Wednesday, 4 December 2013

Juniper SRX - PKI - Certificate-based VPNs - Part 02 - SRX Configuration & Certificate Signings

Continuing with Part 02 of this series (Part 01 found here), we'll configure the SRX (at least partially) to use PKI, generate CSRs, and have them signed by the CA we set up previously.

1. Configure the ca-profile for the CA (version check included for posterity). Note that revocation-check disable means the SRX will never consult a CRL for this CA, so a revoked peer certificate would still be accepted; acceptable in this lab, not in production.
root@SRX210_A# show security pki | display set
set security pki ca-profile Ubuntu01 ca-identity Ubuntu01
set security pki ca-profile Ubuntu01 revocation-check disable

root@SRX210_A# run show version
node0:
--------------------------------------------------------------------------
Hostname: SRX210_A
Model: srx210h-poe
JUNOS Software Release [11.4R9.4]

root@vSRX_02# run show version
Hostname: vSRX_02
Model: junosv-firefly
JUNOS Software Release [12.1X44-D20.3]


2. Transfer (copy/paste) /etc/ssl/testCa/cacert.pem from your CA onto your SRX. It's the CA's public certificate, so it needs no confidentiality, but it must arrive unmodified (step 3 checks that):
root@SRX210_A#  run start shell
root@SRX210_A% cat cacert.pem
-----BEGIN CERTIFICATE-----
MIIFtTCCA52gAwIBAgIBADANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJDQTEQ
--------------------------SNIP FOR BREVITY------------------------------------
ymJ/BQZIyKLD9zvqgtjoMK/UoV6r/oVZWzX53B8uLcLBQqbWQivN7jb8j00hf5K9
HOnf7ieBfbYq/J20ik0TXAIsHkWGtKtVTA==
-----END CERTIFICATE-----

3. Import the CA certificate into the ca-profile created earlier. Compare the fingerprint the SRX prints with the output of openssl x509 -noout -fingerprint -sha1 -in cacert.pem on the CA; this certificate is the trust anchor for every VPN peer, so a mismatch means the file was altered in transit:
root@SRX210_A> request security pki ca-certificate load ca-profile Ubuntu01 filename ~/cacert.pem
node0:
--------------------------------------------------------------------------
Fingerprint:
  56:57:3d:71:d2:55:b0:68:e7:f6:ee:53:3c:6a:5f:21:01:3b:8f:d5 (sha1)
  fe:4d:56:cd:6c:9c:34:5b:b8:cf:0d:bd:15:d1:87:15 (md5)
CA certificate for profile Ubuntu01 loaded successfully

4. Generate the SRX's RSA key pair (the private key stays on the SRX; only the CSR and the signed certificate ever leave it):
root@SRX210_A> request security pki generate-key-pair type rsa size 2048 certificate-id SRX210_key_01
node0:
--------------------------------------------------------------------------
Generated key pair SRX210_key_01, key size 2048 bits

5. Generate the Certificate Signing Request (CSR) for that key pair. The certificate-id must be the one from step 4, and the subject must contain no underscores:
root@SRX210_A> request security pki generate-certificate-request certificate-id SRX210_key_01 email your.email@domain.com subject "DC=SRX210,CN=SRX210,OU=VPN,O=TestLab,L=Ottawa,ST=Ontario,C=CA"
node0:
--------------------------------------------------------------------------
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
MIIC8jCCAdoCAQAweTEWMBQGCgmSJomT8ixkARkWBlNSWDIxMDEPMA0GA1UEAxMG
--------------------------SNIP FOR BREVITY------------------------------------
VwHvUcODc9OBKzYZzxUSDc8ICOkSNtW89WT7YYkBotdmCNbDZ74=
-----END CERTIFICATE REQUEST-----
Fingerprint:
48:1e:f5:a1:da:62:00:10:d9:66:62:3f:20:db:32:fe:5d:37:c8:41 (sha1)
01:5c:ca:b9:25:ad:1a:f0:c0:ae:16:fb:5a:47:dc:43 (md5)

6. Transfer (copy/paste) the CSR to the CA and check that the subject and key size are what you asked for before signing anything:
root@Ubuntu01:/etc/ssl/testCa# openssl req -noout -text -in SRX210_key_01.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: DC=SRX210, CN=SRX210, OU=VPN, O=TestLab, L=Ottawa, ST=Ontario, C=CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
--------------------------SNIP FOR BREVITY------------------------------------
         cf:08:08:e9:12:36:d5:bc:f5:64:fb:61:89:01:a2:d7:66:08:
         d6:c3:67:be
7. Sign the CSR with the CA (the -out file lands in certs/, a copy goes to newcerts/ and index.txt is updated). Two things to know about openssl ca here: it rebuilds the subject from the fields listed in the policy section of openssl.cnf (policy_match by default), so the DC= and L= attributes from the CSR are silently dropped from the issued certificate, as index.txt below shows (add -preserveDN if you need them kept); and without -notext the -out file gets a human-readable dump prepended to the PEM, which is why it comes out at 5.2K:
root@Ubuntu01:/etc/ssl/testCa# openssl ca -verbose -in SRX210_key_01.csr -out certs/SRX_210.pem -cert cacert.pem -extfile x509ext.txt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/testCa/private/cakey.pem:
     --------------------------SNIP FOR BREVITY------------------------------------
Certificate is to be certified until Dec  5 02:26:27 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
writing new certificates
writing /etc/ssl/testCa/newcerts/01.pem
Data Base Updated


root@Ubuntu01:/etc/ssl/testCa# cat index.txt ; ls -lh certs/
V       141205022627Z           01      unknown /C=CA/ST=Ontario/O=TestLab/OU=VPN/CN=SRX210
total 8.0K
-rw-r--r-- 1 root root 5.2K Dec  4 21:26 SRX_210.pem
8. Finally, transfer the signed certificate back to the SRX (renamed to SRX210.pem here), import it under the same certificate-id as the key pair, and verify it against the ca-profile:
root@SRX210_A> request security pki local-certificate load certificate-id SRX210_key_01 filename ~/SRX210.pem
node0:
--------------------------------------------------------------------------

Local certificate loaded successfully

root@SRX210_A> request security pki local-certificate verify certificate-id SRX210_key_01
node0:
--------------------------------------------------------------------------
Local certificate SRX210_key_01 verification success
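
Here is the CA side of steps 6 to 8 replayed end to end with openssl in a scratch directory, as an added example that is not part of the original post. The SRX key pair and CSR are stood in for by openssl (the real ones come from the request security pki commands above), the CA config and x509ext.txt are constructed stand-ins for the ones built in Part 01 (whose contents this post does not show), and the functions at the end are the checks worth running before the certificate goes back to the SRX: the CA fingerprint to compare with the step 3 load output, chain verification against the CA, a public-key match between CSR and certificate, and the subject before and after signing so the dropped DC= and L= are visible.

```shell
#!/bin/sh
# Added example (not from the original post): replay the CA side of steps 6-8
# with openssl in a scratch directory and run the checks worth doing before
# the certificate goes back to the SRX. The SRX key pair and CSR are simulated
# with openssl; the CA config and x509ext.txt below are constructed stand-ins
# for the ones built in Part 01, whose contents this post does not show.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA="$WORK/testCa"
KEY="$WORK/SRX210_key_01.pem"          # stands in for the key pair from step 4
CSR="$WORK/SRX210_key_01.csr"          # stands in for the CSR from step 5
CERT="$CA/certs/SRX_210.pem"           # what openssl ca writes in step 7

# Minimal equivalent of the [ca] section of /usr/lib/ssl/openssl.cnf. The
# policy_match section matters: openssl ca rebuilds the subject from these
# fields only, so the DC= and L= attributes in the CSR do not survive signing.
setup_ca() {
    mkdir -p "$CA/certs" "$CA/newcerts" "$CA/private"
    : > "$CA/index.txt"
    echo 01 > "$CA/serial"
    cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = testCa
[ testCa ]
database = $CA/index.txt
new_certs_dir = $CA/newcerts
serial = $CA/serial
certificate = $CA/cacert.pem
private_key = $CA/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Assumed end-entity extensions; the post's real x509ext.txt is from Part 01.
    cat > "$CA/x509ext.txt" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Self-signed CA. Unencrypted key for the demo; the post's cakey.pem has a passphrase.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$CA/openssl.cnf" \
        -keyout "$CA/private/cakey.pem" -out "$CA/cacert.pem" \
        -subj "/C=CA/ST=Ontario/O=TestLab/CN=TestLab CA" 2>/dev/null
}

# Same key size and DN string as steps 4-5, DC first as the SRX emits it.
make_csr() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    openssl req -new -key "$KEY" -config "$CA/openssl.cnf" -out "$CSR" \
        -subj "/DC=SRX210/CN=SRX210/OU=VPN/O=TestLab/L=Ottawa/ST=Ontario/C=CA"
}

# Steps 6-7: check the CSR's own signature, then sign. -notext keeps the output
# PEM-only; without it (as in the post) a text dump is prepended, hence 5.2K.
# Add -preserveDN to keep DC= and L= in the issued subject.
sign_csr() {
    openssl req -verify -noout -in "$CSR" 2>/dev/null
    openssl ca -batch -notext -config "$CA/openssl.cnf" -extfile "$CA/x509ext.txt" \
        -in "$CSR" -out "$CERT" 2>/dev/null
}

# Step 3 check: must equal the sha1 line the SRX prints on ca-certificate load.
ca_fingerprint()  { openssl x509 -noout -fingerprint -sha1 -in "$CA/cacert.pem"; }
csr_subject()     { openssl req  -noout -subject -nameopt RFC2253 -in "$CSR"; }
issued_subject()  { openssl x509 -noout -subject -nameopt RFC2253 -in "$CERT"; }

# Step 8 checks: the issued cert chains to the CA, and it carries the public key
# from the CSR, so it pairs with the key stored as certificate-id SRX210_key_01.
verify_chain() { openssl verify -CAfile "$CA/cacert.pem" "$CERT" >/dev/null; }
pubkey_matches_csr() {
    a=$(openssl req  -noout -pubkey -in "$CSR"  | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl x509 -noout -pubkey -in "$CERT" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

setup_ca
make_csr
sign_csr
echo "scratch dir:     $WORK"
echo "CA fingerprint:  $(ca_fingerprint)"
echo "CSR subject:     $(csr_subject)"
echo "issued subject:  $(issued_subject)"
verify_chain;       echo "chains to CA:    OK"
pubkey_matches_csr; echo "key matches CSR: OK"
```

Run it with sh; it prints the scratch directory so you can inspect index.txt and newcerts/01.pem, which should look like the output in step 7. To use it against a real SRX, point $CSR at the request pasted off the box in step 5; the -out file is then what goes back in step 8. The subject printed before and after signing is the quickest way to see the policy_match behaviour described at step 7 without reading index.txt.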

You'll obviously have to rinse/repeat for each SRX you have in your lab. In Part 03 we'll explore actually using these certificates!
