SRX Services Gateway

SRX site to site VPN with Palo using self signed certificate

[ Edited ]
01-13-2015 09:17 AM

Hi Guys,

I am planning to set up a site-to-site VPN with Palo based on certificates.

I am planning to use the Palo as a CA to generate a certificate, then load this certificate into the SRX. Is it possible to do it this way?

Please note that the CSR is not created within the SRX, so it will be importing the certificate with the private key.

Thanks.

7 REPLIES

Re: SRX site to site VPN with Palo

01-13-2015 09:49 AM

As the Palo is able to generate a certificate and then export it with the private key in PEM-encoded format, I guess the question really is:

Can the SRX load an externally generated certificate as well as the private key?

When I try to load it, it gives an error message like this:

root@SRX01> request security pki local-certificate load filename /var/tmp/cert.crt key /var/tmp/priv.key passphrase password certificate-id test1

node1:
--------------------------------------------------------------------------
error: error load certid<test1>


Re: SRX site to site VPN with Palo

01-13-2015 01:46 PM

Actually, I am having the same problem even when trying to just load an external certificate.

root@SRX01> request security pki local-certificate load filename /cf/var/tmp/cert3.crt certificate-id cert3
error: error load certid<cert3>

Can anyone help?

Thanks.....


Re: SRX site to site VPN with Palo

01-14-2015 06:40 AM

Hello.

How was the local certificate generated? From a PA firewall? Or did you generate a CSR from the SRX itself?

This is the process I've had success with for loading a local cert for HTTPS:

1. Generate a key pair.

request security pki generate-key-pair certificate-id SRX001 size 2048 type rsa

2. Generate a PKCS#10 request.

request security pki generate-certificate-request certificate-id SRX001 subject "CN=SRX001,OU=IT Department,O=My Company,L=Oahu,S=HI,C=US" domain-name SRX001.mycompany.com

Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
xxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE REQUEST-----

3. Have the CSR signed by the CA.

4. Upload the signed cert to the firewall, then issue the following command (if HA, this can only be performed on the active node):

request security pki local-certificate load certificate-id SRX001 filename /var/tmp/SRX001-local.cer

5. Verify the certificate loaded on the device:

show security pki local-certificate

Regards,

Sam

Solution (accepted by topic author dlwfr, 08-26-2015 01:27 AM)

Re: SRX site to site VPN with Palo

01-14-2015 07:20 AM

PA5050: 6.0.6

SRX210: 12.1X44-D40

Following https://live.paloaltonetworks.com/docs/DOC-6215, I was able to create a root CA on the Palo.

I also created a local certificate on the Palo, signed by the same root CA.

I exported both the root CA and the local cert generated by the PA in PEM format, with a password.

I used scp to upload these two files to the SRX210.

1. I created a ca-profile on the SRX:

configure
set security pki ca-profile SRX_PA_VPN ca-identity SRX_PA_VPN
set security pki ca-profile SRX_PA_VPN revocation-check disable
commit and-quit

2. Load the root certificate:

SRX210> request security pki ca-certificate load ca-profile SRX_PA_VPN filename /cf/var/tmp/cert_Root_CA_VPN.pem
Fingerprint:
  ad:af:b2:54:43:49:c4:b9:fd:fb:e5:6c:42:ee:92:94:b4:c5:2a:ef (sha1)
  dd:f9:4e:8f:c2:7e:0c:45:6c:31:7c:51:8b:ff:67:d7 (md5)
Do you want to load this CA certificate ? [yes,no] (no) yes

CA certificate for profile SRX_PA_VPN loaded successfully

3. "show security pki ca-certificate detail" to verify.

4. Load the local certificate:

SRX210> request security pki local-certificate load certificate-id srx001 filename /cf/var/tmp/cert_srx001.pem passphrase srxpaloalto key /cf/var/tmp/cert_srx001.pem
Local certificate loaded successfully

5. "show security pki local-certificate detail" to verify.

I'm able to use the local cert for HTTPS:

set system services web-management https pki-local-certificate srx001

Hope this helps.

Sam


Re: SRX site to site VPN with Palo

01-14-2015 08:06 AM

Hi Sam,

This is very helpful indeed, thank you very much for your time. Now I am able to import both the CA and the external certificate; however, when I try to verify the cert generated by Palo, it fails.

root@srx# set security pki ca-profile testca ca-identity testca
[edit]
root@srx# set security pki ca-profile testca revocation-check disable
[edit]
root@srx# commit and-quit 
commit complete
root@srx>request security pki local-certificate load filename /var/tmp/test.crt key /var/tmp/test.key certificate-id test passphrase test
Local certificate loaded successfully
root@srx> request security pki ca-certificate load filename /var/tmp/testca.crt ca-profile testca 
Fingerprint:
7a:7a:89:fa:40:f2:7e:73:fe:c5:ca:5e:f6:5b:a2:2a:cf:c8:7e:26 (sha1)
cd:56:d4:ed:5f:3e:43:ef:ce:ef:d0:a2:75:da:c8:76 (md5)
Do you want to load this CA certificate ? [yes,no] (no) yes
CA certificate for profile test3 loaded successfully

However, when I try to verify the cert, it fails:

root@srx> request security pki local-certificate verify certificate-id test 
Local certificate test verification failed

Do you have any idea?

Thanks for your help!


Re: SRX site to site VPN with Palo

01-14-2015 09:28 AM

Hmm.

It's successful for me...

SRX001> request security pki local-certificate verify certificate-id srx001
Local certificate srx001 verification success

Can you make sure the date/time on the FW is correct? Also, do a "show security pki local-certificate" and check the certificate's validity.

Regards,

Sam
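The exchange above comes down to three conditions that an externally generated certificate has to meet before the SRX's "request security pki local-certificate verify" can succeed: the certificate must chain to the CA certificate loaded into the ca-profile, it must be valid at whatever the firewall believes the current date/time is, and the private key supplied at load time must belong to the certificate. The script below, an added example that is not part of the thread and not Juniper or Palo Alto code, reproduces those three checks offline with the openssl command-line tool so they can be run on the exported PEM files before anything is uploaded to the SRX. Everything it works on is constructed on the fly: a root CA standing in for the Palo-generated root, an unrelated second CA, and a leaf certificate with its key; the file names, the CN values and the serial number are arbitrary choices of this example, and it assumes openssl 1.1.1 or newer is installed.

```shell
#!/bin/sh
# Added example (not from the thread): offline pre-checks for an externally generated
# certificate before loading it into an SRX ca-profile / local-certificate.
# All certificate material below is constructed here; names and CNs are arbitrary.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed root CA (stands in for the root CA generated on the Palo).
make_ca() {  # $1 = file prefix, $2 = CN
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/$1.cnf" -extensions v3_ca \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Build a leaf certificate with its own key, signed by the named CA
# (stands in for the local certificate exported from the Palo together with its key).
make_leaf() {  # $1 = file prefix, $2 = CN, $3 = CA file prefix
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$2" > "$WORK/$1.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -set_serial 4660 -days 365 -sha256 -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Check 1: does the local cert chain to this CA cert? A CA profile holding a different
# CA than the one that actually signed the cert fails here.
chain_ok() {  # $1 = CA pem, $2 = cert pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: the same chain check evaluated at a chosen clock time. An SRX whose
# date/time is wrong is in exactly this position: a cert that is "not yet valid"
# or expired from the firewall's point of view fails verification.
chain_ok_at() {  # $1 = CA pem, $2 = cert pem, $3 = unix time
    openssl verify -attime "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 3: does the private key belong to the certificate? Both commands emit the
# SubjectPublicKeyInfo in PEM form, so a straight string comparison is enough.
key_matches() {  # $1 = cert pem, $2 = key pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed material: the right CA, an unrelated CA, and a leaf signed by the right one.
make_ca   vpnca   "Constructed Root CA VPN"
make_ca   otherca "Constructed Unrelated CA"
make_leaf srx001  "srx001" vpnca

show() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
show chain_ok    "$WORK/vpnca.pem"   "$WORK/srx001.pem"
show chain_ok    "$WORK/otherca.pem" "$WORK/srx001.pem"             # expected FAIL: wrong CA
show chain_ok_at "$WORK/vpnca.pem"   "$WORK/srx001.pem" 946684800   # expected FAIL: clock at year 2000
show key_matches "$WORK/srx001.pem"  "$WORK/srx001.key"
show key_matches "$WORK/srx001.pem"  "$WORK/vpnca.key"              # expected FAIL: key belongs to the CA
```

To use the checks on real exports, point chain_ok at the root CA PEM that was loaded into the ca-profile and at the local certificate PEM, and key_matches at the certificate and the key file (the Palo export can place both in one PEM file, which is why the thread's load command names the same file for filename and key; openssl x509 and openssl pkey each pick out their own object from such a file). If all three pass locally but the SRX still reports "verification failed", the firewall's own clock is the next thing to compare against the notBefore/notAfter dates shown by "show security pki local-certificate detail".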


Re: SRX site to site VPN with Palo

01-15-2015 03:23 PM

Thank you for your help, Sam. I have done it again and now it works.