Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Author: mandrei99 | Posted: Fri Dec 12, 2014 10:07 am

PKI: How to import OpenSSL private key and public certificate in Juniper SRX

One use of an X.509 key/certificate pair (the same kind of pair an SSL/TLS server uses) is authenticating IPsec peers during IKE. How does it work?

Each IPsec VPN endpoint possesses a private key and a public certificate. The certificate is produced from a certificate signing request (referred to as a "CSR" by many people), which carries the public key (the RSA modulus and public exponent) and is signed with the matching private key to prove possession of it.

The steps are:
- using the private key, generate a signing request containing the information to be certified: the subject, the public key and any requested X.509 extensions
- the CSR is sent to the certificate authority (like VeriSign, or your own OpenSSL CA) and the CA signs that information. The result is the public certificate (the signed file, usually referred to as .pem or .crt)

There are a few deviations from this setup, such as self-signed certificates, where the issuer is the same as the certificate subject.

Besides its private key and signed PEM certificate, each VPN endpoint also holds the public certificate of the certificate authority that signed the other endpoint's certificate, and possibly other CA certificates. During IKE, each endpoint sends its own signed certificate to the other end. The other end checks that the received certificate was signed by one of the CAs it has imported (and that it is within its validity period and, if revocation checking is enabled, not revoked) and that the certificate matches the peer's IKE identity. If these checks pass, IKE phase 1 authentication is successful.

Juniper SRX devices can generate their own private key, but importing one generated externally with OpenSSL or another tool requires a hidden command (the "key" option of "request security pki local-certificate load", used below).

Here is how to generate a 2048-bit RSA key and dump its components (the dump is shown for illustration only; a real private key must stay on the host, unencrypted key files included, with restrictive permissions):

Code:
# openssl genrsa -out priv.key 2048
Generating RSA private key, 2048 bit long modulus
.........................+++
..............+++
e is 65537 (0x10001)
# openssl rsa -in priv.key -noout -text
Private-Key: (2048 bit)
modulus:
    00:be:4f:bb:76:7d:37:fa:27:81:d5:08:49:8c:09:
    3d:1e:8e:b1:0e:84:e1:86:17:d2:0c:39:bf:e2:7f:
    c1:0d:21:48:ee:25:3e:c0:e1:5d:3d:43:3f:39:ac:
    06:9a:07:9e:97:b2:4b:1d:6b:0b:d5:2a:e4:ad:66:
    48:d2:6d:82:28:a2:5f:96:11:5e:ee:f8:89:66:90:
    d5:ca:21:9d:97:58:ed:81:66:49:c5:b6:96:10:7b:
    7e:0d:33:e9:da:9b:f3:91:ff:7e:9e:04:2d:3e:99:
    f4:4f:21:f1:1e:c0:6c:fa:1d:5b:a9:06:e8:15:b7:
    7d:b1:26:fe:23:80:15:06:da:a5:49:00:56:7a:49:
    e6:bf:e0:d1:0d:49:5e:77:22:2b:6c:4b:69:48:7e:
    7f:a2:d3:06:db:d8:ab:0d:0c:b6:77:f8:59:a5:18:
    15:33:ab:5b:ed:1d:3d:e1:8d:af:66:55:82:62:7b:
    df:cb:c1:ac:59:39:98:03:3b:48:94:17:63:c6:b8:
    2d:5a:b0:f2:61:bd:a9:52:a6:26:73:39:f3:2b:b7:
    ac:13:8a:1f:29:69:f0:9f:21:42:92:de:38:a5:69:
    ca:ea:62:3b:67:be:eb:cd:a8:4b:8d:1d:50:a2:7b:
    c4:3d:e3:1f:5e:a6:ec:9a:ee:44:f1:4a:99:02:49:
    34:77
publicExponent: 65537 (0x10001)
privateExponent:
    52:c9:62:76:17:e0:aa:ec:56:b9:32:42:b4:2d:2c:
    ae:47:4a:54:53:8f:bb:82:4f:38:4c:42:e1:a7:cb:
    76:07:bd:af:02:fa:ba:73:0e:d9:60:90:77:69:12:
    f2:1c:50:6c:12:fe:44:0c:d5:f7:e4:11:d8:30:7f:
    8b:32:62:05:85:24:e9:a6:22:d2:f7:c0:e5:a2:29:
    ae:25:53:65:8c:24:bd:3e:9e:e6:e8:17:7d:92:0a:
    f2:79:5b:c8:62:40:e1:88:f0:2e:93:08:8f:8b:ef:
    50:21:26:bf:c6:db:61:2e:36:3a:60:2b:c3:8e:af:
    99:c9:a9:92:0d:dc:97:be:f3:4c:a5:22:c9:a3:3d:
    77:09:0d:77:b3:a3:e0:d5:e5:e9:61:9b:2a:7f:3d:
    a9:09:54:7f:d1:ff:03:bf:ef:67:d0:86:a7:78:9c:
    a3:f7:f9:02:62:3f:95:e6:e7:c3:54:d4:37:1a:d8:
    0f:c0:46:34:ad:32:ee:df:f9:14:d2:73:2f:4a:a7:
    30:fe:bb:69:b2:9c:73:b2:30:b4:b2:66:18:c7:7a:
    a1:11:69:d5:80:e2:7d:a8:65:3f:ae:11:b5:4c:c2:
    8c:a6:3b:3a:1d:03:9d:be:ec:bb:ab:db:97:3e:25:
    d8:a1:4a:53:bf:c6:a1:a4:66:ad:31:8d:82:93:2f:
    b9
prime1:
    00:df:71:20:7f:6f:76:38:71:6f:d7:ad:2c:89:e0:
    ed:96:08:30:e4:75:9e:42:33:fb:8a:40:60:12:a2:
    ee:39:af:b6:2a:a7:2b:9e:e0:97:9f:f8:7b:b7:3c:
    04:df:0e:38:c9:92:fd:ad:f6:3e:08:50:3d:9f:c3:
    5a:40:4c:2a:fa:32:43:cd:2d:7a:1f:e2:bf:9e:21:
    9c:37:fa:ac:c6:64:d7:74:af:ee:f9:35:0b:4e:60:
    c3:b1:a3:07:eb:93:0a:e7:a0:83:fb:94:2f:34:49:
    6e:04:11:81:17:3f:7b:41:ca:03:02:09:6b:b9:36:
    ca:7e:89:9a:bd:24:89:ab:ed
prime2:
    00:da:0a:c4:57:2c:ae:07:46:26:01:fa:e9:4c:d6:
    69:65:1d:34:70:26:d7:39:17:e4:65:06:85:8b:a3:
    89:05:2f:58:5e:34:ee:31:bb:a3:a6:99:4e:4f:e5:
    82:83:5e:66:ce:cf:a9:bc:3f:e2:40:1c:3d:ed:b4:
    f0:2e:6d:9f:c7:c0:62:64:e7:2e:ca:72:4b:82:72:
    77:af:91:d6:4e:89:e3:db:c1:91:83:95:f8:2d:24:
    fd:77:93:e6:a1:aa:5b:02:8f:96:80:d5:f4:f0:04:
    b8:9e:41:ad:6a:f4:0d:59:81:ef:b1:d1:d0:46:e8:
    bb:87:1a:33:22:74:2f:bd:73
exponent1:
    30:e1:6d:ab:93:35:b8:99:50:4f:4d:6a:1d:eb:9f:
    ee:1f:72:9a:b8:04:5c:15:45:24:f4:7a:4f:f9:66:
    c6:25:e3:63:27:59:0a:93:b5:77:e0:83:28:0d:b0:
    3f:1f:bc:5a:94:96:7c:75:0f:13:00:82:ca:ad:90:
    d3:da:15:d8:d0:20:37:05:88:de:ea:da:e2:7c:15:
    d1:c5:3c:00:d6:d4:af:89:41:6d:31:26:7d:09:fc:
    25:a3:35:bb:5a:5a:9b:5b:69:24:23:41:c4:5d:7f:
    fc:d1:db:7c:bb:7d:7a:61:f8:10:7d:01:1c:ee:98:
    93:e0:04:82:f6:38:4b:ed
exponent2:
    57:e9:af:70:56:9b:74:63:5c:3f:c0:23:00:d0:12:
    7e:aa:5f:d2:38:56:de:b6:3b:68:60:50:c8:14:8f:
    d2:7f:5c:69:df:7d:8a:9f:d5:43:fe:dc:0c:6a:c5:
    4c:a2:6b:61:47:69:70:75:71:8b:d7:d7:40:58:8b:
    de:ac:64:97:ed:81:be:9d:57:c8:58:7d:09:83:8d:
    ae:44:66:dc:13:cc:c3:76:30:6d:95:b2:12:c1:af:
    50:df:59:46:25:a1:bc:4e:98:a8:29:9c:30:8a:36:
    c5:d8:45:4b:b2:4b:0f:a3:cc:39:2e:17:83:ff:a2:
    5c:be:bb:8f:50:b9:4e:f1
coefficient:
    41:c1:4d:d3:6d:d0:13:00:4b:6a:a5:87:1e:8c:2a:
    9e:be:36:fa:7b:7b:dd:c5:a1:49:e9:1f:5d:99:74:
    26:10:7e:bd:da:8f:18:ab:31:6e:b3:e9:39:4e:75:
    bb:86:b4:ac:e7:3d:eb:af:97:90:4d:95:f7:33:8e:
    61:ed:76:e5:51:cd:06:a5:d2:4d:c6:1c:16:34:7a:
    1c:2a:35:4d:a6:01:57:62:6e:fe:79:90:c4:f6:55:
    ee:4f:08:a0:e0:07:fe:d3:87:b6:44:79:44:7c:03:
    ec:c3:67:4b:0a:ae:92:51:06:c1:24:2a:f9:98:79:
    e1:a2:0e:a1:fa:20:45:a2


From the private key, I will generate a signing request (no issuer information and no CA signature):
Code:
# openssl req -new -key priv.key -out cert.csr -subj "/C=RO/ST=Bucharest/L=Bucharest/O=Ivorde/OU=IPSEC/CN=ipsec.ivorde.ro"
# openssl req -in cert.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=RO, ST=Bucharest, L=Bucharest, O=Ivorde, OU=IPSEC, CN=ipsec.ivorde.ro
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:be:4f:bb:76:7d:37:fa:27:81:d5:08:49:8c:09:
                    3d:1e:8e:b1:0e:84:e1:86:17:d2:0c:39:bf:e2:7f:
                    c1:0d:21:48:ee:25:3e:c0:e1:5d:3d:43:3f:39:ac:
                    06:9a:07:9e:97:b2:4b:1d:6b:0b:d5:2a:e4:ad:66:
                    48:d2:6d:82:28:a2:5f:96:11:5e:ee:f8:89:66:90:
                    d5:ca:21:9d:97:58:ed:81:66:49:c5:b6:96:10:7b:
                    7e:0d:33:e9:da:9b:f3:91:ff:7e:9e:04:2d:3e:99:
                    f4:4f:21:f1:1e:c0:6c:fa:1d:5b:a9:06:e8:15:b7:
                    7d:b1:26:fe:23:80:15:06:da:a5:49:00:56:7a:49:
                    e6:bf:e0:d1:0d:49:5e:77:22:2b:6c:4b:69:48:7e:
                    7f:a2:d3:06:db:d8:ab:0d:0c:b6:77:f8:59:a5:18:
                    15:33:ab:5b:ed:1d:3d:e1:8d:af:66:55:82:62:7b:
                    df:cb:c1:ac:59:39:98:03:3b:48:94:17:63:c6:b8:
                    2d:5a:b0:f2:61:bd:a9:52:a6:26:73:39:f3:2b:b7:
                    ac:13:8a:1f:29:69:f0:9f:21:42:92:de:38:a5:69:
                    ca:ea:62:3b:67:be:eb:cd:a8:4b:8d:1d:50:a2:7b:
                    c4:3d:e3:1f:5e:a6:ec:9a:ee:44:f1:4a:99:02:49:
                    34:77
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
         9a:56:17:84:e0:5d:e4:1a:fd:05:64:a6:e1:5b:6b:ff:dc:77:
         50:15:d6:83:55:ae:9d:43:1e:91:43:ce:b2:2d:c2:bf:a6:64:
         57:34:4d:62:d8:1c:d3:28:70:01:74:51:c9:c6:0d:7e:3d:b3:
         d4:ee:e8:f6:ac:19:e0:a7:e9:1f:9c:15:6a:3b:e4:63:dd:da:
         5c:81:42:63:64:ea:b5:8e:a8:e4:aa:8d:40:7a:8b:3a:d6:b5:
         df:45:e0:6b:9f:f9:ae:ee:9b:25:8c:4b:2d:32:f7:99:fe:16:
         ef:f9:71:86:6b:a4:30:13:1f:a8:0e:7a:d0:1d:52:97:28:79:
         70:c2:b2:e7:6f:5c:c8:08:ac:58:f8:59:cb:15:bc:bf:43:57:
         31:7a:3d:48:54:20:a1:ab:3f:ae:8c:23:3e:a0:6b:d7:c9:07:
         11:0e:42:b4:94:cc:d7:11:73:d1:6d:70:94:d1:81:9e:39:4c:
         6d:b1:39:3b:95:06:aa:40:23:ab:4a:67:b7:91:ae:4b:01:af:
         07:0f:b7:f2:60:84:e4:f7:1f:d8:f0:03:54:12:fb:62:d0:fa:
         26:65:4e:a9:7d:96:16:48:f4:bb:bf:c6:ab:0e:88:f9:c3:ec:
         ae:fa:3f:34:4b:cf:99:f7:1d:b3:f9:8b:39:40:48:3d:f5:1e:
         04:d4:17:de

As expected, the signing request has no issuer. The signature it does carry is the requester's own, made with priv.key over the request data; the CA verifies it to confirm the requester holds the private key.

Once the CSR is signed, let's check out the PEM certificate. Two things are worth noticing. First, the CA signed with SHA-1 (sha1WithRSAEncryption), which was still common in 2014 but should be SHA-256 today (pass -sha256 on the signing side). Second, the issued Subject and the Subject Alternative Name come from the CA's configuration, not verbatim from the CSR: the L= attribute from the request is gone and the SAN holds the CA's template values. Since the IKE identity is matched against these fields, check them before deploying:
Code:
# openssl x509 -in cert.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4121 (0x1019)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=RO, ST=Bucharest, L=Bucharest, O=Ivorde, OU=SSL CA, CN=ca.ivorde.ro/emailAddress=andrei@ivorde.ro
        Validity
            Not Before: Dec 12 13:54:21 2014 GMT
            Not After : Dec 12 13:54:21 2015 GMT
        Subject: C=RO, ST=Bucharest, O=Ivorde, OU=IPSEC, CN=ipsec.ivorde.ro
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:be:4f:bb:76:7d:37:fa:27:81:d5:08:49:8c:09:
                    3d:1e:8e:b1:0e:84:e1:86:17:d2:0c:39:bf:e2:7f:
                    c1:0d:21:48:ee:25:3e:c0:e1:5d:3d:43:3f:39:ac:
                    06:9a:07:9e:97:b2:4b:1d:6b:0b:d5:2a:e4:ad:66:
                    48:d2:6d:82:28:a2:5f:96:11:5e:ee:f8:89:66:90:
                    d5:ca:21:9d:97:58:ed:81:66:49:c5:b6:96:10:7b:
                    7e:0d:33:e9:da:9b:f3:91:ff:7e:9e:04:2d:3e:99:
                    f4:4f:21:f1:1e:c0:6c:fa:1d:5b:a9:06:e8:15:b7:
                    7d:b1:26:fe:23:80:15:06:da:a5:49:00:56:7a:49:
                    e6:bf:e0:d1:0d:49:5e:77:22:2b:6c:4b:69:48:7e:
                    7f:a2:d3:06:db:d8:ab:0d:0c:b6:77:f8:59:a5:18:
                    15:33:ab:5b:ed:1d:3d:e1:8d:af:66:55:82:62:7b:
                    df:cb:c1:ac:59:39:98:03:3b:48:94:17:63:c6:b8:
                    2d:5a:b0:f2:61:bd:a9:52:a6:26:73:39:f3:2b:b7:
                    ac:13:8a:1f:29:69:f0:9f:21:42:92:de:38:a5:69:
                    ca:ea:62:3b:67:be:eb:cd:a8:4b:8d:1d:50:a2:7b:
                    c4:3d:e3:1f:5e:a6:ec:9a:ee:44:f1:4a:99:02:49:
                    34:77
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DirName:/C=UK/O=My Organization/OU=My Unit/CN=My Name, IP Address:3.2.2.2, email:asdfasdf@asdf.com, URI:http://ivorde.ro/
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption
         71:6d:06:f8:b6:53:44:5f:ef:ac:b4:8f:34:38:0f:06:58:72:
         bc:4c:29:d1:6f:d1:00:f8:69:b7:20:ce:50:19:23:60:96:b3:
         c9:fc:54:c8:96:fb:70:f5:9b:a7:13:40:65:54:12:83:8c:c7:
         98:22:d9:ee:65:9c:fa:b8:27:8d:6c:1b:27:1c:ef:d8:c0:25:
         fa:d5:68:48:93:c3:54:3e:49:64:52:b3:5f:86:e8:34:9e:a5:
         9e:c1:7d:5f:45:98:ab:80:86:17:d5:7d:62:c3:9a:a3:3f:08:
         fc:2c:fa:21:c8:96:dc:ac:11:ef:d3:7f:c3:29:ce:75:53:e5:
         26:2c:67:0f:dc:1c:5c:70:57:9a:df:8c:a3:04:9e:50:5a:b5:
         35:06:14:ae:e8:78:71:72:34:6d:9f:e3:bc:1d:4f:55:b1:2e:
         b6:f3:9a:c6:f1:17:29:86:97:18:66:77:21:be:47:ff:52:90:
         8f:87:2e:34:19:f2:a7:67:70:41:a5:b2:d7:b4:1b:46:a3:be:
         82:22:65:ac:e9:14:68:39:49:15:ec:40:d1:09:75:ee:37:9f:
         25:59:54:2f:00:36:16:45:01:6d:82:8a:bb:15:91:9b:12:9b:
         cd:e2:2a:ea:5b:d3:60:16:c2:6e:18:43:61:e0:e8:9c:69:80:
         4a:e1:8b:4b


Here is how to load the pair in Juniper SRX:
Code:
> request security pki local-certificate load filename /var/tmp/cert.crt key /var/tmp/priv.key certificate-id test
Local certificate loaded successfully
> request security pki local-certificate verify certificate-id test
Error: Certificate Authority not found for certificate </C=RO/ST=Bucharest/O=Ivorde/OU=IPSEC/CN=ipsec.ivorde.ro>


At this point the private key generated externally with OpenSSL and the signed certificate are loaded on the Juniper SRX firewall, but the SRX cannot verify the certificate locally because it does not yet trust the issuing CA.
For IKE PKI authentication to work, remember that IPsec endpoint A needs the public certificate of the authority that signed endpoint B's certificate, and vice versa. If both endpoints have certificates signed by the same authority, below is how to import the CA's public certificate into a ca-profile. "revocation-check disable" turns off CRL checking; that is acceptable for a lab, but in production configure revocation checking against the CA's CRL. Before answering "yes", compare the printed fingerprint with the one computed on the workstation ("openssl x509 -in ca.crt -noout -fingerprint -sha1"):

Code:
# set security pki ca-profile test ca-identity test
# set security pki ca-profile test revocation-check disable
# commit and-quit
> request security pki ca-certificate load filename /var/tmp/ca.crt ca-profile test
Fingerprint:
  5c:6f:2d:4c:4a:f6:8f:93:a6:1b:21:30:9a:95:23:6a:e8:e8:5f:66 (sha1)
  63:b6:f8:85:67:27:dd:32:9d:b2:8f:88:94:0c:8f:65 (md5)
Do you want to load this CA certificate ? [yes,no] (no) yes

CA certificate for profile test loaded successfully


With the CA imported, the local certificate now chains to a trusted CA and verifies:
Code:
> request security pki local-certificate verify certificate-id test
Local certificate test verification success
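The whole procedure above (CA, endpoint key, CSR, CA signature, chain verification) as one script, added here as an example and not part of the original post. Besides building the files, it runs the two checks worth doing before the "local-certificate load" step: that the RSA modulus in the certificate matches the private key being loaded, and that the CA signed with SHA-256 rather than SHA-1. All subjects, file names and SAN values below are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build a small test CA, sign an
# IPsec endpoint certificate with SHA-256, and run the checks worth doing
# before "request security pki local-certificate load" on the SRX.
# Subjects, host names and addresses are invented for the example.

# Create CA key/cert, endpoint key, CSR and signed cert inside directory $1.
# Returns non-zero if any step or check fails.
build_chain() {
    dir="$1"
    # Extensions for the endpoint cert: not a CA, usable for IKE signatures,
    # and a SAN that can serve as the IKE identity. These come from the CA
    # side, not from the CSR, exactly as in the post's certificate dump.
    cat > "$dir/ext.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:ipsec.example.test, IP:192.0.2.10
EOF
    # Self-signed CA (issuer == subject), SHA-256 signature.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=RO/O=Example/OU=SSL CA/CN=ca.example.test" 2>/dev/null || return 1
    # Endpoint private key, unencrypted, as the SRX "key" option expects.
    openssl genrsa -out "$dir/priv.key" 2048 2>/dev/null || return 1
    # CSR: subject plus public key, self-signed by the requester's key.
    openssl req -new -key "$dir/priv.key" -out "$dir/cert.csr" \
        -subj "/C=RO/O=Example/OU=IPSEC/CN=ipsec.example.test" 2>/dev/null || return 1
    # CA signs the CSR; extensions are taken from ext.cnf, not from the CSR.
    openssl x509 -req -in "$dir/cert.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/ext.cnf" \
        -out "$dir/cert.crt" 2>/dev/null || return 1
    # Chain check: the same test the SRX performs in "local-certificate verify".
    openssl verify -CAfile "$dir/ca.crt" "$dir/cert.crt" >/dev/null 2>&1 || return 1
    # Refuse a SHA-1 signed certificate.
    openssl x509 -in "$dir/cert.crt" -noout -text | grep -q 'sha256WithRSAEncryption' || return 1
}

# Return 0 when the RSA modulus in the private key equals the one in the
# certificate. A mismatch means the certificate was issued for a different
# key; loading such a pair on the SRX fails, or the peer rejects the IKE
# signature later.
keypair_matches() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}
```

Usage: "build_chain /tmp/pki && keypair_matches /tmp/pki/priv.key /tmp/pki/cert.crt", then copy priv.key, cert.crt and ca.crt to /var/tmp on the SRX and run the load commands from the post. keypair_matches returns non-zero for the wrong key, which is the situation you hit when a certificate issued for an older key is loaded next to a regenerated one. OpenSSL 3 writes private keys in PKCS#8 form ("BEGIN PRIVATE KEY"); if the SRX rejects that format, convert with "openssl rsa -in priv.key -traditional -out priv-pkcs1.key" and load the converted file instead.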




