PA5050: 6.0.6
SRX210: 12.1X44-D40
Following https://live.paloaltonetworks.com/docs/DOC-6215, I was able to create a root CA on the Palo.
I also created a local certificate signed by the Palo, signed by the same root CA.
I exported both the root CA and the local cert generated by the PA, in PEM format, with a password.
I used scp to upload these 2 files to the SRX210.
1. I created a ca-profile on the SRX:
configure
set security pki ca-profile SRX_PA_VPN ca-identity SRX_PA_VPN
set security pki ca-profile SRX_PA_VPN revocation-check disable
commit and-quit
2. Load the root certificate:
SRX210> request security pki ca-certificate load ca-profile SRX_PA_VPN filename /cf/var/tmp/cert_Root_CA_VPN.pem
Fingerprint:
ad:af:b2:54:43:49:c4:b9:fd:fb:e5:6c:42:ee:92:94:b4:c5:2a:ef (sha1)
dd:f9:4e:8f:c2:7e:0c:45:6c:31:7c:51:8b:ff:67:d7 (md5)
Do you want to load this CA certificate ? [yes,no] (no) yes
CA certificate for profile SRX_PA_VPN loaded successfully
3. "show security pki ca-certificate detail" to verify.
4. Load the local certificate:
SRX210> request security pki local-certificate load certificate-id srx001 filename /cf/var/tmp/cert_srx001.pem passphrase srxpaloalto key /cf/var/tmp/cert_srx001.pem
Local certificate loaded successfully
5. "show security pki local-certificate detail" to verify.
I'm able to use the local cert for https:
set system services web-management https pki-local-certificate srx001
Hope this helps.
Sam
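
An added example, not part of the original post: a workstation-side check of the two exported PEM files with openssl before they are copied to the SRX, so the fingerprint shown at the "Do you want to load this CA certificate ?" prompt can be compared against a value computed from the export. It assumes openssl is installed and the export passphrase is in an environment variable named PEM_PASS; the function names and that variable name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks on the
# exported PEM files before loading them on the SRX.

# Print a certificate fingerprint in the lower-case colon form the SRX shows.
# $1 = digest (sha1 or md5), $2 = certificate PEM
srx_fingerprint() {
    openssl x509 -in "$2" -noout -fingerprint "-$1" |
        sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# Succeed only if the local certificate chains to the given root CA.
# $1 = root CA PEM, $2 = local certificate PEM
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if the private key belongs to the certificate.
# $1 = certificate PEM, $2 = key PEM; passphrase is read from $PEM_PASS
# (assumed variable name) so it never appears on the command line.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin env:PEM_PASS -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Run every check. $1 = root CA PEM, $2 = local cert PEM,
# $3 = key PEM (defaults to $2; the post passes one file for both).
preflight() {
    chains_to_ca "$1" "$2" ||
        { echo "FAIL: $2 is not signed by $1" >&2; return 1; }
    key_matches_cert "$2" "${3:-$2}" ||
        { echo "FAIL: private key does not match $2" >&2; return 1; }
    echo "Compare with the SRX load prompt before answering yes:"
    echo "  $(srx_fingerprint sha1 "$1") (sha1)"
    echo "  $(srx_fingerprint md5 "$1") (md5)"
}
```

Example call, using the file names from the post: `PEM_PASS=... preflight cert_Root_CA_VPN.pem cert_srx001.pem`.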