PKI: How to import OpenSSL private key and public certificate in Juniper SRX
One of the uses of an SSL/TLS key/certificate pair is authenticating IPsec peers. How does it work?
Each IPsec VPN endpoint possesses a private key and a public certificate. The public certificate is born from a certificate signing request (referred to as a "CSR" by many people), which is generated with the private key and carries the matching public key (for RSA, the public modulus and exponent).
The steps are:
- using the private key, generate a signing request containing the information that should be signed: the subject, the public key and any requested X.509 extensions
- the CSR is sent to the certificate authority (like Verisign) and the CA signs the above information. The result is the public certificate (signed, usually stored as a .pem or .crt file)
There are a few deviations from this setup, such as self-signed certificates, where the issuer is the same as the certificate subject, and so on.
Besides the private key and signed PEM certificate, each VPN endpoint also holds the public certificate of the certificate authority that signed the other VPN endpoint's certificate, and possibly other CA certificates. Each VPN endpoint sends its own signed certificate to the other end. The other end checks whether the received certificate was signed by any of the CAs it has imported (and, if revocation checking is enabled, that the CA has not revoked it). If that check passes, IKE phase 1 authentication is successful.
Juniper SRX series firewalls can generate their own private key, but importing one generated externally with OpenSSL or another SSL tool requires a hidden command.
Here is how to generate a 2048-bit RSA key and dump its components (note the modulus; it will reappear unchanged in the CSR and in the certificate):
Code:
# openssl genrsa -out priv.key 2048
Generating RSA private key, 2048 bit long modulus
.........................+++
..............+++
e is 65537 (0x10001)
# openssl rsa -in priv.key -noout -text
Private-Key: (2048 bit)
modulus:
00:be:4f:bb:76:7d:37:fa:27:81:d5:08:49:8c:09:
3d:1e:8e:b1:0e:84:e1:86:17:d2:0c:39:bf:e2:7f:
c1:0d:21:48:ee:25:3e:c0:e1:5d:3d:43:3f:39:ac:
06:9a:07:9e:97:b2:4b:1d:6b:0b:d5:2a:e4:ad:66:
48:d2:6d:82:28:a2:5f:96:11:5e:ee:f8:89:66:90:
d5:ca:21:9d:97:58:ed:81:66:49:c5:b6:96:10:7b:
7e:0d:33:e9:da:9b:f3:91:ff:7e:9e:04:2d:3e:99:
f4:4f:21:f1:1e:c0:6c:fa:1d:5b:a9:06:e8:15:b7:
7d:b1:26:fe:23:80:15:06:da:a5:49:00:56:7a:49:
e6:bf:e0:d1:0d:49:5e:77:22:2b:6c:4b:69:48:7e:
7f:a2:d3:06:db:d8:ab:0d:0c:b6:77:f8:59:a5:18:
15:33:ab:5b:ed:1d:3d:e1:8d:af:66:55:82:62:7b:
df:cb:c1:ac:59:39:98:03:3b:48:94:17:63:c6:b8:
2d:5a:b0:f2:61:bd:a9:52:a6:26:73:39:f3:2b:b7:
ac:13:8a:1f:29:69:f0:9f:21:42:92:de:38:a5:69:
ca:ea:62:3b:67:be:eb:cd:a8:4b:8d:1d:50:a2:7b:
c4:3d:e3:1f:5e:a6:ec:9a:ee:44:f1:4a:99:02:49:
34:77
publicExponent: 65537 (0x10001)
privateExponent:
52:c9:62:76:17:e0:aa:ec:56:b9:32:42:b4:2d:2c:
ae:47:4a:54:53:8f:bb:82:4f:38:4c:42:e1:a7:cb:
76:07:bd:af:02:fa:ba:73:0e:d9:60:90:77:69:12:
f2:1c:50:6c:12:fe:44:0c:d5:f7:e4:11:d8:30:7f:
8b:32:62:05:85:24:e9:a6:22:d2:f7:c0:e5:a2:29:
ae:25:53:65:8c:24:bd:3e:9e:e6:e8:17:7d:92:0a:
f2:79:5b:c8:62:40:e1:88:f0:2e:93:08:8f:8b:ef:
50:21:26:bf:c6:db:61:2e:36:3a:60:2b:c3:8e:af:
99:c9:a9:92:0d:dc:97:be:f3:4c:a5:22:c9:a3:3d:
77:09:0d:77:b3:a3:e0:d5:e5:e9:61:9b:2a:7f:3d:
a9:09:54:7f:d1:ff:03:bf:ef:67:d0:86:a7:78:9c:
a3:f7:f9:02:62:3f:95:e6:e7:c3:54:d4:37:1a:d8:
0f:c0:46:34:ad:32:ee:df:f9:14:d2:73:2f:4a:a7:
30:fe:bb:69:b2:9c:73:b2:30:b4:b2:66:18:c7:7a:
a1:11:69:d5:80:e2:7d:a8:65:3f:ae:11:b5:4c:c2:
8c:a6:3b:3a:1d:03:9d:be:ec:bb:ab:db:97:3e:25:
d8:a1:4a:53:bf:c6:a1:a4:66:ad:31:8d:82:93:2f:
b9
prime1:
00:df:71:20:7f:6f:76:38:71:6f:d7:ad:2c:89:e0:
ed:96:08:30:e4:75:9e:42:33:fb:8a:40:60:12:a2:
ee:39:af:b6:2a:a7:2b:9e:e0:97:9f:f8:7b:b7:3c:
04:df:0e:38:c9:92:fd:ad:f6:3e:08:50:3d:9f:c3:
5a:40:4c:2a:fa:32:43:cd:2d:7a:1f:e2:bf:9e:21:
9c:37:fa:ac:c6:64:d7:74:af:ee:f9:35:0b:4e:60:
c3:b1:a3:07:eb:93:0a:e7:a0:83:fb:94:2f:34:49:
6e:04:11:81:17:3f:7b:41:ca:03:02:09:6b:b9:36:
ca:7e:89:9a:bd:24:89:ab:ed
prime2:
00:da:0a:c4:57:2c:ae:07:46:26:01:fa:e9:4c:d6:
69:65:1d:34:70:26:d7:39:17:e4:65:06:85:8b:a3:
89:05:2f:58:5e:34:ee:31:bb:a3:a6:99:4e:4f:e5:
82:83:5e:66:ce:cf:a9:bc:3f:e2:40:1c:3d:ed:b4:
f0:2e:6d:9f:c7:c0:62:64:e7:2e:ca:72:4b:82:72:
77:af:91:d6:4e:89:e3:db:c1:91:83:95:f8:2d:24:
fd:77:93:e6:a1:aa:5b:02:8f:96:80:d5:f4:f0:04:
b8:9e:41:ad:6a:f4:0d:59:81:ef:b1:d1:d0:46:e8:
bb:87:1a:33:22:74:2f:bd:73
exponent1:
30:e1:6d:ab:93:35:b8:99:50:4f:4d:6a:1d:eb:9f:
ee:1f:72:9a:b8:04:5c:15:45:24:f4:7a:4f:f9:66:
c6:25:e3:63:27:59:0a:93:b5:77:e0:83:28:0d:b0:
3f:1f:bc:5a:94:96:7c:75:0f:13:00:82:ca:ad:90:
d3:da:15:d8:d0:20:37:05:88:de:ea:da:e2:7c:15:
d1:c5:3c:00:d6:d4:af:89:41:6d:31:26:7d:09:fc:
25:a3:35:bb:5a:5a:9b:5b:69:24:23:41:c4:5d:7f:
fc:d1:db:7c:bb:7d:7a:61:f8:10:7d:01:1c:ee:98:
93:e0:04:82:f6:38:4b:ed
exponent2:
57:e9:af:70:56:9b:74:63:5c:3f:c0:23:00:d0:12:
7e:aa:5f:d2:38:56:de:b6:3b:68:60:50:c8:14:8f:
d2:7f:5c:69:df:7d:8a:9f:d5:43:fe:dc:0c:6a:c5:
4c:a2:6b:61:47:69:70:75:71:8b:d7:d7:40:58:8b:
de:ac:64:97:ed:81:be:9d:57:c8:58:7d:09:83:8d:
ae:44:66:dc:13:cc:c3:76:30:6d:95:b2:12:c1:af:
50:df:59:46:25:a1:bc:4e:98:a8:29:9c:30:8a:36:
c5:d8:45:4b:b2:4b:0f:a3:cc:39:2e:17:83:ff:a2:
5c:be:bb:8f:50:b9:4e:f1
coefficient:
41:c1:4d:d3:6d:d0:13:00:4b:6a:a5:87:1e:8c:2a:
9e:be:36:fa:7b:7b:dd:c5:a1:49:e9:1f:5d:99:74:
26:10:7e:bd:da:8f:18:ab:31:6e:b3:e9:39:4e:75:
bb:86:b4:ac:e7:3d:eb:af:97:90:4d:95:f7:33:8e:
61:ed:76:e5:51:cd:06:a5:d2:4d:c6:1c:16:34:7a:
1c:2a:35:4d:a6:01:57:62:6e:fe:79:90:c4:f6:55:
ee:4f:08:a0:e0:07:fe:d3:87:b6:44:79:44:7c:03:
ec:c3:67:4b:0a:ae:92:51:06:c1:24:2a:f9:98:79:
e1:a2:0e:a1:fa:20:45:a2
From the private key, I will generate a signing request. A CSR has no issuer information and no CA signature; the signature at the bottom of the dump is made with the requester's own private key and only proves possession of it:
Code:
# openssl req -new -key priv.key -out cert.csr -subj "/C=RO/ST=Bucharest/L=Bucharest/O=Ivorde/OU=IPSEC/CN=ipsec.ivorde.ro"
# openssl req -in cert.csr -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=RO, ST=Bucharest, L=Bucharest, O=Ivorde, OU=IPSEC, CN=ipsec.ivorde.ro
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:be:4f:bb:76:7d:37:fa:27:81:d5:08:49:8c:09:
3d:1e:8e:b1:0e:84:e1:86:17:d2:0c:39:bf:e2:7f:
c1:0d:21:48:ee:25:3e:c0:e1:5d:3d:43:3f:39:ac:
06:9a:07:9e:97:b2:4b:1d:6b:0b:d5:2a:e4:ad:66:
48:d2:6d:82:28:a2:5f:96:11:5e:ee:f8:89:66:90:
d5:ca:21:9d:97:58:ed:81:66:49:c5:b6:96:10:7b:
7e:0d:33:e9:da:9b:f3:91:ff:7e:9e:04:2d:3e:99:
f4:4f:21:f1:1e:c0:6c:fa:1d:5b:a9:06:e8:15:b7:
7d:b1:26:fe:23:80:15:06:da:a5:49:00:56:7a:49:
e6:bf:e0:d1:0d:49:5e:77:22:2b:6c:4b:69:48:7e:
7f:a2:d3:06:db:d8:ab:0d:0c:b6:77:f8:59:a5:18:
15:33:ab:5b:ed:1d:3d:e1:8d:af:66:55:82:62:7b:
df:cb:c1:ac:59:39:98:03:3b:48:94:17:63:c6:b8:
2d:5a:b0:f2:61:bd:a9:52:a6:26:73:39:f3:2b:b7:
ac:13:8a:1f:29:69:f0:9f:21:42:92:de:38:a5:69:
ca:ea:62:3b:67:be:eb:cd:a8:4b:8d:1d:50:a2:7b:
c4:3d:e3:1f:5e:a6:ec:9a:ee:44:f1:4a:99:02:49:
34:77
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
9a:56:17:84:e0:5d:e4:1a:fd:05:64:a6:e1:5b:6b:ff:dc:77:
50:15:d6:83:55:ae:9d:43:1e:91:43:ce:b2:2d:c2:bf:a6:64:
57:34:4d:62:d8:1c:d3:28:70:01:74:51:c9:c6:0d:7e:3d:b3:
d4:ee:e8:f6:ac:19:e0:a7:e9:1f:9c:15:6a:3b:e4:63:dd:da:
5c:81:42:63:64:ea:b5:8e:a8:e4:aa:8d:40:7a:8b:3a:d6:b5:
df:45:e0:6b:9f:f9:ae:ee:9b:25:8c:4b:2d:32:f7:99:fe:16:
ef:f9:71:86:6b:a4:30:13:1f:a8:0e:7a:d0:1d:52:97:28:79:
70:c2:b2:e7:6f:5c:c8:08:ac:58:f8:59:cb:15:bc:bf:43:57:
31:7a:3d:48:54:20:a1:ab:3f:ae:8c:23:3e:a0:6b:d7:c9:07:
11:0e:42:b4:94:cc:d7:11:73:d1:6d:70:94:d1:81:9e:39:4c:
6d:b1:39:3b:95:06:aa:40:23:ab:4a:67:b7:91:ae:4b:01:af:
07:0f:b7:f2:60:84:e4:f7:1f:d8:f0:03:54:12:fb:62:d0:fa:
26:65:4e:a9:7d:96:16:48:f4:bb:bf:c6:ab:0e:88:f9:c3:ec:
ae:fa:3f:34:4b:cf:99:f7:1d:b3:f9:8b:39:40:48:3d:f5:1e:
04:d4:17:de
As expected, the signing request has no issuer, and its subject public key is the same modulus that appears in the private key above.
Once the CSR is signed by the CA, let's check out the PEM certificate. Note the sha1WithRSAEncryption signature algorithm, which was the OpenSSL default at the time; today pass -sha256 when creating the CSR and when signing, since SHA-1 signatures are rejected by current verifiers:
Code:
# openssl x509 -in cert.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4121 (0x1019)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=RO, ST=Bucharest, L=Bucharest, O=Ivorde, OU=SSL CA, CN=ca.ivorde.ro/emailAddress=andrei@ivorde.ro
Validity
Not Before: Dec 12 13:54:21 2014 GMT
Not After : Dec 12 13:54:21 2015 GMT
Subject: C=RO, ST=Bucharest, O=Ivorde, OU=IPSEC, CN=ipsec.ivorde.ro
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:be:4f:bb:76:7d:37:fa:27:81:d5:08:49:8c:09:
3d:1e:8e:b1:0e:84:e1:86:17:d2:0c:39:bf:e2:7f:
c1:0d:21:48:ee:25:3e:c0:e1:5d:3d:43:3f:39:ac:
06:9a:07:9e:97:b2:4b:1d:6b:0b:d5:2a:e4:ad:66:
48:d2:6d:82:28:a2:5f:96:11:5e:ee:f8:89:66:90:
d5:ca:21:9d:97:58:ed:81:66:49:c5:b6:96:10:7b:
7e:0d:33:e9:da:9b:f3:91:ff:7e:9e:04:2d:3e:99:
f4:4f:21:f1:1e:c0:6c:fa:1d:5b:a9:06:e8:15:b7:
7d:b1:26:fe:23:80:15:06:da:a5:49:00:56:7a:49:
e6:bf:e0:d1:0d:49:5e:77:22:2b:6c:4b:69:48:7e:
7f:a2:d3:06:db:d8:ab:0d:0c:b6:77:f8:59:a5:18:
15:33:ab:5b:ed:1d:3d:e1:8d:af:66:55:82:62:7b:
df:cb:c1:ac:59:39:98:03:3b:48:94:17:63:c6:b8:
2d:5a:b0:f2:61:bd:a9:52:a6:26:73:39:f3:2b:b7:
ac:13:8a:1f:29:69:f0:9f:21:42:92:de:38:a5:69:
ca:ea:62:3b:67:be:eb:cd:a8:4b:8d:1d:50:a2:7b:
c4:3d:e3:1f:5e:a6:ec:9a:ee:44:f1:4a:99:02:49:
34:77
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DirName:/C=UK/O=My Organization/OU=My Unit/CN=My Name, IP Address:3.2.2.2, email:asdfasdf@asdf.com, URI:http://ivorde.ro/
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: sha1WithRSAEncryption
71:6d:06:f8:b6:53:44:5f:ef:ac:b4:8f:34:38:0f:06:58:72:
bc:4c:29:d1:6f:d1:00:f8:69:b7:20:ce:50:19:23:60:96:b3:
c9:fc:54:c8:96:fb:70:f5:9b:a7:13:40:65:54:12:83:8c:c7:
98:22:d9:ee:65:9c:fa:b8:27:8d:6c:1b:27:1c:ef:d8:c0:25:
fa:d5:68:48:93:c3:54:3e:49:64:52:b3:5f:86:e8:34:9e:a5:
9e:c1:7d:5f:45:98:ab:80:86:17:d5:7d:62:c3:9a:a3:3f:08:
fc:2c:fa:21:c8:96:dc:ac:11:ef:d3:7f:c3:29:ce:75:53:e5:
26:2c:67:0f:dc:1c:5c:70:57:9a:df:8c:a3:04:9e:50:5a:b5:
35:06:14:ae:e8:78:71:72:34:6d:9f:e3:bc:1d:4f:55:b1:2e:
b6:f3:9a:c6:f1:17:29:86:97:18:66:77:21:be:47:ff:52:90:
8f:87:2e:34:19:f2:a7:67:70:41:a5:b2:d7:b4:1b:46:a3:be:
82:22:65:ac:e9:14:68:39:49:15:ec:40:d1:09:75:ee:37:9f:
25:59:54:2f:00:36:16:45:01:6d:82:8a:bb:15:91:9b:12:9b:
cd:e2:2a:ea:5b:d3:60:16:c2:6e:18:43:61:e0:e8:9c:69:80:
4a:e1:8b:4b
Here is how to load the pair in the Juniper SRX, after copying both files to /var/tmp. The private key is in clear PEM, so copy it over an encrypted channel (scp) and delete it from /var/tmp once it has been loaded:
Code:
> request security pki local-certificate load filename /var/tmp/cert.crt key /var/tmp/priv.key certificate-id test
Local certificate loaded successfully
> request security pki local-certificate verify certificate-id test
Error: Certificate Authority not found for certificate </C=RO/ST=Bucharest/O=Ivorde/OU=IPSEC/CN=ipsec.ivorde.ro>
At this point, the private key generated externally with OpenSSL and the signed certificate are loaded in the Juniper SRX firewall, but the SRX cannot yet verify the certificate, because it does not hold the certificate of the CA that issued it.
In order for the IKE PKI authentication to work, remember that IPsec endpoint A needs the public certificate of the authority that signed endpoint B's certificate, and vice versa. If both endpoints have certificates signed by the same authority, below is how to import the public certificate of that CA. Two things to keep in mind: "revocation-check disable" turns off CRL checking for this CA profile, so a certificate that the CA has since revoked would still be accepted (it is used here only to keep the example short), and the SRX prints the fingerprints of the CA certificate before loading it, which should be compared against a copy obtained out of band before answering "yes":
Code:
# set security pki ca-profile test ca-identity test
# set security pki ca-profile test revocation-check disable
# commit and-quit
> request security pki ca-certificate load filename /var/tmp/ca.crt ca-profile test
Fingerprint:
5c:6f:2d:4c:4a:f6:8f:93:a6:1b:21:30:9a:95:23:6a:e8:e8:5f:66 (sha1)
63:b6:f8:85:67:27:dd:32:9d:b2:8f:88:94:0c:8f:65 (md5)
Do you want to load this CA certificate ? [yes,no] (no) yes
CA certificate for profile test loaded successfully
Now check the previously loaded signed certificate again, this time with the issuing CA known to the SRX:
Code:
> request security pki local-certificate verify certificate-id test
Local certificate test verification success
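Two pre-flight checks a practitioner would run on the workstation before typing the load commands above, as an added example that is not part of the original post. First, that the private key and certificate handed together to "local-certificate load ... key" really belong to each other: for RSA their moduli must be identical, which is exactly the modulus that the page shows unchanged in the key, the CSR and the certificate. Second, that the fingerprints the SRX prints at the CA prompt are the ones you expect: they are simply SHA-1 and MD5 digests over the DER encoding of the certificate, so they can be recomputed from your own copy. The key and certificate the script generates are throwaway test material, and the fingerprint it compares against is the SHA-1 value from the SRX prompt on this page, which of course will not match a freshly generated certificate.

```shell
#!/bin/sh
# Added example (not part of the original post): checks to run before loading
# a key/certificate pair and a CA certificate into the SRX. All files below are
# generated on the fly as test material; nothing here touches the firewall.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# key_matches_cert KEY CERT: RSA only. The certificate's Subject Public Key
# must carry the same modulus as the private key. Prints match or mismatch.
key_matches_cert() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    crt_mod=$(openssl x509 -in "$2" -noout -modulus)
    if [ "$key_mod" = "$crt_mod" ]; then echo match; else echo mismatch; fi
}

# fingerprint CERT ALGO: the fingerprint as the SRX prints it, lowercase and
# colon-separated. ALGO is sha1 or md5.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" | cut -d= -f2 | tr 'A-F' 'a-f'
}

# fingerprint_from_der CERT ALGO: the same value computed by hand, to show
# what a fingerprint is: a digest of the DER-encoded certificate, nothing more.
fingerprint_from_der() {
    openssl x509 -in "$1" -outform DER | openssl dgst "-$2" -r | cut -d' ' -f1 \
        | sed -e 's/../&:/g' -e 's/:$//'
}

# fingerprint_matches CERT ALGO EXPECTED: EXPECTED is the value copied from the
# SRX prompt; case and separators are normalised before comparing.
fingerprint_matches() {
    want=$(printf '%s' "$3" | tr 'A-F' 'a-f' | tr -d ': ')
    have=$(fingerprint "$1" "$2" | tr -d ':')
    if [ "$want" = "$have" ]; then echo match; else echo mismatch; fi
}

# Test material: a self-signed certificate with its key, plus an unrelated key.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=ca.example.test" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

# The SHA-1 fingerprint shown by the SRX prompt on this page, as EXPECTED input.
PAGE_SHA1="5c:6f:2d:4c:4a:f6:8f:93:a6:1b:21:30:9a:95:23:6a:e8:e8:5f:66"

echo "ca.key    vs ca.crt: $(key_matches_cert "$WORK/ca.key" "$WORK/ca.crt")"
echo "other.key vs ca.crt: $(key_matches_cert "$WORK/other.key" "$WORK/ca.crt")"
echo "$(fingerprint "$WORK/ca.crt" sha1) (sha1)"
echo "$(fingerprint "$WORK/ca.crt" md5) (md5)"
echo "same, by hand:       $(fingerprint_from_der "$WORK/ca.crt" sha1) (sha1)"
echo "matches page prompt: $(fingerprint_matches "$WORK/ca.crt" sha1 "$PAGE_SHA1")"
```

The modulus comparison is the check to run on cert.crt and priv.key before they are copied to /var/tmp on the firewall; a mismatched pair gives a certificate the SRX can never use to authenticate, because the IKE signature it makes with the key will not verify against the certificate it presents. The fingerprint comparison is what turns the SRX prompt from a formality into a real check: copy the value from a CA certificate you obtained directly from the CA operator, not from the same channel the file arrived on.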