Re: SRX - Can system-generated-certificate be used as part of an IPSEC tunnel config?
You can't use the system-generated certificate for VPN authentication. I even tried creating a local self-signed certificate, with the same result.
[Aug 30 07:55:26]IKED-PKID-IPC Failed to delete cert chain patricia node system-generated
[Aug 30 07:55:26]iked_pm_ike_get_certificates_callback: CA certificate find failed
[Aug 30 07:55:26]ikev2_fb_get_cas_kid_cb: CA lookup failed, error 'Crypto operation failed'
(The above output is from IKE traceoptions.)
When using certificates in a VPN you need two certificates for each SRX:
A local certificate (signed by a CA)
A CA certificate (provided by the CA that signed your local certificate and used to validate that local cert)
The local certificate is to be loaded in the local SRX and the CA certificate is to be loaded in the remote SRX.
The problem when using the system-generated certificate or a local self-signed certificate in your VPN is that these certs will count as the local certificate, but then we don't have a CA certificate to be loaded in the remote SRX, because no real CA signed those certs and the local SRX does not provide a CA certificate when it signs those local certs.
You may want to create a CA for signing your local certs, as shown in the following link, using a Linux machine:
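As an added example (not part of the original post, and not Juniper's or the linked guide's code), the steps below build a private CA with OpenSSL on a Linux machine, sign a local certificate for one SRX with it, and run the check the remote SRX performs: does the CA certificate validate the local certificate? They also show why a self-signed (system-generated style) cert fails that check. All names, paths and subjects are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Private CA + signed local
# cert for an SRX IPsec peer, plus the chain check the remote side does.
# All file names and subjects here are constructed for the example.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Write a minimal non-interactive req config: file $1, CN $2, extra [req] line $3.
write_req_cnf() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n%s\n[dn]\nCN = %s\n' \
        "$3" "$2" > "$1"
}

# The CA: key + self-signed CA cert (CA:TRUE, keyCertSign).
# ca.crt is the "CA certificate" you load on the *remote* SRX.
make_ca() {
    write_req_cnf "$WORK/ca.cnf" "Example Lab VPN CA" "x509_extensions = v3_ca"
    printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
        >> "$WORK/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Key + CSR for one SRX ($1), signed by the CA.
# $1.crt is the "local certificate" you load on that SRX.
make_local_cert() {
    write_req_cnf "$WORK/$1.cnf" "$1" ""
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\n' \
        > "$WORK/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# A self-signed cert with no CA behind it: the situation the post describes
# with the system-generated certificate.
make_self_signed() {
    write_req_cnf "$WORK/$1.cnf" "$1" ""
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Returns 0 when CA cert $1 validates cert $2 (what the remote SRX needs),
# non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Load `srx-a.crt` plus `srx-a.key` as the local certificate on that SRX and `ca.crt` as the CA certificate on its peer; the self-signed `srx-b.crt` has no CA certificate to hand the peer, which is exactly why it cannot be used.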