Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides
Topic review - error: error load certid<test> when attempting to import signed certificate in Juniper SRX Firewall
Post subject: error: error load certid<test> when attempting to import signed certificate in Juniper SRX Firewall  |  Posted: Fri Dec 12, 2014 10:21 am
request security pki local-certificate load filename /var/tmp/cert.crt key /var/tmp/priv.key certificate-id test
error: error load certid<test>

In 99% of cases, this error appears on a Juniper SRX firewall when the user attempts to load a public/signed certificate that was generated with a different private key than the one the SRX is aware of.

In many of these cases, users generate a private key on the SRX, then copy another key file generated on an external system over the existing one and start "playing" in production. This is the wrong approach, because when a key pair is generated by Junos on the SRX, it is cached in the PKI daemon. On top of this, the key pair generated by the firewall has an extra header containing a hash when it is written to disk.

If this file is overwritten, the old key will still be in memory; when the user then tries to load a signed/local certificate generated with the key that was copied to the /var/db/certs/common/key-pair/ directory, the above error will be displayed. If the SRX is restarted, another error will appear.

Use the guide [url][/url to do this properly by importing an externally generated private key into the SRX instead of the "scp" method.
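The root cause described in the post, a certificate issued for a public key that does not belong to the private key the SRX actually holds, can be caught on the workstation before anything is copied to the firewall. The following shell script is an added example and is not part of the original post or of Junos; it uses only the openssl CLI. It compares the SHA-256 fingerprint of the SubjectPublicKeyInfo embedded in the certificate with the one derived from the private key, and it builds its own throwaway demo material (a self-signed certificate with its matching key, plus an unrelated second key) so it runs offline. File names, the CN "srx-demo" and the directory layout are assumptions for the demo only.

```shell
#!/bin/sh
# Added example (not from the original post or from Junos): verify that a signed
# certificate really belongs to a given private key before loading it on an SRX.
# Requires the openssl CLI. Demo file names and subjects below are assumptions.
set -eu

# pubkey_fingerprint FILE KIND
#   Prints the SHA-256 of the PEM SubjectPublicKeyInfo taken either from a
#   certificate (KIND=cert) or from a private key (KIND=key). Using the same
#   encoding on both sides makes the two fingerprints directly comparable.
pubkey_fingerprint() {
    if [ "$2" = cert ]; then
        openssl x509 -in "$1" -noout -pubkey
    else
        openssl pkey -in "$1" -pubout
    fi | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key CERT KEY
#   Returns 0 when CERT was issued for the public half of KEY, 1 otherwise.
#   A mismatch here is exactly the situation that produces
#   "error: error load certid<...>" on the SRX.
cert_matches_key() {
    c=$(pubkey_fingerprint "$1" cert)
    k=$(pubkey_fingerprint "$2" key)
    [ "$c" = "$k" ]
}

# make_demo DIR
#   Constructed demo material: srx.key/srx.crt are a matching pair (the key the
#   CSR was generated from), other.key is an unrelated key such as one that was
#   scp'd over the firewall's own key file after the CSR had already been sent.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=srx-demo \
        -keyout "$1/srx.key" -out "$1/srx.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# Stand-alone demonstration.
demo_dir=$(mktemp -d)
make_demo "$demo_dir"
if cert_matches_key "$demo_dir/srx.crt" "$demo_dir/srx.key"; then
    echo "srx.crt matches srx.key: safe to load on the SRX"
fi
if ! cert_matches_key "$demo_dir/srx.crt" "$demo_dir/other.key"; then
    echo "srx.crt does NOT match other.key: the SRX would report 'error load certid'"
fi
rm -rf "$demo_dir"
```

Run `cert_matches_key signed.crt srx.key` against the certificate returned by the CA and the private key you actually intend the firewall to use; only when it returns 0 is the `request security pki local-certificate load` command worth attempting. Comparing fingerprints of the public key, rather than raw modulus dumps, keeps the check independent of the key algorithm.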