Contributor
adaviel
Posts: 21
Registered: ‎05-10-2012
0
Accepted Solution

Junos Pulse gives security warning for RapidSSL certificate

We have a MAG-SM160 version 7.1R1

I installed a commercial certificate from RapidSSL and associated it with the external cluster address. Firefox is happy. But when I connect with Junos Pulse, it gives a security alert saying that the site is untrusted.

I can make the warning go away by installing the RapidSSL certificate in the Java keystore on the client, in addition to the preinstalled Global Trust CA parent certificate.

This isn't a good solution for external users. Is this a known problem with Oracle Java, that I need to get a non-chained certificate instead?

http://wiki.zimbra.com/index.php?title=Installing_a_RapidSSL_Commercial_Certificate

Moderator
AJA
Posts: 130
Registered: ‎05-07-2010
0

Re: Junos Pulse gives security warning for RapidSSL certificate

I think - KB22625 should help you on this as I believe you must be seeing the same problem.

Please mark this post as 'accepted solution' if this answers your question; that way it might help others as well. A kudo would be a bonus, thanks.

Contributor
adaviel
Posts: 21
Registered: ‎05-10-2012
0

Re: Junos Pulse gives security warning for RapidSSL certificate

No, that is a different issue, where the client is using a certificate for authentication.

The issue I have is "cosmetic" only - the user can click "always trust this certificate". As a security officer I deprecate that, and besides, it's annoying to have paid for a commercial certificate that offers no advantage over a free one from our own CA.

Super Contributor
Kita
Posts: 458
Registered: ‎12-23-2010
0

Re: Junos Pulse gives security warning for RapidSSL certificate

Hello adaviel,

It sounds like the intermediate files were not installed correctly on the web server. Since Firefox has a separate certificate store, it may be possible the intermediate already exists or could be validating a different chain which is missing from the Windows certificate store.

Could you provide the URL where the SSL certificate is installed? I can run a few tests.

Kris

Contributor
adaviel
Posts: 21
Registered: ‎05-10-2012
0

Re: Junos Pulse gives security warning for RapidSSL certificate

I don't quite follow you.

I generated a CSR on the MAG, then sent that to RapidSSL. They provided a certificate, which I imported into the MAG (which is a webserver now with a key and a certificate).

In both Firefox and Java on the client computer, the Global Trust CA root certificate is installed by default as a trusted authority. In Firefox, that is sufficient to validate the MAG webserver. In Junos Pulse, using the Java SSL library, it is not. I have to manually install, on each client system, the intermediate RapidSSL certificate into the Java keystore.

If you mean can I give you the URL to our MAG appliance, yes, but I would rather not do so on a public forum.

Is there a private message ability in these forums? Else I'll just give my email.

Super Contributor
Kita
Posts: 458
Registered: ‎12-23-2010

Re: Junos Pulse gives security warning for RapidSSL certificate

I believe that is the step you are missing then. You need to install the intermediate CA to the SA or MAG after installing the SSL certificate you received from RapidSSL. If they are missing from the SA, it will assume the browser has all of the certificates needed to validate the certificate chain.

If you click on the mail icon at the top, you can compose an email to me or you can send it directly to kkitajima@juniper.net.

Contributor
adaviel
Posts: 21
Registered: ‎05-10-2012
0

Re: Junos Pulse gives security warning for RapidSSL certificate

I think that's nailed it, thanks. Hard to tell as I need to manually remove the RapidSSL cert from the Java keystore and then reconnect, which is like proving a negative. I should try from a different fresh client.

I will mark this as resolved, in any case.

For the benefit of anyone else reading this thread, the solution seems to be to download the RapidSSL certificate bundle from https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle... and install it as a custom intermediate CA on the MAG certificates configuration page.
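
The failure and the fix discussed in this thread can be reproduced offline. The script below is an added example, not part of the original posts: it builds a constructed root, intermediate and server certificate, then validates the server certificate the way a client that trusts only the root would, first without and then with the intermediate supplied by the server. It assumes the `openssl` command line tool (1.1.1 or later); all certificate names, file names and function names are made up for the illustration.

```bash
#!/usr/bin/env bash
# Constructed three-tier PKI (every name is made up): root -> intermediate -> server.

issue() {  # $1 dir, $2 file stem, $3 CN, $4 issuer stem, $5 extension section
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -set_serial 1 -days 30 -extfile "$1/pki.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

build_chain() {  # $1 = empty working directory
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # Root CA: self-signed, and the only certificate in the client's trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/pki.cnf" \
    -extensions v3_ca -subj "/CN=Constructed Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
  issue "$1" int "Constructed Intermediate CA" root v3_ca || return 1
  issue "$1" leaf "vpn.example.test" int v3_leaf
}

# The client trusts only the root. -untrusted carries what the server sends
# along with its own certificate, i.e. the intermediate uploaded to the appliance.
client_verifies() {  # $1 dir, $2 = leaf-only | with-intermediate
  if [ "$2" = with-intermediate ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem"
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
  fi >/dev/null 2>&1
}

demo() {
  local d mode
  d=$(mktemp -d) && build_chain "$d" || { echo "openssl setup failed"; return 1; }
  for mode in leaf-only with-intermediate; do
    if client_verifies "$d" "$mode"; then echo "$mode: chain validates"
    else echo "$mode: untrusted (issuer of server certificate not found)"; fi
  done
  rm -rf "$d"
}
demo
```

A client that already holds the intermediate locally validates the leaf-only case as well, which is why a warning of this kind can appear in one client and not in another on the same machine.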

Moderator
zanyterp
Posts: 2,300
Registered: ‎11-19-2007
0

Re: Junos Pulse gives security warning for RapidSSL certificate

Thank you for the information on another SSL certificate vendor that requires custom intermediary upload (VeriSign has been known as a tiered environment for some time; I think Thawte as well).
