OpenSSL CA-signed certificate-based IPsec VPN between two Juniper SRX devices
In this lab, I will build an IPsec VPN between two Juniper SRX devices, authenticated with certificates signed by an OpenSSL certificate authority, without using certificate enrollment.
Based on config and information from official Juniper repositories:
J Series / SRX Series IPSec VPN with PKI Certificates Primer
http://kb.juniper.net/kb/documents/public/junos/jsrx/JSeries_SRXSeries_IPSecVPN_with_PKI_Certificates_Primer_v13.pdf
How to generate a PKCS10 certificate request on a J Series or SRX Series device
http://kb.juniper.net/InfoCenter/index?page=content&id=KB10175&cat=DIGITAL_CERTIFICATES&actp=LIST
How to load a PKI x.509 certificate on a J Series or SRX Series device
http://kb.juniper.net/InfoCenter/index?page=content&id=KB10176&cat=AUTHENTICATION&actp=LIST&smlogin=true
The devices are named daniel and cameron:
Code:
root@daniel> show version
Hostname: daniel
Model: srx100h
JUNOS Software Release [12.1X44-D10.4]
root@cameron> show version
Hostname: cameron
Model: srx100h
JUNOS Software Release [12.1X44-D10.4]
Before I begin, I will list the main steps that need to be taken:
- create an OpenSSL self-signed Certificate Authority on a Unix server (FreeBSD in my case) and create the CA profile in the Junos config
- import the newly created CA public certificate into the SRX firewalls
- generate a private key and a certificate signing request on each firewall
- sign the certificate requests (CSRs) with the CA's public certificate and private key
- import the signed PEM certificates into Junos
- write the Junos configuration that uses the generated certificate pairs (private keys and signed PEM certificates) and the CA profile to authenticate the peer's certificate
1. Creating the OpenSSL Certificate Authority
Modify /usr/local/openssl/openssl.cnf so that openssl uses the shell's current working directory as the CA directory:
Code:
dir = ./
Create the new CA's directory tree (testCa):
Code:
[root@homeserv /etc/ssl]# mkdir -p testCa/{certs,private,newcerts}
[root@homeserv /etc/ssl]# cd testCa/
Generate the new CA certificate and private key (a pass phrase is mandatory):
Code:
[root@homeserv /etc/ssl/testCa]# openssl req -new -x509 -days 3650 -keyout private/cakey.pem -out cacert.pem -config /usr/local/openssl/openssl.cnf
Generating a 1024 bit RSA private key
.++++++
.....++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [RO]:
State or Province Name (full name) [Bucharest]:
Locality Name (eg, city) [Bucharest]:
Organization Name (eg, company) [Ivorde]:
Organizational Unit Name (eg, section) [IvordeCA]:
Common Name (eg, YOUR name) []:Andrei
andrei@ivorde.ro []:
Create the starting serial number and an empty certificate index file:
Code:
echo 1000 >serial; touch index.txt
We are done generating our self-signed OpenSSL certificate authority.
2. Import the certificate authority's public certificate into the SRX firewalls.
First, create the CA profile in the configuration on both firewalls:
Code:
# show security pki | display set
set security pki ca-profile CA_FR ca-identity asdf
set security pki ca-profile CA_FR revocation-check disable
Next, on each firewall, create a file named cacert.pem and paste into it the contents of the file from the CA Unix server:
Code:
[root@homeserv /etc/ssl/testCa]# cat cacert.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Code:
root@daniel% vi cacert.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
~
~
Both firewalls now need to import this public CA certificate into the CA profile created earlier:
Code:
root@daniel> request security pki ca-certificate load ca-profile CA_FR filename /root/cacert.pem
Fingerprint:
1b:d9:1d:2f:ca:02:40:d2:98:d9:d1:d6:0b:c6:5e:eb:c9:a6:b6:4e (sha1)
2d:4b:c1:3a:64:9e:ce:4a:09:a9:4e:2e:8a:80:97:00 (md5)
Do you want to load this CA certificate ? [yes,no] (no) yes
CA certificate for profile CA_FR loaded successfully
3. Generating the device private keys and certificate signing requests on the SRX firewalls
Generating the private keys:
Code:
root@daniel> request security pki generate-key-pair type rsa size 1024 certificate-id key1
Generated key pair key1, key size 1024 bits
root@cameron> request security pki generate-key-pair type rsa size 1024 certificate-id key1
Generated key pair key1, key size 1024 bits
Generating the CSRs:
Code:
root@daniel> request security pki generate-certificate-request certificate-id key1 subject "DC=daniel.ivorde.ro,CN=daniel.ivorde.ro,OU=Ivorde-VPN,O=Ivorde,L=Test-DC,ST=Bucharest,C=RO" email andrei@vps.ivorde.ro
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----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=
-----END CERTIFICATE REQUEST-----
Fingerprint:
97:74:ac:02:6d:37:bd:a3:0d:3c:3f:45:b7:98:e6:48:df:a6:41:24 (sha1)
b8:bf:d1:53:20:db:92:94:c0:97:88:14:01:ca:8a:e6 (md5)
root@cameron> request security pki generate-certificate-request certificate-id key1 subject "DC=cameron.ivorde.ro,CN=cameron.ivorde.ro,OU=Ivorde-VPN,O=Ivorde,L=Test-DC,ST=Bucharest,C=RO" email andrei@vps.ivorde.ro
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
Fingerprint:
fa:64:f7:af:e8:77:a0:1a:51:4d:82:74:8e:be:c1:7e:8e:a2:0a:eb (sha1)
99:f9:02:98:10:02:f9:cf:a0:c9:48:70:c1:db:45:46 (md5)
4. Now that we have the signing requests, we paste their contents (including the -----BEGIN and -----END lines) onto the Unix box holding the certificate authority and sign them, adding the X.509 subjectAlternativeName (subjectAltName) extension.
Let's check the CSRs first:
Code:
[root@homeserv /etc/ssl/testCa]# ls -la *csr
-rw-r--r-- 1 root wheel 790 Feb 20 11:59 cameron.csr
-rw-r--r-- 1 root wheel 785 Feb 20 11:59 daniel.csr
[root@homeserv /etc/ssl/testCa]# openssl req -noout -text -in daniel.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: DC=daniel.ivorde.ro, CN=daniel.ivorde.ro, OU=Ivorde-VPN, O=Ivorde, L=Test-DC, ST=Bucharest, C=RO
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:da:2e:f6:c5:c8:25:e5:2f:7d:39:81:81:e4:aa:
27:c1:c6:34:af:fe:30:1d:aa:1f:ed:42:59:da:0c:
35:87:4f:48:be:8e:f0:6a:4a:ce:d5:0f:d1:2d:67:
42:3e:61:d6:4b:b3:c1:f4:1f:0f:7c:67:10:24:83:
58:26:fc:55:91:19:93:cb:98:2b:41:2b:03:24:11:
7f:22:01:07:83:e1:9b:ff:7d:8e:a0:ea:20:4c:38:
ac:d6:b8:6a:aa:b9:0c:72:b7:94:4e:50:be:97:3d:
47:44:b0:e4:b9:b6:25:c7:6b:8d:61:c7:6f:c5:4a:
e1:31:2b:55:c6:05:ba:87:a1
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
email:"andrei@vps.ivorde.ro"
Signature Algorithm: sha1WithRSAEncryption
5b:cd:19:57:c4:e0:a1:be:42:34:40:d8:7e:65:3e:b6:d7:ba:
5b:f7:c4:2d:99:08:de:e6:7e:8a:22:60:a0:37:79:78:f5:8c:
cf:79:e7:79:a9:f1:94:2f:6c:17:50:56:97:b0:2b:4d:25:41:
ce:90:de:44:bc:17:4c:f9:a9:e9:f7:48:ea:b5:42:47:08:98:
d9:12:a7:a3:2e:12:51:58:cf:14:3a:af:ae:c5:7a:58:da:e1:
5a:60:f9:4a:60:2e:c1:c8:19:f0:46:59:3d:4e:01:fb:2d:55:
9b:b3:74:1e:ad:9d:a1:82:a7:19:9b:f2:66:ba:23:6d:9a:51:
8c:c2
For OpenSSL to add the subjectAltName, it needs an extension file that looks like this:
Code:
[root@homeserv /etc/ssl/testCa]# cat x509ext.txt
subjectAltName=email:andrei@vpn.ivorde.ro
Signing the certificate requests with the CA's private key (the pass phrase is needed):
Code:
[root@homeserv /etc/ssl/testCa]# openssl ca -verbose -in cameron.csr -out certs/cameron.pem -keyfile private/cakey.pem -cert cacert.pem -extfile x509ext.txt
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for private/cakey.pem:
V 140219193809Z 1000 unknown /C=RO/ST=Bucharest/O=Ivorde/OU=asdf/CN=asdf
V 140219194334Z 1001 unknown /C=RO/ST=Bucharest/O=Ivorde/OU=asdf/CN=cameron
2 entries loaded from the database
generating index
Successfully loaded extensions file x509ext.txt
message digest is sha1
policy is policy_match
next serial number is 1002
Certificate Request:
Data:
Version: 0 (0x0)
Subject: DC=cameron.ivorde.ro, CN=cameron.ivorde.ro, OU=Ivorde-VPN, O=Ivorde, L=Test-DC, ST=Bucharest, C=RO
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c9:f7:44:7d:74:b3:4c:b7:a2:f3:4f:27:b9:6b:
54:5f:7c:69:1c:b3:aa:33:54:de:34:22:de:5f:c8:
ba:f3:03:a6:7e:5b:d4:fa:a9:f3:cd:0b:00:46:b7:
13:f0:7f:f4:47:c7:47:d5:d8:e5:d9:09:a9:2a:79:
a6:88:e3:c6:8c:e8:bf:83:4b:5f:af:84:0f:29:fd:
2b:e0:48:e0:e5:b7:be:b6:77:77:2e:09:30:9c:59:
d8:73:4a:1f:f9:42:4e:e7:7d:b4:c3:05:56:76:34:
4f:ed:2d:bb:2a:7d:8b:02:ba:ca:be:7e:3a:0e:dd:
36:e7:de:c8:a0:a1:d9:19:d9
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
email:"andrei@vps.ivorde.ro"
Signature Algorithm: sha1WithRSAEncryption
11:4a:e8:de:f8:99:a0:b3:77:7e:63:3d:93:5d:a9:ff:4e:1c:
83:10:04:a7:72:36:6b:a1:c9:e9:ec:0e:e4:52:17:a2:e7:55:
88:64:f4:ea:7c:8a:bd:4a:19:ba:aa:84:62:93:8f:41:6b:65:
6a:b1:7e:f3:05:e8:3c:db:88:0a:44:cd:ec:8e:98:ef:48:85:
73:c1:da:68:d2:40:a6:cc:b4:56:f6:db:d8:42:ba:ab:d8:fe:
91:db:6a:18:7b:c4:33:05:3f:c6:cc:1b:a7:ce:e4:a5:72:b8:
aa:6a:3d:43:6a:e4:5b:0d:d0:52:04:fd:3e:ff:d6:47:d6:ea:
6b:e9
Check that the request matches the signature
Signature ok
The subject name appears to be ok, checking data base for clashes
Everything appears to be ok, creating and signing the certificate
Extra configuration file found
Successfully added extensions from file.
Certificate Details:
Serial Number: 4098 (0x1002)
Validity
Not Before: Feb 20 12:00:59 2013 GMT
Not After : Feb 20 12:00:59 2014 GMT
Subject:
countryName = RO
stateOrProvinceName = Bucharest
organizationName = Ivorde
organizationalUnitName = Ivorde-VPN
commonName = cameron.ivorde.ro
X509v3 extensions:
X509v3 Subject Alternative Name:
email:andrei@vpn.ivorde.ro
Certificate is to be certified until Feb 20 12:00:59 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
writing new certificates
writing /etc/ssl/ivordeCA/newcerts/1002.pem
Data Base Updated
[root@homeserv /etc/ssl/testCa]# openssl ca -verbose -in daniel.csr -out certs/daniel.pem -keyfile private/cakey.pem -cert cacert.pem -extfile x509ext.txt
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for private/cakey.pem:
V 140219193809Z 1000 unknown /C=RO/ST=Bucharest/O=Ivorde/OU=asdf/CN=asdf
V 140219194334Z 1001 unknown /C=RO/ST=Bucharest/O=Ivorde/OU=asdf/CN=cameron
V 140220120059Z 1002 unknown /C=RO/ST=Bucharest/O=Ivorde/OU=Ivorde-VPN/CN=cameron.ivorde.ro
3 entries loaded from the database
generating index
Successfully loaded extensions file x509ext.txt
message digest is sha1
policy is policy_match
next serial number is 1003
Certificate Request:
Data:
Version: 0 (0x0)
Subject: DC=daniel.ivorde.ro, CN=daniel.ivorde.ro, OU=Ivorde-VPN, O=Ivorde, L=Test-DC, ST=Bucharest, C=RO
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:da:2e:f6:c5:c8:25:e5:2f:7d:39:81:81:e4:aa:
27:c1:c6:34:af:fe:30:1d:aa:1f:ed:42:59:da:0c:
35:87:4f:48:be:8e:f0:6a:4a:ce:d5:0f:d1:2d:67:
42:3e:61:d6:4b:b3:c1:f4:1f:0f:7c:67:10:24:83:
58:26:fc:55:91:19:93:cb:98:2b:41:2b:03:24:11:
7f:22:01:07:83:e1:9b:ff:7d:8e:a0:ea:20:4c:38:
ac:d6:b8:6a:aa:b9:0c:72:b7:94:4e:50:be:97:3d:
47:44:b0:e4:b9:b6:25:c7:6b:8d:61:c7:6f:c5:4a:
e1:31:2b:55:c6:05:ba:87:a1
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
email:"andrei@vps.ivorde.ro"
Signature Algorithm: sha1WithRSAEncryption
5b:cd:19:57:c4:e0:a1:be:42:34:40:d8:7e:65:3e:b6:d7:ba:
5b:f7:c4:2d:99:08:de:e6:7e:8a:22:60:a0:37:79:78:f5:8c:
cf:79:e7:79:a9:f1:94:2f:6c:17:50:56:97:b0:2b:4d:25:41:
ce:90:de:44:bc:17:4c:f9:a9:e9:f7:48:ea:b5:42:47:08:98:
d9:12:a7:a3:2e:12:51:58:cf:14:3a:af:ae:c5:7a:58:da:e1:
5a:60:f9:4a:60:2e:c1:c8:19:f0:46:59:3d:4e:01:fb:2d:55:
9b:b3:74:1e:ad:9d:a1:82:a7:19:9b:f2:66:ba:23:6d:9a:51:
8c:c2
Check that the request matches the signature
Signature ok
The subject name appears to be ok, checking data base for clashes
Everything appears to be ok, creating and signing the certificate
Extra configuration file found
Successfully added extensions from file.
Certificate Details:
Serial Number: 4099 (0x1003)
Validity
Not Before: Feb 20 12:01:39 2013 GMT
Not After : Feb 20 12:01:39 2014 GMT
Subject:
countryName = RO
stateOrProvinceName = Bucharest
organizationName = Ivorde
organizationalUnitName = Ivorde-VPN
commonName = daniel.ivorde.ro
X509v3 extensions:
X509v3 Subject Alternative Name:
email:andrei@vpn.ivorde.ro
Certificate is to be certified until Feb 20 12:01:39 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
writing new certificates
writing /etc/ssl/ivordeCA/newcerts/1003.pem
Data Base Updated
Now that we have two certificates in our ./certs directory, we can see that the certificate index file was updated, as was the serial file:
Code:
[root@homeserv /etc/ssl/testCa]# cat serial index.txt
1004
V 140219193809Z 1000 unknown /C=RO/ST=Bucharest/O=Ivorde/OU=asdf/CN=asdf
V 140219194334Z 1001 unknown /C=RO/ST=Bucharest/O=Ivorde/OU=asdf/CN=cameron
V 140220120059Z 1002 unknown /C=RO/ST=Bucharest/O=Ivorde/OU=Ivorde-VPN/CN=cameron.ivorde.ro
V 140220120139Z 1003 unknown /C=RO/ST=Bucharest/O=Ivorde/OU=Ivorde-VPN/CN=daniel.ivorde.ro
Let's take a look at one of the certificates:
Code:
[root@homeserv /etc/ssl/testCa]# openssl x509 -noout -text -in certs/daniel.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4099 (0x1003)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=RO, ST=Bucharest, L=Bucharest, O=Ivorde, OU=IvordeCA, CN=Andrei
Validity
Not Before: Feb 20 12:01:39 2013 GMT
Not After : Feb 20 12:01:39 2014 GMT
Subject: C=RO, ST=Bucharest, O=Ivorde, OU=Ivorde-VPN, CN=daniel.ivorde.ro
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:da:2e:f6:c5:c8:25:e5:2f:7d:39:81:81:e4:aa:
27:c1:c6:34:af:fe:30:1d:aa:1f:ed:42:59:da:0c:
35:87:4f:48:be:8e:f0:6a:4a:ce:d5:0f:d1:2d:67:
42:3e:61:d6:4b:b3:c1:f4:1f:0f:7c:67:10:24:83:
58:26:fc:55:91:19:93:cb:98:2b:41:2b:03:24:11:
7f:22:01:07:83:e1:9b:ff:7d:8e:a0:ea:20:4c:38:
ac:d6:b8:6a:aa:b9:0c:72:b7:94:4e:50:be:97:3d:
47:44:b0:e4:b9:b6:25:c7:6b:8d:61:c7:6f:c5:4a:
e1:31:2b:55:c6:05:ba:87:a1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
email:andrei@vpn.ivorde.ro
Signature Algorithm: sha1WithRSAEncryption
34:9e:ac:8c:1e:af:e8:3e:53:97:3f:a3:ba:cf:28:de:10:53:
02:29:4e:e0:b6:d1:69:11:ee:14:83:f4:76:c6:a9:ae:39:87:
5b:4c:1f:ec:09:04:53:6f:06:84:b5:02:45:5f:a7:34:84:27:
4f:27:52:26:a8:57:03:42:7e:8b:ee:2b:4f:07:c0:2b:db:7e:
33:15:1f:2e:04:d0:bc:b8:50:18:1e:fb:79:93:e6:25:66:f1:
75:1e:62:8b:fa:71:82:0e:32:5c:0b:4d:77:0b:1f:5a:7c:a3:
54:30:32:cb:17:42:b2:bf:04:10:6b:58:5a:51:fd:1e:4f:b0:
9e:a3
Ok
[root@homeserv /etc/ssl/testCa]# cat certs/daniel.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4099 (0x1003)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=RO, ST=Bucharest, L=Bucharest, O=Ivorde, OU=IvordeCA, CN=Andrei
Validity
Not Before: Feb 20 12:01:39 2013 GMT
Not After : Feb 20 12:01:39 2014 GMT
Subject: C=RO, ST=Bucharest, O=Ivorde, OU=Ivorde-VPN, CN=daniel.ivorde.ro
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:da:2e:f6:c5:c8:25:e5:2f:7d:39:81:81:e4:aa:
27:c1:c6:34:af:fe:30:1d:aa:1f:ed:42:59:da:0c:
35:87:4f:48:be:8e:f0:6a:4a:ce:d5:0f:d1:2d:67:
42:3e:61:d6:4b:b3:c1:f4:1f:0f:7c:67:10:24:83:
58:26:fc:55:91:19:93:cb:98:2b:41:2b:03:24:11:
7f:22:01:07:83:e1:9b:ff:7d:8e:a0:ea:20:4c:38:
ac:d6:b8:6a:aa:b9:0c:72:b7:94:4e:50:be:97:3d:
47:44:b0:e4:b9:b6:25:c7:6b:8d:61:c7:6f:c5:4a:
e1:31:2b:55:c6:05:ba:87:a1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
email:andrei@vpn.ivorde.ro
Signature Algorithm: sha1WithRSAEncryption
34:9e:ac:8c:1e:af:e8:3e:53:97:3f:a3:ba:cf:28:de:10:53:
02:29:4e:e0:b6:d1:69:11:ee:14:83:f4:76:c6:a9:ae:39:87:
5b:4c:1f:ec:09:04:53:6f:06:84:b5:02:45:5f:a7:34:84:27:
4f:27:52:26:a8:57:03:42:7e:8b:ee:2b:4f:07:c0:2b:db:7e:
33:15:1f:2e:04:d0:bc:b8:50:18:1e:fb:79:93:e6:25:66:f1:
75:1e:62:8b:fa:71:82:0e:32:5c:0b:4d:77:0b:1f:5a:7c:a3:
54:30:32:cb:17:42:b2:bf:04:10:6b:58:5a:51:fd:1e:4f:b0:
9e:a3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
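As an added example (not part of the original post and not Juniper's or OpenSSL's own code), the script below reproduces the OpenSSL side of steps 1 and 4 end to end and adds the checks worth running before pasting anything into Junos. It assumes openssl 1.1.1 or later on PATH, writes its own openssl.cnf with the post's `dir = ./` layout instead of editing the system file, uses 2048-bit keys and sha256 where the post uses 1024-bit keys and sha1, supplies pass phrases on the command line only so it runs unattended, and stands in for the SRX's `generate-key-pair` / `generate-certificate-request` with openssl so it runs without a device. The point it demonstrates is the one visible in the output above: the CSRs requested `andrei@vps.ivorde.ro`, but `openssl ca` does not copy the CSR's extensions, so the extfile's `andrei@vpn.ivorde.ro` is what lands in the issued certificate, and that is the value the IKE `user-at-hostname` identities in step 6 have to match.

```shell
#!/bin/sh
# Added example: throwaway OpenSSL CA with the post's layout (dir = ./, certs/,
# private/, newcerts/, serial, index.txt), a simulated device CSR, signing with a
# subjectAltName extfile, and the pre-import checks. Not the post's own script.
set -eu

CA_PASS="demo-ca-passphrase"   # constructed; the post prompts interactively

# Step 1: directory tree, private openssl.cnf and the self-signed CA certificate.
# $1 = CA directory to create.
make_ca() {
  ca=$1
  mkdir -p "$ca/certs" "$ca/private" "$ca/newcerts"
  echo 1000 >"$ca/serial"          # same starting serial as the post
  : >"$ca/index.txt"
  cat >"$ca/openssl.cnf" <<'EOF'
[ ca ]
default_ca      = testCa

[ testCa ]
dir             = ./
certs           = $dir/certs
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
private_key     = $dir/private/cakey.pem
certificate     = $dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_match

# The policy the post's signing run reports ("policy is policy_match"): C, ST and
# O must match the CA, CN must be present; unlisted RDNs (DC, L) are dropped.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  ( cd "$ca" && openssl req -new -x509 -days 3650 -newkey rsa:2048 \
      -config openssl.cnf -passout "pass:$CA_PASS" \
      -keyout private/cakey.pem -out cacert.pem \
      -subj "/C=RO/ST=Bucharest/O=Ivorde/OU=IvordeCA/CN=Test CA" >/dev/null 2>&1 )
}

# Stand-in for the SRX key pair + CSR (step 3), with the subject order the SRX
# used. $1 = CA dir, $2 = hostname (CN), $3 = e-mail the CSR *requests* as SAN.
make_device_csr() {
  ca=$1; host=$2; req_email=$3
  openssl req -new -newkey rsa:2048 -nodes -keyout "$ca/private/$host.key" \
    -out "$ca/$host.csr" -config "$ca/openssl.cnf" \
    -subj "/DC=$host/CN=$host/OU=Ivorde-VPN/O=Ivorde/L=Test-DC/ST=Bucharest/C=RO" \
    -addext "subjectAltName=email:$req_email" >/dev/null 2>&1
}

# Step 4: sign with openssl ca and an extfile, run from inside the CA dir
# because dir = ./. $1 = CA dir, $2 = hostname, $3 = e-mail to issue as SAN.
sign_csr() {
  ca=$1; host=$2; email=$3
  printf 'subjectAltName=email:%s\n' "$email" >"$ca/x509ext.txt"
  ( cd "$ca" && openssl ca -batch -notext -config openssl.cnf \
      -passin "pass:$CA_PASS" -keyfile private/cakey.pem -cert cacert.pem \
      -in "$host.csr" -out "certs/$host.pem" -extfile x509ext.txt >/dev/null 2>&1 )
}

# E-mail in the issued certificate's SAN: what Junos compares with the
# remote-identity user-at-hostname value. $1 = certificate file.
san_email() {
  openssl x509 -noout -text -in "$1" | grep -o 'email:[^,[:space:]]*' \
    | head -n1 | sed 's/^email://'
}

# Same question "request security pki local-certificate verify" answers:
# does the certificate chain to the CA loaded into the ca-profile?
chains_to_ca() {   # $1 = CA dir, $2 = certificate file
  openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# The certificate must belong to the key the device generated (certificate-id
# key1), otherwise the load succeeds but IKE authentication fails.
pubkey_matches() {   # $1 = private key, $2 = certificate file
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

demo() {
  ca=$1
  make_ca "$ca"
  make_device_csr "$ca" daniel.ivorde.ro andrei@vps.ivorde.ro
  sign_csr "$ca" daniel.ivorde.ro andrei@vpn.ivorde.ro
  cert="$ca/certs/daniel.ivorde.ro.pem"
  echo "issued SAN e-mail: $(san_email "$cert")"   # vpn., not the vps. the CSR asked for
  chains_to_ca "$ca" "$cert" && echo "chains to CA: yes"
  pubkey_matches "$ca/private/daniel.ivorde.ro.key" "$cert" && echo "key matches: yes"
  echo "next serial: $(cat "$ca/serial")"
}
demo "$(mktemp -d)"
```

`-notext` is used so that `certs/<host>.pem` holds only the PEM block; the post's files also carry the human-readable dump in front of it, which is why `cat certs/daniel.pem` above shows both. The policy section explains the shorter subject of the issued certificates compared with the CSRs: DC and L are not in `policy_match`, so `openssl ca` drops them.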
5. It is time to import the public certificates signed by our test CA into the SRX firewalls.
On each node, create a file named <hostname>.pem and paste into it the contents of the corresponding PEM file from the CA server.
Code:
root@daniel% vi daniel.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
~
~
~
~
~
~
~
~
Importing and verifying the public certificate that corresponds to the key1 private key:
Code:
root@daniel> request security pki local-certificate load certificate-id key1 filename /root/daniel.pem
Local certificate loaded successfully
root@daniel> request security pki local-certificate verify certificate-id key1
Local certificate key1 verification success
6. Configuring the IKE proposal/policy/gateway and the IPsec proposal/policy/VPN in Junos on the SRX. Below is my config.
Code:
root@daniel> show configuration security ike
proposal cert-vpn-ike-prop {
authentication-method rsa-signatures;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 86400;
}
policy cert-vpn-pol {
mode main;
proposals cert-vpn-ike-prop;
certificate {
local-certificate key1;
peer-certificate-type x509-signature;
}
}
gateway cert-vpn-gw {
ike-policy cert-vpn-pol;
address 10.1.1.54;
local-identity user-at-hostname "andrei@vpn.ivorde.ro";
remote-identity user-at-hostname "andrei@vpn.ivorde.ro";
external-interface vlan.10;
}
root@cameron> show configuration security ike
proposal cert-vpn-ike-prop {
authentication-method rsa-signatures;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 86400;
}
policy cert-vpn-pol {
mode main;
proposals cert-vpn-ike-prop;
certificate {
local-certificate key1;
peer-certificate-type x509-signature;
}
}
gateway cert-vpn-gw {
ike-policy cert-vpn-pol;
address 10.1.1.53;
local-identity user-at-hostname "andrei@vpn.ivorde.ro";
remote-identity user-at-hostname "andrei@vpn.ivorde.ro";
external-interface vlan.10;
}
root@daniel> show configuration security ipsec
proposal cert-vpn-prop {
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 36000;
}
policy cert-vpn-pol {
perfect-forward-secrecy {
keys group2;
}
proposals cert-vpn-prop;
}
vpn cert-vpn {
bind-interface st0.200;
ike {
gateway cert-vpn-gw;
ipsec-policy cert-vpn-pol;
}
establish-tunnels immediately;
}
root@cameron> show configuration security ipsec
proposal cert-vpn-prop {
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 36000;
}
policy cert-vpn-pol {
perfect-forward-secrecy {
keys group2;
}
proposals cert-vpn-prop;
}
vpn cert-vpn {
bind-interface st0.200;
ike {
gateway cert-vpn-gw;
ipsec-policy cert-vpn-pol;
}
establish-tunnels immediately;
}
7. Checking that the IPsec tunnels come up
Code:
root@cameron> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
5615382 UP f4bb13f4d68e16f2 80710b5239d85e4e Main 10.1.1.53
root@cameron> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 438d37f2 35896/unlim - root 500 10.1.1.53
>131073 ESP:3des/sha1 d1ca3c4d 35896/unlim - root 500 10.1.1.53
root@cameron> show security ike security-associations detail
IKE peer 10.1.1.53, Index 5615382, Gateway Name: cert-vpn-gw
Role: Responder, State: UP
Initiator cookie: f4bb13f4d68e16f2, Responder cookie: 80710b5239d85e4e
Exchange type: Main, Authentication method: RSA-signatures
Local: 10.1.1.54:500, Remote: 10.1.1.53:500
Lifetime: Expires in 86267 seconds
Peer ike-id: andrei@vpn.ivorde.ro
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : 3des-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-2
Traffic statistics:
Input bytes : 2273
Output bytes : 2061
Input packets: 8
Output packets: 5
Flags: IKE SA is created
IPSec security associations: 2 created, 1 deleted
Phase 2 negotiations in progress: 0
Negotiation type: Quick mode, Role: Responder, Message ID: 0
Local: 10.1.1.54:500, Remote: 10.1.1.53:500
Local identity: andrei@vpn.ivorde.ro
Remote identity: andrei@vpn.ivorde.ro
Flags: IKE SA is created
root@cameron> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: cert-vpn
Local Gateway: 10.1.1.54, Remote Gateway: 10.1.1.53
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear
Bind-interface: st0.200
Port: 500, Nego#: 8, Fail#: 0, Def-Del#: 0 Flag: 600a29
Tunnel Down Reason: Delete payload received
Direction: inbound, SPI: 438d37f2, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 35889 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 35326 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: d1ca3c4d, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 35889 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 35326 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
One more important thing to do in order to force the tunnels to come up (as I noticed in my setup) is to assign the tunnel interface to a security zone:
Code:
root@cameron# set security zones security-zone dmz-zone interfaces st0.200
root@cameron# commit and-quit
Do not copy and paste these commands into your configuration!