain from my browser and loaded into the SRX as a ca-certificate. Verification process works in this case:

 

admin@srx240> ...-profile MyCa filename entrust.p7c        
Fingerprint:
  89:39:57:6e:17:8d:f7:05:78:0f:cc:5e:c8:4f:84:f6:25:3a:48:93 (sha1)
  9d:66:6a:cc:ff:d5:f5:43:b4:bf:8c:16:d1:2b:a8:99 (md5)
Do you want to load this CA certificate ? [yes,no] (no) yes

CA certificate for profile MyCa loaded successfully

admin@srx240> ...-certificate verify ca-profile MyCa         
CA certificate MyCa verified successfully

admin@srx240> ...rtificate ca-profile MyCa detail           
Certificate identifier: MyCa
  Certificate version: 3
  Serial number: 389b113c
  Issuer:
    Organization: Entrust.net, Organizational unit: www.entrust.net,
    Common name: Entrust.net Secure Server Certification Authority
  Subject:
    Organization: Entrust.net, Organizational unit: www.entrust.net,
    Common name: Entrust.net Secure Server Certification Authority
  Validity:
    Not before: 02- 4-2000 17:20
    Not after: 02- 4-2020 17:50
  Public key algorithm: rsaEncryption(1024 bits)
    30:81:89:02:81:81:00:c7:c1:5f:4e:71:f1:ce:f0:60:86:0f:d2:58
    7f:d3:33:97:2d:17:a2:75:30:b5:96:64:26:2f:68:c3:44:ab:a8:75
    e6:00:67:34:57:9e:65:c7:22:9b:73:e6:d3:dd:08:0e:37:55:aa:25
    46:81:6c:bd:fe:a8:f6:75:57:57:8c:90:6c:4a:c3:3e:8b:4b:43:0a
    c9:11:56:9a:9a:27:22:99:cf:55:9e:61:d9:02:e2:7c:b6:7c:38:07
    dc:e3:7f:4f:9a:b9:03:41:80:b6:75:67:13:0b:9f:e8:57:36:c8:5d
    00:36:de:66:14:da:6e:76:1f:4f:37:8c:82:13:89:02:03:01:00:01
  Signature algorithm: md5WithRSAEncryption
  Distribution CRL:
    /O=Entrust.net/OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.)/OU=(c) 2000 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority/CN=CRL1
  Use for key: CRL signing, Certificate signing
  Fingerprint:
    89:39:57:6e:17:8d:f7:05:78:0f:cc:5e:c8:4f:84:f6:25:3a:48:93 (sha1)
    9d:66:6a:cc:ff:d5:f5:43:b4:bf:8c:16:d1:2b:a8:99 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

 

I've checked the openssl config file and tried to find out whether attributes may be different/missing. The basicConstraints and keyUsage should be enough (at least for the self-signed CA cert), but I have a feeling that the only CAs permitted are official ones (mentioned above).

 

IKE negotiation fails with an authentication error message (IKE code 24). The subjectAltName for the local certificates had the IP address (in case of the MX), and the full hostname (in case of the SRX), and these were used as local-id on their configuration. But I can't make sure this bit is right if the routers do not 'trust' my own ca-certificate.

 

John
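The OpenSSL procedure from the first post (create the CA, sign the SRX CSR with "openssl x509 -req") and the x509v3 extension list in John's post above can both be exercised offline with the script below. It is an added example, not code from the thread, from Juniper or from the OpenSSL project. It builds a throwaway lab root CA carrying basicConstraints CA:TRUE and keyUsage keyCertSign, creates a stand-in for the SRX-generated CSR that carries the IP subjectAltName 10.0.0.10 (the address used in the first post's request), and then signs that CSR twice: once exactly as in step 2.3 and once with an -extfile section. "openssl x509 -req" does not copy the extensions that are inside the CSR, so the first certificate ends up without a subjectAltName, which is the kind of problem the "subjectAltName definitions" follow-up points at; the second keeps it. The "Lab Root CA" name, the CN "srx240" and the temporary directory are constructed for the example, and nothing here asserts what Junos itself checks during "ca-certificate verify"; the script only checks what a standard verifier needs (CA:TRUE, Certificate Sign, a chain to the CA, and the SAN).

```shell
#!/bin/sh
# Added example: lab CA with OpenSSL, CSR with IP SAN, two signings and checks.
# Names, subjects and the temp directory are constructed; 10.0.0.10 is the
# address from the thread's own certificate request.

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# One config file serves the CA, the CSR and the leaf extension section.
write_config() {
    cat > "$1/lab.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
[ req_san ]
subjectAltName = IP:10.0.0.10
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = IP:10.0.0.10
EOF
}

# Self-signed root CA with the v3_ca extensions (what step 2.2 produces, made explicit).
make_ca() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 3650 -key "$1/ca.key" -out "$1/ca.crt" \
        -subj "/O=Lab/CN=Lab Root CA" -config "$1/lab.cnf" -extensions v3_ca 2>/dev/null
}

# Stand-in for the CSR the SRX generates: key pair plus a request carrying the IP SAN.
make_device_csr() {
    openssl genrsa -out "$1/srx240.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/srx240.key" -out "$1/srx240.csr" \
        -subj "/CN=srx240" -config "$1/lab.cnf" -reqexts req_san 2>/dev/null
}

# Signing exactly as in step 2.3: no -extfile, so the CSR's SAN is not carried over.
sign_plain() {
    openssl x509 -req -days 365 -in "$1/srx240.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/srx240-plain.crt" 2>/dev/null
}

# Signing with the v3_leaf section so the SAN and key-usage extensions are present.
sign_with_extensions() {
    openssl x509 -req -days 365 -in "$1/srx240.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/srx240.crt" -extfile "$1/lab.cnf" -extensions v3_leaf 2>/dev/null
}

# Returns 0 when certificate $1 carries subjectAltName IP 10.0.0.10.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' | grep -q '10\.0\.0\.10'
}

# Returns 0 when CA certificate $1 has CA:TRUE and the Certificate Sign key usage.
ca_extensions_ok() {
    txt=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$txt" | grep -q 'CA:TRUE' && printf '%s\n' "$txt" | grep -q 'Certificate Sign'
}

# Returns 0 when $2 (inside lab dir $1) chains to the lab CA.
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

build_lab() {
    write_config "$1" && make_ca "$1" && make_device_csr "$1" &&
    sign_plain "$1" && sign_with_extensions "$1"
}

LAB=$(mktemp -d)
build_lab "$LAB" || { echo "lab build failed" >&2; exit 1; }
echo "lab files in $LAB"
for f in srx240-plain.crt srx240.crt; do
    if cert_has_san "$LAB/$f"; then s="SAN present"; else s="SAN missing"; fi
    if chain_ok "$LAB" "$f"; then c="chains to CA"; else c="does not chain"; fi
    echo "$f: $s, $c"
done
```

Run it with sh; it prints the lab directory and, for each signed certificate, whether the subjectAltName survived and whether it verifies against the lab CA. Both certificates chain correctly, which is why a plain "openssl verify" does not reveal the missing SAN; inspecting the extensions with "openssl x509 -text" before loading a certificate on the SRX is the check that does.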

 

Trusted Contributor
stine
Posts: 434
Registered: 05-05-2008

Re: Root CA+ OpenSSL + SRX240

I don't have an answer.  I'm currently trying to convert my srx-to-ns50 vpn from pre-shared-keys to certificates, and I've been working on it for almost 9 hours today....

If I figure it out, I'll post it.  And if someone else sends me a link (I have a query posted to the ScreenOS forum), I'll link to it here.

 

 

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.