Wednesday 4 December 2013

Juniper SRX - PKI - Certificate-based VPNs - Part 02 - SRX Configuration & Certificate Signings

Continuing on with Part 02 of this series (Part 01 found here), we'll configure the SRX (at least partially) to utilize PKI and generate CSR's and have them signed by our previously configured CA.

1. Configure the ca-profile for the CA (version check included for posterity)
root@SRX210_A# show security pki | display set
set security pki ca-profile Ubuntu01 ca-identity Ubuntu01
set security pki ca-profile Ubuntu01 revocation-check disable

root@SRX210_A# run show version
node0:
--------------------------------------------------------------------------
Hostname: SRX210_A
Model: srx210h-poe
JUNOS Software Release [11.4R9.4]

root@vSRX_02# run show version
Hostname: vSRX_02
Model: junosv-firefly
JUNOS Software Release [12.1X44-D20.3]


2. Transfer (copy/paste) /etc/ssl/testCA/cacert.pem from your CA onto your SRX:
root@SRX210_A#  run start shell
root@SRX210_A% cat cacert.pem
-----BEGIN CERTIFICATE-----
MIIFtTCCA52gAwIBAgIBADANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJDQTEQ
--------------------------SNIP FOR BREVITY------------------------------------
ymJ/BQZIyKLD9zvqgtjoMK/UoV6r/oVZWzX53B8uLcLBQqbWQivN7jb8j00hf5K9
HOnf7ieBfbYq/J20ik0TXAIsHkWGtKtVTA==
-----END CERTIFICATE-----

3. Import the CA's public key into the ca-profile created earlier:
root@SRX210_A> request security pki ca-certificate load ca-profile Ubuntu01 filename ~/cacert.pem
node0:
--------------------------------------------------------------------------
Fingerprint:
  56:57:3d:71:d2:55:b0:68:e7:f6:ee:53:3c:6a:5f:21:01:3b:8f:d5 (sha1)
  fe:4d:56:cd:6c:9c:34:5b:b8:cf:0d:bd:15:d1:87:15 (md5)
CA certificate for profile Ubuntu01 loaded successfully

4. Generate the SRX's private key:
root@SRX210_A> request security pki generate-key-pair type rsa size 2048 certificate-id SRX210_key_01
node0:
--------------------------------------------------------------------------
Generated key pair SRX210_key_01, key size 2048 bits

5. Generate the Certificate Signing Request (CSR) - no underscores in subject!:
root@SRX210_A>request security pki generate-certificate-request certificate-id SRX210_Key_01 email your.email@domain.com subject "DC=SRX210,CN=SRX210,OU=VPN,O=TestLab,L=Ottawa,ST=Ontario,C=CA"
node0:
--------------------------------------------------------------------------
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
MIIC8jCCAdoCAQAweTEWMBQGCgmSJomT8ixkARkWBlNSWDIxMDEPMA0GA1UEAxMG
--------------------------SNIP FOR BREVITY------------------------------------
VwHvUcODc9OBKzYZzxUSDc8ICOkSNtW89WT7YYkBotdmCNbDZ74=
-----END CERTIFICATE REQUEST-----
Fingerprint:
48:1e:f5:a1:da:62:00:10:d9:66:62:3f:20:db:32:fe:5d:37:c8:41 (sha1)
01:5c:ca:b9:25:ad:1a:f0:c0:ae:16:fb:5a:47:dc:43 (md5)

6. Transfer (copy/paste) CSR to CA and verify:
root@Ubuntu01:/etc/ssl/testCa# openssl req -noout -text -in SRX210_key_01.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: DC=SRX210, CN=SRX210, OU=VPN, O=TestLab, L=Ottawa, ST=Ontario, C=CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
--------------------------SNIP FOR BREVITY------------------------------------
         cf:08:08:e9:12:36:d5:bc:f5:64:fb:61:89:01:a2:d7:66:08:
         d6:c3:67:be
7. Sign the CSR with the CA (cert is placed in certs/ and index.txt will be updated):
root@Ubuntu01:/etc/ssl/testCa# openssl ca -verbose -in SRX210_key_01.csr -out certs/SRX_210.pem -cert cacert.pem -extfile x509ext.txt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/testCa/private/cakey.pem:
     --------------------------SNIP FOR BREVITY------------------------------------
Certificate is to be certified until Dec  5 02:26:27 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
writing new certificates
writing /etc/ssl/testCa/newcerts/01.pem
Data Base Updated


root@Ubuntu01:/etc/ssl/testCa# cat index.txt ; ls -lh certs/
V       141205022627Z           01      unknown /C=CA/ST=Ontario/O=TestLab/OU=VPN/CN=SRX210
total 8.0K
-rw-r--r-- 1 root root 5.2K Dec  4 21:26 SRX_210.pem
8. Finally, transfer the signed SRX Certificate back to the SRX and import it:
root@SRX210_A> request security pki local-certificate load certificate-id SRX210_key_01 filename ~/SRX210.pem
node0:
--------------------------------------------------------------------------

Local certificate loaded successfully

root@SRX210_A> request security pki local-certificate verify certificate-id SRX210_key_01
node0:
--------------------------------------------------------------------------
Local certificate SRX210_key_01 verification success

You'll obviously have to rinse/repeat for each SRX you have in your lab. In Part 03 we'll explore actually using these certificates!

Juniper SRX - PKI - Certificate-based VPNs - Part 01 - Create your own Certificate Authority with Linux

Hi Everyone,

I was having issues getting a fully functional lab setup with PKI to use for testing Cert-based VPN's. I've pieced the following (functional!) steps together from multiple blogs and official OpenSSL documentation. Hopefully you'll find it useful during your studies.

1. Prepare the Server - Make sure to modify the email address field
mkdir -p testCa/{certs,private,newcerts} ; cd testCa/ ; touch index.txt ; echo "01" > serial
echo "subjectAltName=email:your_email_address_here" > x509ext.txt
2. Modify configuration file (/usr/lib/ssl/openssl.cnf) to use our testCA directory, and reduce the "strictness" when signing certificates (or use the one I've hosted here).
[ CA_default ]
dir             = /etc/ssl/testCa       # Where everything is kept

# For the CA policy
[ policy_match ]
stateOrProvinceName = supplied
organizationName = supplied

3. Generate the CA's Private Key (Password Required)
openssl genrsa -des3 -out private/cakey.pem 4096

root@Ubuntu01:/etc/ssl/testCa# openssl genrsa -des3 -out private/cakey.pem 4096
Generating RSA private key, 4096 bit long modulus
..........................++
............................................................++
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem:
Verifying - Enter pass phrase for private/cakey.pem:

4. Create the CA's Root Certificate (lasts for 5 years) - Fill in your correct details as required - Do not use underscores as they are not ANS.1 compliant
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1825 -set_serial 0

root@Ubuntu01:/etc/ssl/testCa# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1825 -set_serial 0
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Ottawa
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []: