SRX Services Gateway

SSL Forward Proxy Certificate

‎04-01-2019 11:44 PM

Hi

 

I need to inspect HTTPS traffic over SKYATP, so I configured a forward proxy and attached it to the security policy.

I loaded a certificate signed by a public CA onto the SRX and used it in the forward proxy, but when clients tried to browse HTTPS they got a certificate error.

 

My questions:

 

- Do I have to load the signed SRX certificate into the clients' browsers, given that it is already signed by a public CA that is already in the browsers' CA list?

- When generating the certificate request on the SRX, is it required to fill in correct values for the subject, domain, IP, ...?

(The firewall is not joined to a domain and does not have a public IP.)

- Is there a way to test, from the SRX itself, whether the imported SRX certificate is valid and whether it communicates with the CA properly?


Re: SSL Forward Proxy Certificate

‎04-02-2019 06:08 AM

Hi,

 

What's the error shown on the clients' side?

Can you share the SSL profile configuration?

Can you provide the output of the following commands, in order to confirm that the trust chain is complete:

 

 

show security pki local-certificate detail certificate-id <certificate-id-name>
request security pki local-certificate verify certificate-id <certificate-id-name>
show security pki ca-certificate ca-profile <ca-profile-name> detail

 

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: SSL Forward Proxy Certificate

‎04-02-2019 08:19 AM

Hi

 

Attached are the SSL configuration and the error shown on the client side (I can't share the certificate outputs).

Could you please answer my questions raised in the previous update.

 

Thanks

Solution (accepted by topic author mahmoud.yasin@ad-tech.com.jo, ‎04-03-2019 07:04 AM)

Re: SSL Forward Proxy Certificate

‎04-02-2019 10:14 AM

Hi,

 

The error you are receiving is because the SRX was not able to authenticate the Facebook server, and because of this it sends a dummy cert to the PC in order to inform about this error. See the "Server Authentication" section:

 

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-ssl-proxy.html

 

When the SRX contacts Facebook and the server provides its local cert, the SRX will try to authenticate it with the CA certs stated under:

 

set services ssl proxy profile ssl-inspect-profile trusted-ca [Trusted_CA-Certs]

 

I just connected to Facebook and received the cert attached in the file "Facebook cert". We can see that this cert was issued/signed by "Digicert SHA2 High Assurance Server CA", which is an Intermediate CA. In the attached file "Facebook cert-3" we can see that "Digicert" signed/issued that Intermediate CA cert, hence "Digicert" is the Root CA. We need to make sure that both the Intermediate CA cert and the Root CA cert are loaded on the SRX if we want it to trust the local cert provided by Facebook.

 

I believe you need to change the value "sky-atp-ca" to "all" so that the SRX will check all installed CA certs when authenticating Facebook or any other external website. Note that the "all" option means that the SRX will check all installed CA certs when authenticating an external cert. Juniper packages come with pre-installed CA certs that can be loaded with the following command:

 

request security pki ca-certificate ca-profile-group load ca-group-name ca-default filename default

 

Check the "Trusted CA List" section in the following doc:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-ssl-proxy.html

 

Try installing the Trusted CA list provided by Juniper and using option "all" under [edit services ssl proxy profile ssl-inspect-profile trusted-ca]. If the issue persists after that, then we will confirm if the SRX does have the Root CA cert (Digicert) and the Intermediate CA cert (Digicert SHA2 High Assurance Server CA) installed correctly.

 


Re: SSL Forward Proxy Certificate

‎04-03-2019 07:08 AM

Hi

 

I imported the CA cert list to the SRX, but I got a browser certificate error that "this certificate can't be used for this purpose", which means it can't be used as a trusted root certificate.

 

So I used a self-signed certificate and imported it into the clients' trusted root certificate folder; then I was able to browse HTTPS in Microsoft Internet Explorer only, although I imported the certificate into the other browsers' directories as well. Any idea here?


Re: SSL Forward Proxy Certificate

‎04-03-2019 05:17 PM

Hi,

 

So, is the first reported issue no longer happening? Please note that my previous suggestions were to be applied on the SRX only.

 

Assuming that the first issue was solved, my understanding is that in the PCs we need to install a cert that was previously self-signed by the SRX. See step 1 in the following doc and let me know if you followed a similar process:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB31122

 

 


Re: SSL Forward Proxy Certificate

‎04-04-2019 01:01 AM

Hi

 

Yes, I used the self-signed certificate, loaded it onto the clients, and loaded the list of CA certs, and then I was able to browse HTTPS traffic.

 

Thanks for support


Re: SSL Forward Proxy Certificate

‎06-02-2019 08:48 PM

Welcome to the wonderful world of X.509. I ran into the same issue when trying to use a cert signed by an internal root CA. You need to check the following fields on the cert.

X509v3 Basic Constraints: critical
    CA:TRUE, pathlen: greater than 0 (should be at least 1)

X509v3 Key Usage: critical
    Digital Signature, Certificate Sign, CRL Sign
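The two X.509 points this thread turns on, the accepted answer's requirement that the proxy hold both the intermediate and the root CA certificate to authenticate the origin server, and the last reply's Basic Constraints / Key Usage requirements on the certificate the proxy itself issues from, as an added example using Go's crypto/x509. This is not code from the thread, from Juniper or from the SRX; Go's chain builder stands in for the SRX's server-authentication step, and the names ("Constructed Root CA", "Constructed Intermediate CA", www.example.test) and the whole three-tier PKI are constructed in memory for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a certificate template. ca=true gives the shape an issuing CA (a
// forward-proxy CA included) needs: CA:TRUE, a path length, Certificate Sign and CRL Sign.
func newTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if ca {
		t.IsCA, t.MaxPathLen = true, 1
		t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // ordinary server certificate, which is all a public CA issues for a hostname
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.DNSNames = []string{cn}
	}
	return t
}

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns
// the parsed certificate with its freshly generated private key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildChain creates a constructed root -> intermediate -> server PKI (invented
// names), the same shape as the DigiCert chain the accepted answer describes.
func BuildChain() (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue(newTemplate("Constructed Root CA", 1, true), nil, nil)
	inter, interKey := issue(newTemplate("Constructed Intermediate CA", 2, true), root, rootKey)
	leaf, _ = issue(newTemplate("www.example.test", 3, false), inter, interKey)
	return root, inter, leaf
}

// VerifyServerCert mirrors the proxy's server-authentication step: the origin server's
// certificate must chain to a trusted root through the intermediates the proxy holds.
func VerifyServerCert(leaf *x509.Certificate, host string, roots, intermediates []*x509.Certificate) error {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rp.AddCert(c)
	}
	for _, c := range intermediates {
		ip.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: rp, Intermediates: ip})
	return err
}

// CheckProxyCA lists what disqualifies a certificate from acting as the proxy's
// issuing CA; an empty result means it carries the fields the last reply names.
func CheckProxyCA(c *x509.Certificate) []string {
	var problems []string
	add := func(bad bool, msg string) {
		if bad {
			problems = append(problems, msg)
		}
	}
	add(!c.BasicConstraintsValid || !c.IsCA, "Basic Constraints is not CA:TRUE (end-entity certificate)")
	add(c.KeyUsage&x509.KeyUsageCertSign == 0, "Key Usage lacks Certificate Sign")
	add(c.KeyUsage&x509.KeyUsageCRLSign == 0, "Key Usage lacks CRL Sign")
	add(c.IsCA && c.MaxPathLenZero, "pathlen:0 (the reply above asks for at least 1)")
	return problems
}

func main() {
	root, inter, leaf := BuildChain()
	fmt.Println("root only:", VerifyServerCert(leaf, "www.example.test", []*x509.Certificate{root}, nil))
	fmt.Println("root + intermediate:", VerifyServerCert(leaf, "www.example.test", []*x509.Certificate{root}, []*x509.Certificate{inter}))
	fmt.Println("server cert:", CheckProxyCA(leaf), "| CA cert:", CheckProxyCA(inter))
}
```

Run as written, the first verification fails with "certificate signed by unknown authority" (only the root is trusted, the intermediate is absent, which is the state the accepted answer diagnoses), the second succeeds once the intermediate is supplied alongside the root, and CheckProxyCA flags the server certificate on all three fields while passing the CA certificate. The server-certificate case is what a public-CA-signed certificate like the one in the original post looks like: it is valid for TLS, but it is not a CA and cannot sign the per-site certificates the forward proxy must mint, which is why a browser reports that it cannot be used for that purpose.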
