Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

FAQ
It is currently Sat Aug 19, 2017 2:44 am


Author Message
mandrei99
Post  Post subject: error: error load certid<test> when attempting to import signed certificate in Juniper SRX Firewall  |  Posted: Fri Dec 12, 2014 10:21 am

Joined: Tue Aug 04, 2009 9:16 am
Posts: 245

Offline
 

error: error load certid<test> when attempting to import signed certificate in Juniper SRX Firewall

Code:
request security pki local-certificate load filename /var/tmp/cert.crt key /var/tmp/priv.key certificate-id test               
error: error load certid<test>


99% of the cases when this error appears in Juniper SRX firewall is when the user attempts to load a public/signed certificate generated with a different private key than the one that SRX is aware of.

In many of these cases, users generate private key on the SRX, then they copy another key file generated on an external system overwriting existing one and they start "playing" in production. This is wrong approach because when a key pair is generated by Junos on the SRX, it is cached in the PKI daemon. On top of this, the key pair generated by the firewall has an extra header when it is written to disk containing a hash.

If this is overwritten, old key will still be in memory and the user tries to load a signed/local certificate generated with the key that was copied to /var/db/certs/common/key-pair/ directory and the above error will be displayed. If the srx is restarted, another error will appear.

Use the guide [url]http://forum.ivorde.ro/pki-how-to-import-openssl-private-key-and-public-certificate-in-juniper-srx-t19301.html[/url to do this properly by importing an externally generated private key into the SRX instead of "scp" method.





Top
Display posts from previous:  Sort by  
E-mail friendPrint view

Topics related to - "error: error load certid<test> when attempting to import signed certificate in Juniper SRX Firewall"
 Topics   Author   Replies   Views   Last post 
There are no new unread posts for this topic. error: Failed to encode the certificate request in PKCS-10 format - Juniper SRX PKI error

mandrei99

0

1011

Fri Dec 12, 2014 10:32 am

mandrei99 View the latest post

There are no new unread posts for this topic. PKI: How to import OpenSSL private key and public certificate in Juniper SRX

mandrei99

0

25655

Fri Dec 12, 2014 10:07 am

mandrei99 View the latest post

There are no new unread posts for this topic. OpenSSL CA signed certificates based Ipsec VPN between Two Juniper SRX devices

debuser

2

6563

Thu Jun 27, 2013 10:40 am

mandrei99 View the latest post

There are no new unread posts for this topic. Juniper SRX Hub-and-Spoke IPSEC VPN \w HUB behind NAT.

mandrei99

0

1231

Tue Oct 29, 2013 11:25 am

mandrei99 View the latest post

There are no new unread posts for this topic. Juniper SRX MTU / MSS / Fragmentation problems with Ipsec vpn tunnel

debuser

2

16254

Mon Jul 08, 2013 5:54 am

Tears View the latest post

There are no new unread posts for this topic. Juniper SRX: Main mode for dynamic peer with Preshared key based authentication is not allowed

mandrei99

0

1454

Fri Jan 09, 2015 11:41 am

mandrei99 View the latest post

There are no new unread posts for this topic. Juniper SRX 11.4: Bypass IPSEC VPN IKE ID validation for "remote-identity"

mandrei99

0

1925

Thu Oct 31, 2013 5:00 am

mandrei99 View the latest post

There are no new unread posts for this topic. Attachment(s) Juniper SRX Spoke-to-Spoke IPSEC VPN \w spokes behind NAT.

mandrei99

0

1972

Tue Oct 29, 2013 9:22 am

mandrei99 View the latest post

 

Who is online
Users browsing this forum: No registered users and 0 guests
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum
Jump to:  
News News Site map Site map SitemapIndex SitemapIndex RSS Feed RSS Feed Channel list Channel list


Delete all board cookies | The team | All times are UTC - 5 hours [ DST ]



phpBB SEO