SRX Services Gateway

SSL Forward Proxy With Signed Certificate

02-22-2019 06:36 PM

Hello,


I was able to implement SSL FP on our SRX devices. The thing is I used a locally generated certificate with the add-ca-constraint option. The thing is I need to use a certificate which is signed by our CA (Windows 2012 CA, if that matters). If I reference a certificate that was signed by the CA, on the end host I get a "certificate issuer cannot be found" error.

Any help is greatly appreciated.
Thanks


Re: SSL Forward Proxy With Signed Certificate

02-22-2019 07:53 PM

Hello,


Since the browser is complaining about the issuer not being found, I believe it is one of these two:

> Root CA used to sign the SRX certificate is not available in the browser

> Browser is not receiving the correct signed certificate. Are you able to view the certificate to see if it is indeed signed by your CA instead of a public CA?

Regards,

Vikas

Re: SSL Forward Proxy With Signed Certificate

02-22-2019 08:04 PM

Hi

Just an additional point I forgot to ask. Is the SRX cert signed by a Root or a Subordinate CA? Although I don't think it matters much in a domain environment, where the trust goes up to the root.

https://knowledge.digicert.com/solution/SO3554.html

I would check this and then probably focus on the certificate I am receiving from the SRX.

Regards,

Vikas

Re: SSL Forward Proxy With Signed Certificate

02-23-2019 06:04 AM

Hi Vikas,

Thanks for replying. If I https directly to the box (fxp0) then the browser is happy, since it sees the Root CA which it trusts as well.


Re: SSL Forward Proxy With Signed Certificate

02-23-2019 06:55 AM

Hi,

The certificate for device management (fxp) and the one you get during SSL proxy are two different ones.

Were you able to verify the certificate defined under the ssl proxy profile?

Has the certificate been given certificate signing rights?

Has the certificate been given certificate signing rights?

Regards,

Vikas

Re: SSL Forward Proxy With Signed Certificate

02-23-2019 07:17 AM

> Were you able to verify the certificate defined under the ssl proxy profile?

    It is the same certificate.

> Has the certificate been given certificate signing rights?

    No and I need to find out how to do that with our root CA.

I was looking at the templates that our Root CA has and found an interesting one titled Subordinate Certification Authority. I used it to sign the request but the SRX refuses to load the cert.

root@SRX# request security pki local-certificate load certificate-id XXXX filename /var/tmp/certnew.cer
error: error load certid<XXXXX>

Solution (accepted by topic author armartirosyan, 02-25-2019 09:19 AM)

Re: SSL Forward Proxy With Signed Certificate

02-25-2019 03:40 AM

Hello,

The certificates need to be different. The one for the JWEB is a web-server certificate while the one for the SSL proxy should be a Subordinate CA Certificate signing certificate.

I believe the error is because you are trying to load the certificate from the CA to the same certificate-id.

My suggestion:

> Create a new certificate signing request (CSR)

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10175&cat=J_SERIES&actp=LIST

> Get this signed by the CA as a Subordinate CA certificate. You can refer to a thread in the forum link below

https://forums.juniper.net/t5/SRX-Services-Gateway/Prepare-CA-for-SSL-Proxy-configuration/td-p/32106...

> Load the signed certificate on the firewall for the new cert-id

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10176&actp=METADATA

> Reference the new cert-id in the ssl-proxy profile

> If you still have issues, can you share a screenshot of the "Key Usage" field in the certificate

https://knowledge.digicert.com/solution/SO18140.html

I hope this helps. Regards,

Vikas
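As an added example (not code from the thread or from Juniper), the check Vikas asks for in the last step, written in pure Python: it walks a DER-encoded certificate and reports whether basicConstraints says CA:TRUE and whether keyUsage includes keyCertSign, which is what separates a web-server certificate from one the SSL proxy can sign with. The two sample certificates are constructed inside the block and carry only the fields the checker reads; for a real certificate, pass its DER bytes (base64-decode the PEM body first).

```python
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15
def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def check_signing_ca(cert_der):
    """Return {'ca': bool, 'key_cert_sign': bool} for a DER-encoded X.509 certificate."""
    tbs = tlv(tlv(cert_der)[1])[1]                 # Certificate -> tbsCertificate contents
    result = {"ca": False, "key_cert_sign": False}
    for tag, val in children(tbs):
        if tag != 0xA3:                            # [3] EXPLICIT Extensions
            continue
        for _, ext in children(tlv(val)[1]):       # each Extension ::= SEQUENCE
            parts = list(children(ext))            # OID, optional critical BOOLEAN, OCTET STRING
            oid, body = parts[0][1], tlv(parts[-1][1])[1]
            if oid == OID_BASIC_CONSTRAINTS:
                # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL }
                result["ca"] = any(t == 0x01 and v == b"\xff" for t, v in children(body))
            elif oid == OID_KEY_USAGE:
                # KeyUsage ::= BIT STRING; body[0] = unused-bit count, bit 5 of body[1] = keyCertSign
                result["key_cert_sign"] = len(body) > 1 and bool(body[1] & 0x04)
    return result

def der(tag, *values):                             # minimal encoder for the constructed samples
    v = b"".join(values)
    return bytes([tag, len(v)]) + v                # short-form length: samples stay under 128 bytes

def sample_cert(ca, key_usage_bits):
    """Constructed stand-in certificate holding only a serial and the two extensions."""
    ca_flag = der(0x01, b"\xff") if ca else b""
    bc = der(0x30, der(0x06, OID_BASIC_CONSTRAINTS), der(0x04, der(0x30, ca_flag)))
    ku = der(0x30, der(0x06, OID_KEY_USAGE), der(0x01, b"\xff"),
             der(0x04, der(0x03, key_usage_bits)))
    tbs = der(0x30, der(0x02, b"\x01"), der(0xA3, der(0x30, bc, ku)))
    return der(0x30, tbs)

WEB_SERVER_CERT = sample_cert(False, b"\x05\xa0")  # digitalSignature + keyEncipherment only
SUB_CA_CERT = sample_cert(True, b"\x01\x06")       # keyCertSign + cRLSign: what the proxy needs
```

Both values must come back True for the certificate referenced in the ssl-proxy profile; a web-server certificate like the one used for J-Web is expected to report False for both.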

Re: SSL Forward Proxy With Signed Certificate

02-25-2019 09:20 AM

Thanks Vikas. It helped a lot!