There are more related posts in this blog:
- Using Symantec SSL PKI to Authenticate Cisco IOS IPSec VPN - HA Deployment
- Using PKI Build Route-Based IPSec VPN between Juniper SRX
- Certification based Cisco IPSec VPN Down caused by 'signature invalid'
- Using Symantec Verisign SSL Certificate for Check Point SSL VPN Mobile Access Portal
- Using Symantec Verisign PKI to authenticate Checkpoint Site-to-Site IPSec VPN
- Cisco IKEv1 Site-to-Site IPSec Configuration on IOS Routers (2) - Using Two Different CA Certificates
This post covers some troubleshooting steps for a strange certificate issue that came up while configuring a PKI-based IPSec VPN between Juniper SRX firewalls.
Symptoms:
The VPN tunnel could not be built, although all procedures had been followed: generating an RSA key pair, generating a CSR on both SRX firewalls, submitting the CSRs to the SSL certificate provider, receiving certificates for both devices, receiving the CA certificates, and importing all certificates into the devices.
Debugging IKE did not give much information. But while verifying the certificates, I found this strange output:
@SRX1:
root@fw-SRX1-2> show security pki ca-certificate detail
node0:
--------------------------------------------------------------------------
Certificate identifier: G5
 Certificate version: 3
 Serial number: 250ce8e030612e9f2b89f7054d7cf8fd
 Issuer:
  Organization: "VeriSign, Organizational unit: Class 3 Public Primary Certification Authority, Country: US
 Subject:
  Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
 Subject string:
  C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5
 Validity:
  Not before: 11- 8-2006 00:00 UTC
  Not after: 11- 7-2021 23:59 UTC
 Public key algorithm: rsaEncryption(2048 bits)
 Signature algorithm: sha1WithRSAEncryption
 Distribution CRL:
  http://crl.verisign.com/pca3.crl
 Use for key: CRL signing, Certificate signing, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2, Code Signing, 1.3.6.1.5.5.7.3.3, Netscape Server Gated Crypto,
 2.16.840.1.113730.4.1, 2.16.840.1.113733.1.8.1, 2.16.840.1.113733.1.8.1
 Fingerprint:
  32:f3:08:82:62:2b:87:cf:88:56:c6:3d:b8:73:df:08:53:b4:dd:27 (sha1)
  f9:1f:fe:e6:a3:6b:99:88:41:d4:67:dd:e5:f8:97:7a (md5)
 Auto-re-enrollment:
  Status: Disabled
  Next trigger time: Timer not started
Certificate identifier: G4
 Certificate version: 3
 Serial number: 513fb9743870b73440418d30930699ff
 Issuer:
  Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
 Subject:
  Organization: Symantec Corporation, Organizational unit: Symantec Trust Network, Country: US, Common name: Symantec Class 3 Secure Server CA - G4
 Subject string:
  C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
 Validity:
  Not before: 10-31-2013 00:00 UTC
  Not after: 10-30-2023 23:59 UTC
 Public key algorithm: rsaEncryption(2048 bits)
 Signature algorithm: sha256WithRSAEncryption
 Distribution CRL:
  http://s1.symcb.com/pca3-g5.crl
 Use for key: CRL signing, Certificate signing
 Fingerprint:
  ff:67:36:7c:5c:d4:de:4a:e1:8b:cc:e1:d7:0f:da:bd:7c:86:61:35 (sha1)
  23:d5:85:8e:bc:89:86:10:7c:b7:ac:1e:17:f7:26:c5 (md5)
 Auto-re-enrollment:
  Status: Disabled
  Next trigger time: Timer not started
From the output of the show command, both CA certificates G4 and G5 on firewall fw-SRX1-2 look fine, but they won't pass verification.
root@fw-srx1-2> request security pki ca-certificate verify ca-profile G4
node1:
--------------------------------------------------------------------------
Error: Certificate Authority not found for certificate </C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5>
{primary:node1}
root@fw-srx1-2> request security pki ca-certificate verify ca-profile G5
node1:
--------------------------------------------------------------------------
Error: Certificate Authority not found for certificate </C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5>
@SRX2, the same thing happened:
root@fw-SRX2-1> show security pki ca-certificate detail
node0:
--------------------------------------------------------------------------
Certificate identifier: G5
 Certificate version: 3
 Serial number: 250ce8e030612e9f2b89f7054d7cf8fd
 Issuer:
  Organization: "VeriSign, Organizational unit: Class 3 Public Primary Certification Authority, Country: US
 Subject:
  Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
 Subject string:
  C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5
 Validity:
  Not before: 11- 8-2006 00:00 UTC
  Not after: 11- 7-2021 23:59 UTC
 Public key algorithm: rsaEncryption(2048 bits)
 Signature algorithm: sha1WithRSAEncryption
 Distribution CRL:
  http://crl.verisign.com/pca3.crl
 Use for key: CRL signing, Certificate signing, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2, Code Signing, 1.3.6.1.5.5.7.3.3, Netscape Server Gated Crypto,
 2.16.840.1.113730.4.1, 2.16.840.1.113733.1.8.1, 2.16.840.1.113733.1.8.1
 Fingerprint:
  32:f3:08:82:62:2b:87:cf:88:56:c6:3d:b8:73:df:08:53:b4:dd:27 (sha1)
  f9:1f:fe:e6:a3:6b:99:88:41:d4:67:dd:e5:f8:97:7a (md5)
 Auto-re-enrollment:
  Status: Disabled
  Next trigger time: Timer not started
Certificate identifier: G4
 Certificate version: 3
 Serial number: 513fb9743870b73440418d30930699ff
 Issuer:
  Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
 Subject:
  Organization: Symantec Corporation, Organizational unit: Symantec Trust Network, Country: US, Common name: Symantec Class 3 Secure Server CA - G4
 Subject string:
  C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
 Validity:
  Not before: 10-31-2013 00:00 UTC
  Not after: 10-30-2023 23:59 UTC
 Public key algorithm: rsaEncryption(2048 bits)
 Signature algorithm: sha256WithRSAEncryption
 Distribution CRL:
  http://s1.symcb.com/pca3-g5.crl
 Use for key: CRL signing, Certificate signing
 Fingerprint:
  ff:67:36:7c:5c:d4:de:4a:e1:8b:cc:e1:d7:0f:da:bd:7c:86:61:35 (sha1)
  23:d5:85:8e:bc:89:86:10:7c:b7:ac:1e:17:f7:26:c5 (md5)
 Auto-re-enrollment:
  Status: Disabled
  Next trigger time: Timer not started
The certificate chain did not pass the verify procedure here either. The error is the same as on the SRX1 device; it seems the G5 CA certificate has an issue.
root@fw-SRX2-1> request security pki ca-certificate verify ca-profile G4
node0:
--------------------------------------------------------------------------
CA certificate G4 verified successfully
{primary:node0}
root@fw-SRX2-1> request security pki ca-certificate verify ca-profile G5
node0:
--------------------------------------------------------------------------
Error: Certificate Authority not found for certificate </C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5>
The CA certificate chain did not pass verification on either device. On SRX1 both G4 and G5 failed verification, while on SRX2 only G5 failed, although I imported the same certificates on both devices.
Troubleshooting:
Let's have a look at the files we got from Symantec Verisign:
1. ssl_certificate.crt is the firewall's certificate, signed by the Verisign CA certificate.
2. IntermediateCA.crt is the CA certificate chain file, which includes two certificates.
After saving each part of the certificate chain into its own file, I checked the certificate properties of each certificate.
From the certificate properties, we can tell that "Symantec Class 3 Secure Server CA - G4" is signed by "VeriSign Class 3 Public Primary Certification Authority - G5", and that "VeriSign Class 3 Public Primary Certification Authority - G5" is in turn signed by "Class 3 Public Primary Certification Authority".
From the output below, the local certificate SRX1 is signed by "Symantec Class 3 Secure Server CA - G4":
root@fw-SRX1-1> show security pki local-certificate detail
node0:
--------------------------------------------------------------------------
Certificate identifier: SRX1
 Certificate version: 3
 Serial number: 2d6f03041e93e1e97acd758ae940e6db
 Issuer:
  Organization: Symantec Corporation, Organizational unit: Symantec Trust Network, Country: US, Common name: Symantec Class 3 Secure Server CA - G4
 Subject:
  Organization: GG, Organizational unit: IT, Country: CA, State: Ontario, Locality: srx1, Common name: srx1.gg.com
 Subject string:
  C=CA, ST=Ontario, L=srx1, O=gg, OU=IT, CN=srx1.gg.com
 Alternate subject: email empty, srx1.gg.com, ip empty
 Validity:
  Not before: 01- 9-2015 00:00 UTC
  Not after: 04- 5-2018 23:59 UTC
 Public key algorithm: rsaEncryption(2048 bits)
 Signature algorithm: sha256WithRSAEncryption
 Distribution CRL:
  http://ss.symcb.com/ss.crl
 Use for key: Key encipherment, Digital signature, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2
 Fingerprint:
  8a:ea:0d:e2:a9:28:65:d1:d4:e0:6d:77:7e:aa:75:7d:69:7d:1f:ab (sha1)
  c7:b2:a1:ad:36:aa:8e:40:3d:5e:c9:cb:ad:9b:3f:10 (md5)
 Auto-re-enrollment:
  Status: Disabled
  Next trigger time: Timer not started
I checked the Symantec page "Licensing and Use of Root Certificates" and found that there is another G5 certificate.
I downloaded it and checked its properties in Windows:
This new G5 certificate expires in 2036 and has the same Issued To and Issued By, which means it is a root CA certificate. The old G5 expires in 2021 and has different Issued To and Issued By values, which means it is signed by another root CA certificate. Now I roughly understand the Symantec certificate chain, by drawing the following diagram:
Solutions:
Now it is quite clear: with the original certificates sent from Symantec, I only have G5 (2021) and G4 for the CA certificate chain. I am missing one root certificate, "Verisign Class 3 Public Primary CA".
I can either import another CA certificate to complete this chain, or replace G5 (2021) with the new G5 (2036). I chose the replace option.
All steps are listed below:
root@fw-SRX1-2> request security pki ca-certificate load ca-profile G5 filename /var/tmp/G5.pem
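To make the chain walk concrete, here is an added Python model of the verify step (example code written for this post, not Junos or Symantec code; the subject strings are shortened and the profile names assumed): each loaded ca-profile is reduced to its subject and issuer strings, and a profile verifies only when following issuer links reaches a self-signed root that is itself loaded. It reproduces the SRX1 result, where both G4 and G5 fail and the error names the G5 subject, and checks both fixes: adding the old root, or replacing G5 (2021) with the self-signed G5 (2036).

```python
# Constructed model (not Junos code) of the SRX ca-certificate verify walk:
# each loaded ca-profile is reduced to its subject and issuer strings, and a
# profile verifies only when following issuer links reaches a self-signed root
# that is itself loaded.
from dataclasses import dataclass

# Assumed subject strings, shortened from the post's show output.
ROOT_SUBJ = "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority"
G5_SUBJ = ("C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, "
           "CN=VeriSign Class 3 Public Primary Certification Authority - G5")
G4_SUBJ = "C=US, O=Symantec Corporation, CN=Symantec Class 3 Secure Server CA - G4"


@dataclass(frozen=True)
class CaProfile:
    identifier: str  # Junos ca-profile name, e.g. "G5"
    subject: str
    issuer: str
    expires: str     # expiry year; it is what tells the two G5 certificates apart

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def verify_ca_profile(store: dict, identifier: str) -> str:
    """Return the Junos-style result line for one ca-profile in 'store'.

    Issuers are looked up by subject string among the loaded profiles only,
    which is why a cross-signed G5 fails until its issuer is loaded too.
    """
    by_subject = {p.subject: p for p in store.values()}
    cert, seen = store[identifier], set()
    while not cert.self_signed:
        if cert.subject in seen:  # defensive: cycle in a malformed store
            return f"Error: issuer loop at certificate <{cert.subject}>"
        seen.add(cert.subject)
        issuer = by_subject.get(cert.issuer)
        if issuer is None:
            return f"Error: Certificate Authority not found for certificate <{cert.subject}>"
        cert = issuer
    return f"CA certificate {identifier} verified successfully"


# The two certificates inside IntermediateCA.crt, as the post describes them.
G5_CROSS = CaProfile("G5", G5_SUBJ, ROOT_SUBJ, "2021")  # cross-signed by the old root
G4 = CaProfile("G4", G4_SUBJ, G5_SUBJ, "2023")
# The self-signed G5 from the Symantec root page, and the old root itself.
G5_ROOT = CaProfile("G5", G5_SUBJ, G5_SUBJ, "2036")
OLD_ROOT = CaProfile("ROOT", ROOT_SUBJ, ROOT_SUBJ, "unknown")  # expiry not in the post

AS_IMPORTED = {"G5": G5_CROSS, "G4": G4}                   # what SRX1 had loaded
ROOT_ADDED = {"G5": G5_CROSS, "G4": G4, "ROOT": OLD_ROOT}  # fix 1: complete the chain
G5_REPLACED = {"G5": G5_ROOT, "G4": G4}                    # fix 2: what the post did

if __name__ == "__main__":
    for label, store in (("as imported", AS_IMPORTED), ("old root added", ROOT_ADDED),
                         ("G5 replaced", G5_REPLACED)):
        print(f"--- {label}")
        for ident in ("G4", "G5"):
            print(verify_ca_profile(store, ident))
```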
node1:
--------------------------------------------------------------------------
error: Command aborted as CA certificate already exists. Retry after clearing the existing CA certificate
root@fw-SRX1-2> clear security pki ca-certificate ca-profile G5
root@fw-SRX1-2> request security pki ca-certificate load ca-profile G5 filename /var/tmp/G5.pem
node1:
--------------------------------------------------------------------------
Fingerprint:
 4e:b6:d5:78:49:9b:1c:cf:5f:58:1e:ad:56:be:3d:9b:67:44:a5:e5 (sha1)
 cb:17:e4:31:67:3e:e2:09:fe:45:57:93:f3:0a:fa:1c (md5)
CA certificate for profile G5 loaded successfully
root@fw-SRX1-2> request security pki ca-certificate verify ca-profile G4
node1:
--------------------------------------------------------------------------
CA certificate G4 verified successfully
root@fw-SRX1-2> request security pki ca-certificate verify ca-profile G5
node1:
--------------------------------------------------------------------------
CA certificate G5 verified successfully
root@fw-SRX1-2> show security pki ca-certificate
node0:
--------------------------------------------------------------------------
Certificate identifier: G5
 Issued to: VeriSign Class 3 Public Primary Certification Authority - G5, Issued by: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
 Validity:
  Not before: 11- 8-2006 00:00 UTC
  Not after: 07-16-2036 23:59 UTC
 Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: G4
 Issued to: Symantec Class 3 Secure Server CA - G4, Issued by: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
 Validity:
  Not before: 10-31-2013 00:00 UTC
  Not after: 10-30-2023 23:59 UTC
 Public key algorithm: rsaEncryption(2048 bits)
Verify:
Check the IKE and IPSec SA status:
root@fw-SRX1-2> show security ike security-associations
node1:
--------------------------------------------------------------------------
Index  State  Initiator cookie  Responder cookie  Mode      Remote Address
301675926 UP  a148a554596bf461  cc586e1ce0d381be  Main      10.9.1.1
{secondary:node0}
root@fw-SRX1-2> show security ipsec security-associations
node1:
--------------------------------------------------------------------------
 Total active tunnels: 1
 ID   Algorithm    SPI    Life:sec/kb  Mon lsys Port  Gateway
 <131073 ESP:aes-cbc-128/sha1 c2a9ad05 1690/ unlim - root 500 10.9.1.1
 >131073 ESP:aes-cbc-128/sha1 3fd4eedc 1690/ unlim - root 500 10.9.1.1
Configuration:
interfaces {
  st0 {
    unit 0 {
      family inet;
    }
  }
}
admin@fw-2> show configuration routing-instances
vr_SRX2 {
  instance-type virtual-router;
  interface reth9.0;
  interface st0.0;
  routing-options {
    static {
      route 1.1.1.0/24 next-hop 10.4.1.2;
      route 10.9.0.0/16 next-hop st0.0;
      route 10.9.1.1/32 next-hop 10.4.1.2;
    }
    aggregate {
      route 10.94.0.0/16 {
        preference 2;
      }
      route 192.168.0.0/16 {
        preference 2;
      }
    }
    instance-import from_all_to_SRXl;
  }
}
pki {
  ca-profile G4 {
    ca-identity test.com;
    revocation-check {
      disable;
    }
    administrator {
      email-address "[email protected]";
    }
  }
  ca-profile G5 {
    ca-identity test.com;
    revocation-check {
      disable;
    }
    administrator {
      email-address "test1.test.com";
    }
  }
  traceoptions {
    file PKITRACE size 1m;
    flag all;
  }
}
ike {
  inactive: traceoptions {
    file IKELOG size 1m;
    flag policy-manager;
    flag ike;
    flag routing-socket;
    flag certificates;
  }
  proposal P1-AES_1_1 {
    authentication-method rsa-signatures;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
  }
  policy ike-pol-Myvpn {
    mode main;
    proposals P1-AES_1_1;
    certificate {
      local-certificate SRX1;
      peer-certificate-type x509-signature;
    }
    inactive: pre-shared-key ascii-text "$9$4xZGjqmT3nCHqp01IcSs2g4Uj"; ## SECRET-DATA
  }
  gateway gw-TheirGateway {
    ike-policy ike-pol-Myvpn;
    address 10.9.1.1;
    local-identity hostname srx1.test.com;
    remote-identity hostname srx2.test.com;
    external-interface reth9.0;
    local-address 10.4.1.1;
  }
}
ipsec {
  proposal P2-AES_1 {
    description group2;
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 3600;
  }
  policy ipsec-pol-1 {
    perfect-forward-secrecy {
      keys group2;
    }
    proposals P2-AES_1;
  }
  vpn vpn-ToThem {
    bind-interface st0.0;
    ike {
      gateway gw-TheirGateway;
      idle-time 1800;
      ipsec-policy ipsec-pol-1;
    }
  }
}