SRX Services Gateway

Root CA+ OpenSSL + SRX240

10-31-2009 01:36 PM

Hello forum

I need your help with some clarifications. I spent all weekend trying to get it to work, and nothing helps. I searched the documentation, forums, googled ...

So I have an SRX240 and want to set up PKI with certificates. I'm talking about "Digital Certificates", page 448 of "junos-security-swconfig-security.pdf":



To use a digital certificate to authenticate your identity when establishing a secure
VPN connection, you must first do the following:

Obtain a certificate authority (CA) certificate from which you intend to obtain a
personal certificate, and then load the CA certificate in the device.
The CA certificate can contain a certificate revocation list (CRL) to identify invalid

Obtain a local certificate (also known as a personal certificate) from the CA whose
CA certificate you have previously loaded, and then load the local certificate in
the device. The local, or end-entity (EE), certificate establishes the identity of the
Juniper Networks device with each tunnel connection.



In simple words:

1. Get the CA root certificate, file ca.crt

2. Get the SRX240 certificate, let's say srx240.crt, which is signed by the private key of the CA root, ca.key




My steps ...


1. CLI on srx240

1.1 Run the following command to generate the private key for the certificate: "request security pki generate-key-pair certificate-id srx240 size 1024"
Output: Generated key pair srx240, key size 1024 bits

So, the private key is generated. NOTE: this is the private key corresponding to certificate srx240.

1.2 Now let's create the ca-profile with: "set security pki ca-profile juniper-ca ca-identity linux-box"

OK, from here I have questions, and the documentation doesn't make it clear for me ..

ca-profile - the root CA configuration definitions - SHOULD this box "linux-box" be reachable from srx240 for connectivity? Or not? (I would like to keep my linux-box offsite)

By my understanding not, if I provide a valid CA certificate ca.crt and point that ca-profile to that ca.crt ...


1.3 The last step is to create a certificate request for my certificate-id "srx240" with the following command: "request security pki generate-certificate-request certificate-id srx240 subject "CN=David Jons" ip-address"

OK, now we have the certificate request for srx240 and it looks like:


Generated certificate request
20:9c:8b:5a:bc:b8:10:cf:d2:17:b5:d6:79:c9:d3:25:90:ed:41:27 (sha1)
01:71:2b:33:de:5d:33:74:85:3c:b8:c6:55:5c:9d:d8 (md5)


Copy to file srx240.csr from the line "-----BEGIN CERTIFICATE REQUEST-----" till the line "-----END CERTIFICATE REQUEST-----"; the rest (fingerprints) is not interesting ...



2. On the linux-box with openssl (version: 0.9.8g 19 Oct 2007) we need to create the CA private key, then the CA root certificate, then sign srx240.csr with ca.key and ca.crt

2.1 Create a new private key for the CA: "openssl genrsa -des3 -out ca.key 1024" - the file ca.key is our CA private key.

2.2 Create the root CA (this CA will be self-signed because it is the highest in the chain): "openssl req -new -x509 -days 3650 -key ca.key -out ca.crt" Give a strong password and answer the questions. That command will create the ca.crt (x509) certificate with a 10-year expiration.

2.3 Now we need to sign our srx240.csr with our newly created ca.key and ca.crt. Upload the file by WinSCP to the linux-box (in binary mode) and put it under the default ssl location /etc/ssl. Now run: "openssl x509 -req -days 3650 -in srx240.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out srx240.crt"

2.4 Now we have the 2 files required by the documentation, ca.crt and srx240.crt. Copy them to /var/tmp on srx240 by WinSCP


3. Now we "tell" srx240 to load the CA certificate file ca.crt and the SIGNED local certificate srx240.crt. Let's do it

3.1 Load the CA certificate with "request security pki ca-certificate load ca-profile juniper-ca filename /var/tmp/ca.cert"

  c4:92:a9:48:c9:f2:34:64:21:e5:85:06:d5:bd:4a:38:02:53:95:4f (sha1)
  a8:1b:0f:1c:da:0e:56:f1:3f:13:89:8a:22:b9:36:fd (md5)
Do you want to load this CA certificate ? [yes,no] (no) yes

CA certificate for profile juniper-ca loaded successfully

3.2 Load the local certificate srx240.crt into the Juniper box with "request security pki local-certificate load certificate-id srx240 filename /var/tmp/srx240.crt"

local-certificate loaded successfully



Looks OK, but ... "request security pki ca-certificate verify ca-profile juniper-ca"
CA certificate juniper-ca verification failed

WHY!!! The same problem with the local certificate.

What am I missing? Why do the signed certificate srx240.crt and ca.crt both fail verification??

Thanks for the help,

and sorry for the long listing


Re: Root CA+ OpenSSL + SRX240

11-01-2009 05:30 AM

Looks like I found the problem: the "subjectAltName" definitions

Read this doc: "J Series / SRX Series IPSec VPN with PKI Certificates Primer"

Later I'll write up the whole procedure regarding certificates on openssl


Re: Root CA+ OpenSSL + SRX240

11-22-2009 04:02 AM

Here is the procedure if you are using MS Certificate Services (it assumes you know how to submit and issue a certificate using MSCS):



user@srx240-01> request security pki generate-key-pair certificate-id srx240-01 size 2048
user@srx240-01# set security pki ca-profile dc01 ca-identity MyCA revocation-check disable crl disable on-download-failure
user@srx240-01> request security pki generate-certificate-request certificate-id srx240-01 domain-name email ip-address subject,,OU=TESTING,O=MyCompany,L=Lawrenceville,ST=Georgia,C=US

Copy to your CA and issue the certificate; remember to save it as base64 PEM.

Use scp to copy the certificate to /var/tmp/srx240-01.cer

user@srx240-01> request security pki local-certificate load certificate-id srx240-01 filename /var/tmp/srx240-01.cer
user@srx240-01> request security pki ca-certificate load ca-profile dc01 filename /var/tmp/dc01.cer

user@srx240-01# set system services web-management https pki-local-certificate srx240-01 interface ge-0/0/15.0

There are plenty of openssl tutorials (some way worse than others) on the net showing you how to build your own CA. This is one of the ones I used.


On my CA (CentOS 5.4), I used the default /etc/pki/CA hierarchy as follows:


/etc/pki/CA/certs contains signed certificates
/etc/pki/CA/iis contains pkcs12 certs for iis
/etc/pki/CA/keys contains server keys
/etc/pki/CA/private contains CA key and cert
/etc/pki/CA/requests contains certificate signing requests
/etc/pki/CA/scripts contains my scripts

scripts: all take the FQDN as $1
create_csr openssl req -new -key keys/$1.key -out requests/$1.csr
create_key openssl genrsa -out keys/$1.key -des3 1024
create_pkcs12 openssl pkcs12 -export -in certs/$1.cer -inkey keys/$1.key -out iis/$1.pfx
decrypt_key openssl rsa -in keys/$1.key -out keys/$1.rsa.key -text
sign_csr openssl ca -cert private/ca.crt -keyfile private/ca.key -in requests/$1.csr -out certs/$1.cer -days 1095

order of operations:
on srx, generate key-pair
on srx, generate certificate signing request

on linux, create a file in the requests directory with the same value as the CN= field (which should be the FQDN)
on linux, change to /etc/pki/CA directory
on linux, execute scripts/sign_csr [FQDN]
on linux, scp /etc/pki/CA/certs/[FQDN].cer

on srx, load certificate
on srx, load ca certificate
on srx, set web management

Just remember that your browser must trust your private CA, otherwise you've just wasted 15 minutes. If you have control of your Windows GPO, or have a friendly SysAdmin, you can push your private CA as a trusted authority for IE/Firefox/etc. Especially if you are going to be using this CA to sign other webservers in your company.




Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)

Re: Root CA+ OpenSSL + SRX240

12-03-2009 09:02 AM

FYI, the syntax of the generate-certificate-request on 10.0r1.8 on an EX4200 DOES NOT accept the email tag...


See Kevin's post for installing SSL certs on EX's:


The only thing I'd do differently is use scp instead of ftp.

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)

Re: Root CA+ OpenSSL + SRX240

12-06-2009 06:53 AM

Stine hello

Unfortunately, you pointed me to how to create certificate definitions for Dynamic VPN and for the client web browser.

I'm trying to set up a very simple environment: --> <--> INTERNET<-->>

Where:

1. - Private LAN behind the SRX240

2. - IP address for the ge-0/0/0.0 interface on the SRX240

3. - IP address for eth1 on the Ubuntu Server with the strongSwan IPsec gateway

4. - Private LAN behind the Linux box

The VPN MUST use X509 certificates!!




1. The Root CA certificate loaded and verified on the SRX240 - this part is done (MS CA self-signed certificate; I tried also with openssl, same result)

2. Local SRX240 certificate loaded and verified on the SRX240 - signed by the Root CA (no problem at all)

3. The same Root CA certificate loaded into the Linux box (checked by the ipsec command - certificate accepted without any problem)

4. The Linux local certificate loaded into Linux - certificate signed by the same Root CA and accepted by Linux without any problem

So each side has the Root CA and its own local certificate - each side has verified and accepted those Root CA and local certificates

Then, whenever I try to bring it up with certificates, from whichever side, I get this error in the file:

/var/log/pkid :


Dec  6 16:27:02 pkid_read_msg: message arrival
Dec  6 16:27:02 Connection params. fd=14, hdr_read=0, hdr_remnant=0payload_read=0 payload_remnant=0
Dec  6 16:27:02 fresh message conn=0x7e0e00 hdr_remnant=0 hdr_read=0
Dec  6 16:27:02 read fresh fresh message conn=0x7e0e00 hdr_remnant=0 hdr_read=12
Dec  6 16:27:02 pkid_process_find_public_key_req Find Public Key
Dec  6 16:27:02 Cannot allocate data structure to verify certificate.

Dec  6 16:27:02 pkid_auth_send_answer: conn is 7e0e00 rqst_cb is 7fe000 result is 8
Dec  6 16:27:02 pkid_rqst_cb_send: rqst_cb is 0x7fe000 rply hdr len is12 and payload len is 0
Dec  6 16:27:02 pkid_auth_send_answer: reply sent result was 0
Dec  6 16:28:13 pkid 3 seconds timer off 512 times, pid 980
Dec  6 16:28:16 checkLdapResponse
Dec  6 16:41:12 checkLdapResponse


NOW Forum, take note!!!!

This is not a problem of IKE phase-1 - because there is no error in the KMD file!!! The IKE phase-1 just gets stuck .... no phase-2 coming in!!!

For some reason Juniper tries to validate the Linux local certificate and fails with this

Some config parts:


root@oceannew# show security pki ca-profile open-ssl
ca-identity Root-CA;
revocation-check {
    crl {
        disable on-download-failure;





root@oceannew# show security ike proposal nikolay-ike-proposal
authentication-method rsa-signatures;
dh-group group2;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;

root@oceannew# show security ike policy nikolay-ike-policy
mode main;
proposals nikolay-ike-proposal;
certificate {
    local-certificate oceannew;
    trusted-ca use-all;
    peer-certificate-type x509-signature;

root@oceannew# show security ike gateway nikolay-gate
ike-policy nikolay-ike-policy;
dynamic hostname;
external-interface ge-0/0/0.0;


************************************************************** - is my linux box



Is there someone from the dev team here?? Can you explain please why pki complains on certificate verification?

"Cannot allocate data structure to verify certificate"

What are the possible steps to debug it more than just

traceoptions flag ALL???

Ticket opened with Juniper support almost 2 weeks ago - no result ...

Thanks for any help or any clue.

BTW, I'm in email conversation with Andreas Steffen - the formal father of the strongSwan project - he said:


Hello Nikolay,

the problem is that Juniper expects strongSwan to send
its certificate[s] in CERT_PKCS7_WRAPPED_X509 format which
is quite unusual:

> 003 "juniper" #1:
>  ignoring CERT_PKCS7_WRAPPED_X509 certificate request payload

strongSwan can parse such payloads (e.g. Windows XP sends them
if there is a multi-level certificate chain) but currently cannot
construct them since there was never a need. We have full PKCS#7
functionality in our scepclient tool but it hasn't been integrated
into the pluto daemon.




The PSK and any other methods work fine; 2 Linux boxes with the same certificates VPN without any problem after 5 minutes of configuration






Re: Root CA+ OpenSSL + SRX240

12-07-2009 04:11 AM

I don't have an answer for you, all of my clients are Windows boxes.


I can say that the instructions I gave were for NO CRL CHECKING, so you may have to modify them if you are going to expose a CRL server (internally/externally) for certificate validation.


Anyone who can answer Nicolay's question is welcome to do so. ;)

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)

Re: Root CA+ OpenSSL + SRX240

02-04-2010 08:11 AM

He gave the answer himself:


any link related to this bug on ?


Re: Root CA+ OpenSSL + SRX240

03-26-2010 07:46 AM



I'm going through the same pain in configuring a site-to-site IPsec VPN using rsa-signatures/certificates between an SRX240-HM (10.0R2.10) and an MX (9.5R4.3) with MultiServices DPC. CA and certificates have been produced with openssl 0.9.8b. I've come across the same 'CA certificate verification failed' message when querying the SRX to verify them.


admin@srx240> request security pki ca-certificate verify ca-profile MyCa

CA certificate MyCa verification failed


The MX does not show the 'verify' command as on SRX. The following command shows the certificate cache:


admin@mx> show services ipsec-vpn certificates

Service set: SSET1, Total entries: 3
  Certificate cache entry: 12
    Flags: Non-root Not trusted << This is the self-signed certificate for my own CA
    Issued to: Test Certification Authority, Issued by: Test Certification Authority
    Alternate subject:
      Not before: 2010 Mar 23rd, 12:10:35 GMT
      Not after: 2013 Mar 22nd, 12:10:35 GMT

  Certificate cache entry: 11
    Flags: Non-root Not trusted
    Issued to:, Issued by: Test Certification Authority
      Not before: 2010 Mar 24th, 16:58:19 GMT
      Not after: 2011 Mar 24th, 16:58:19 GMT

  Certificate cache entry: 10
    Flags: Non-root Not trusted
    Issued to:, Issued by: Test Certification Authority
      Not before: 2010 Mar 24th, 16:48:42 GMT
      Not after: 2011 Mar 24th, 16:48:42 GMT


admin@mx> show security pki ca-certificate detail
Certificate identifier: MyCA
  Certificate version: 3
    Organization: Company, Organizational unit: Test Department,
    Country: GB, Common name: Test Certification Authority
    Organization: Company, Organizational unit: Test Department,
    Country: GB, Locality: London, Common name: Test Certification Authority
    Not before: 2010 Mar 26th, 11:07:21 GMT
    Not after: 2011 Mar 26th, 11:07:21 GMT
  Public key algorithm: rsaEncryption(1024 bits)
  Signature algorithm: sha1WithRSAEncryption
    bc:76:e2:c5:a2:28:c0:ec:0d:2e:2c:89:72:9a:d8:51:97:6c:b4:90 (sha1)
    f2:0c:92:06:80:03:aa:bb:ad:e8:67:64:9f:4c:ce:87 (md5)
  Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
    Status: Disabled
    Next trigger time: Timer not started


- x509v3 extensions for the self-signed CA certificate are:



basicConstraints = CA:true

keyUsage = cRLSign, keyCertSign, keyEncipherment, digitalSignature << tried adding all these in the end

nsCertType = sslCA, emailCA, objsign


The Security Configuration Guide says (Release 9.6, page 440): "The CA server can be owned and operated by an independent CA or by your own organization, in which case you become your own CA. [..] Note: The following CAs are supported: Entrust, Microsoft, and Verisign."


I exported an Entrust's CA certificate chain from my browser and loaded into the SRX as a ca-certificate. Verification process works in this case:


admin@srx240> ...-profile MyCa filename entrust.p7c        
  89:39:57:6e:17:8d:f7:05:78:0f:cc:5e:c8:4f:84:f6:25:3a:48:93 (sha1)
  9d:66:6a:cc:ff:d5:f5:43:b4:bf:8c:16:d1:2b:a8:99 (md5)
Do you want to load this CA certificate ? [yes,no] (no) yes

CA certificate for profile MyCa loaded successfully

admin@srx240> ...-certificate verify ca-profile MyCa         
CA certificate MyCa verified successfully

admin@srx240> ...rtificate ca-profile MyCa detail           
Certificate identifier: MyCa
  Certificate version: 3
  Serial number: 389b113c
    Organization:, Organizational unit:,
    Common name: Secure Server Certification Authority
    Organization:, Organizational unit:,
    Common name: Secure Server Certification Authority
    Not before: 02- 4-2000 17:20
    Not after: 02- 4-2020 17:50
  Public key algorithm: rsaEncryption(1024 bits)
  Signature algorithm: md5WithRSAEncryption
  Distribution CRL:
    / incorp. by ref. (limits liab.)/OU=(c) 2000 Limited/ Secure Server Certification Authority/CN=CRL1
  Use for key: CRL signing, Certificate signing
    89:39:57:6e:17:8d:f7:05:78:0f:cc:5e:c8:4f:84:f6:25:3a:48:93 (sha1)
    9d:66:6a:cc:ff:d5:f5:43:b4:bf:8c:16:d1:2b:a8:99 (md5)
    Status: Disabled
    Next trigger time: Timer not started


I've checked the openssl config file and tried to find out whether attributes may be different/missing. The basicConstraints and keyUsage should be enough (at least for the self-signed CA cert), but I have a feeling that the only CAs permitted are official ones (mentioned above).


IKE negotiation fails with an authentication error message (IKE code 24). The subjectAltName for the local certificates had the IP address (in case of the MX), and the full hostname (in case of the SRX), and these were used as local-id on their configuration. But I can't make sure this bit is right if the routers do not 'trust' my own ca-certificate.
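The two things this thread keeps circling back to, the x509v3 extensions on the self-signed CA certificate (this post) and the subjectAltName that has to survive into the signed local certificate (the 11-01-2009 follow-up), can both be checked on the Linux box before anything is loaded on the router. The script below is an added example, not code from the thread or from Juniper; it assumes openssl is on PATH, and the file names, subjects and the 192.0.2.1 address are placeholders. One caveat it also demonstrates: "openssl x509 -req" as used in step 2.3 above does not copy extensions from the CSR, so a SAN the SRX asked for is silently dropped unless it is supplied again via -extfile.

```shell
#!/bin/sh
# Added example, not code from the thread: a private CA with explicit x509v3
# extensions, an SRX certificate that keeps its subjectAltName, and a chain
# check run on the Linux box before anything is loaded on the SRX.
# Assumes openssl on PATH; names and the 192.0.2.1 address are placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/ca.cnf"
write_config() {
    cat > "$CNF" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_srx]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:srx240.example.net, IP:192.0.2.1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}
build_ca() {
    # Demo key is unencrypted; the -des3 passphrase from the thread is right for a real CA key.
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$WORK/ca.key" -config "$CNF" \
        -subj "/O=Example/CN=Example Root CA" -out "$WORK/ca.crt"
}
make_csr() {
    # Stand-in for the CSR the SRX prints after generate-certificate-request.
    openssl genrsa -out "$WORK/srx240.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/srx240.key" -config "$CNF" \
        -subj "/O=Example/CN=srx240.example.net" -out "$WORK/srx240.csr"
}
# sign_csr <output file> [extension section]. Without -extfile, "x509 -req"
# copies no extensions from the CSR, so any requested SAN is silently lost.
sign_csr() {
    ext=""; [ -n "$2" ] && ext="-extfile $CNF -extensions $2"
    openssl x509 -req -days 1095 -in "$WORK/srx240.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1" $ext 2>/dev/null
}
# Chain check: succeeds only if the leaf validates against ca.crt.
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1" | grep -q ': OK$'; }
# SAN check: succeeds if the IP the IKE peer identifies itself with is present.
has_ip_san() { openssl x509 -in "$WORK/$1" -noout -text | grep -q 'IP Address:192.0.2.1'; }
write_config; build_ca; make_csr
sign_csr srx240.crt v3_srx        # what the SRX should be given
sign_csr srx240-nosan.crt         # what a bare "x509 -req" produces
```

A passing verify_chain is the local equivalent of the SRX's "request security pki ca-certificate verify"; has_ip_san is the piece that the local-id matching in IKE depends on, and it fails for the certificate signed without -extfile even though that certificate chains fine.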





Re: Root CA+ OpenSSL + SRX240

09-07-2010 05:52 AM

I don't have an answer.  I'm currently trying to convert my srx-to-ns50 vpn from pre-shared-keys to certificates, and I've been working on it for almost 9 hours today....

If I figure it out, I'll post it.  And if someone else sends me a link (I have a query posted to the ScreenOS forum), I'll link to it here.



Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)