1. Configure the ca-profile for the CA (version check included for posterity)
root@SRX210_A# show security pki | display set
set security pki ca-profile Ubuntu01 ca-identity Ubuntu01
set security pki ca-profile Ubuntu01 revocation-check disable
set security pki ca-profile Ubuntu01 ca-identity Ubuntu01
set security pki ca-profile Ubuntu01 revocation-check disable
root@SRX210_A# run show version
node0:
--------------------------------------------------------------------------
Hostname: SRX210_A
Model: srx210h-poe
JUNOS Software Release [11.4R9.4]
root@vSRX_02# run show version
Hostname: vSRX_02
Model: junosv-firefly
JUNOS Software Release [12.1X44-D20.3]
node0:
--------------------------------------------------------------------------
Hostname: SRX210_A
Model: srx210h-poe
JUNOS Software Release [11.4R9.4]
root@vSRX_02# run show version
Hostname: vSRX_02
Model: junosv-firefly
JUNOS Software Release [12.1X44-D20.3]
2. Transfer (copy/paste) /etc/ssl/testCA/cacert.pem from your CA onto your SRX:
root@SRX210_A# run start shell
root@SRX210_A% cat cacert.pem
-----BEGIN CERTIFICATE-----
MIIFtTCCA52gAwIBAgIBADANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJDQTEQ
--------------------------SNIP FOR BREVITY------------------------------------
ymJ/BQZIyKLD9zvqgtjoMK/UoV6r/oVZWzX53B8uLcLBQqbWQivN7jb8j00hf5K9
HOnf7ieBfbYq/J20ik0TXAIsHkWGtKtVTA==
-----END CERTIFICATE-----
root@SRX210_A% cat cacert.pem
-----BEGIN CERTIFICATE-----
MIIFtTCCA52gAwIBAgIBADANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJDQTEQ
--------------------------SNIP FOR BREVITY------------------------------------
ymJ/BQZIyKLD9zvqgtjoMK/UoV6r/oVZWzX53B8uLcLBQqbWQivN7jb8j00hf5K9
HOnf7ieBfbYq/J20ik0TXAIsHkWGtKtVTA==
-----END CERTIFICATE-----
3. Import the CA's public key into the ca-profile created earlier:
root@SRX210_A> request security pki ca-certificate load ca-profile Ubuntu01 filename ~/cacert.pem
node0:
--------------------------------------------------------------------------
Fingerprint:
56:57:3d:71:d2:55:b0:68:e7:f6:ee:53:3c:6a:5f:21:01:3b:8f:d5 (sha1)
fe:4d:56:cd:6c:9c:34:5b:b8:cf:0d:bd:15:d1:87:15 (md5)
CA certificate for profile Ubuntu01 loaded successfully
4. Generate the SRX's private key:
root@SRX210_A> request security pki generate-key-pair type rsa size 2048 certificate-id SRX210_key_01
node0:
--------------------------------------------------------------------------
Generated key pair SRX210_key_01, key size 2048 bits
5. Generate the Certificate Signing Request (CSR) - no underscores in subject!:
root@SRX210_A>request security pki generate-certificate-request certificate-id SRX210_Key_01 email your.email@domain.com subject "DC=SRX210,CN=SRX210,OU=VPN,O=TestLab,L=Ottawa,ST=Ontario,C=CA"
node0:
--------------------------------------------------------------------------
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
MIIC8jCCAdoCAQAweTEWMBQGCgmSJomT8ixkARkWBlNSWDIxMDEPMA0GA1UEAxMG
--------------------------SNIP FOR BREVITY------------------------------------
VwHvUcODc9OBKzYZzxUSDc8ICOkSNtW89WT7YYkBotdmCNbDZ74=
-----END CERTIFICATE REQUEST-----
Fingerprint:
48:1e:f5:a1:da:62:00:10:d9:66:62:3f:20:db:32:fe:5d:37:c8:41 (sha1)
01:5c:ca:b9:25:ad:1a:f0:c0:ae:16:fb:5a:47:dc:43 (md5)
6. Transfer (copy/paste) CSR to CA and verify:
root@Ubuntu01:/etc/ssl/testCa# openssl req -noout -text -in SRX210_key_01.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: DC=SRX210, CN=SRX210, OU=VPN, O=TestLab, L=Ottawa, ST=Ontario, C=CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
--------------------------SNIP FOR BREVITY------------------------------------
cf:08:08:e9:12:36:d5:bc:f5:64:fb:61:89:01:a2:d7:66:08:
d6:c3:67:be
7. Sign the CSR with the CA (cert is placed in certs/ and index.txt will be updated):
root@Ubuntu01:/etc/ssl/testCa# openssl ca -verbose -in SRX210_key_01.csr -out certs/SRX_210.pem -cert cacert.pem -extfile x509ext.txt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/testCa/private/cakey.pem:
--------------------------SNIP FOR BREVITY------------------------------------
Certificate is to be certified until Dec 5 02:26:27 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
writing new certificates
writing /etc/ssl/testCa/newcerts/01.pem
Data Base Updated
root@Ubuntu01:/etc/ssl/testCa# cat index.txt ; ls -lh certs/
V 141205022627Z 01 unknown /C=CA/ST=Ontario/O=TestLab/OU=VPN/CN=SRX210
total 8.0K
-rw-r--r-- 1 root root 5.2K Dec 4 21:26 SRX_210.pem
V 141205022627Z 01 unknown /C=CA/ST=Ontario/O=TestLab/OU=VPN/CN=SRX210
total 8.0K
-rw-r--r-- 1 root root 5.2K Dec 4 21:26 SRX_210.pem
root@SRX210_A> request security pki local-certificate load certificate-id SRX210_key_01 filename ~/SRX210.pem
node0:
--------------------------------------------------------------------------
Local certificate loaded successfully
root@SRX210_A> request security pki local-certificate verify certificate-id SRX210_key_01
node0:
--------------------------------------------------------------------------
Local certificate SRX210_key_01 verification success
You'll obviously have to rinse/repeat for each SRX you have in your lab. In Part 03 we'll explore actually using these certificates!
node0:
--------------------------------------------------------------------------
Local certificate loaded successfully
root@SRX210_A> request security pki local-certificate verify certificate-id SRX210_key_01
node0:
--------------------------------------------------------------------------
Local certificate SRX210_key_01 verification success
i canot understand about the script
ReplyDeleteThanks for this script.Its very useful for everyone.
ReplyDeletejuniper training