Troubleshooting Symantec Verisign SSL Certificates Issue on PKI VPN Tunnel between Juniper SRX Firewalls (Cont.)

PKI based IPSec Site to Site VPN becomes more and more populous. I had a previous post "Set up PKI IPSec VPN with Verisign SSL Certificates between Juniper SRX Firewalls" which records all steps how to set this kind of IPsec VPN up.

There are more related posts in this blog:

• Using Symantec SSL PKI to Authenticate Cisco IOS IPSec VPN - HA Deployment
• Using PKI Build Route-Based IPSec VPN between Juniper SRX
• Certification based Cisco IPSec VPN Down caused by 'signature invalid'
• Using Symantec Verisign SSL Certificate for Check Point SSL VPN Mobile Access Portal
• Using Symantec Verisign PKI to authenticate Checkpoint Site-to-Site IPSec VPN
• Cisco IKEv1 Site-to-Site IPSec Configuration on IOS Routers (2) - Using Two Different CA Certificates

This post is regarding some troubleshooting procedures for strange certificates issue during configuration PKI based IPSec vpn between Juniper SRX Firewalls.

Symptoms: 

The VPN Tunnel could not be built although all procedures have been followed, generated RSA key pair, generated CSR on both SRX firewalls, submitted CSR to SSL certification provider, received certificates for both devices, received CA certificates, and imported all certificates into devices.

Debugging IKE did not give too much information. But during verify certificates, I found these strange information:

@SRX1:

root@fw-SRX1-2> show security pki ca-certificate detail 
node0:
--------------------------------------------------------------------------
Certificate identifier: G5
  Certificate version: 3
  Serial number: 250ce8e030612e9f2b89f7054d7cf8fd
  Issuer:
    Organization: "VeriSign, Organizational unit: Class 3 Public Primary Certification Authority, Country: US
  Subject:
    Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
  Subject string:
    C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Validity:
    Not before: 11- 8-2006 00:00 UTC
    Not after: 11- 7-2021 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:af:24:08:08:29:7a:35:9e:60:0c:aa
    e7:4b:3b:4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:08:a3
    64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:2a:aa:a6:42:b3:8f:f8
    b9:55:b7:b1:b7:4b:b3:fe:8f:7e:07:57:ec:ef:43:db:66:62:15:61
    cf:60:0d:a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:54:85
    26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:d8:43:63:6a:52:4b:d2
    8f:e8:70:51:4d:d1:89:69:7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b
    56:d3:96:bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:f4:06
    04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:ba:f4:3c:ee:e0:8b:eb
    37:8b:ec:f4:d7:ac:f2:f6:f0:3d:af:dd:75:91:33:19:1d:1c:40:cb
    74:24:19:21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:63:47
    88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:ae:0e:9d:d4:d1:43:c0
    67:73:e3:14:08:7e:e5:3f:9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a
    ee:53:e8:25:15:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL:
    http://crl.verisign.com/pca3.crl
  Use for key: CRL signing, Certificate signing, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2, Code Signing, 1.3.6.1.5.5.7.3.3, Netscape Server Gated Crypto,
  2.16.840.1.113730.4.1, 2.16.840.1.113733.1.8.1, 2.16.840.1.113733.1.8.1
  Fingerprint:
    32:f3:08:82:62:2b:87:cf:88:56:c6:3d:b8:73:df:08:53:b4:dd:27 (sha1)
    f9:1f:fe:e6:a3:6b:99:88:41:d4:67:dd:e5:f8:97:7a (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
Certificate identifier: G4
  Certificate version: 3
  Serial number: 513fb9743870b73440418d30930699ff
  Issuer:
    Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
  Subject:
    Organization: Symantec Corporation, Organizational unit: Symantec Trust Network, Country: US, Common name: Symantec Class 3 Secure Server CA - G4
  Subject string:
    C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
  Validity:
    Not before: 10-31-2013 00:00 UTC
    Not after: 10-30-2023 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:b2:d8:05:ca:1c:74:2d:b5:17:56:39
    c5:4a:52:09:96:e8:4b:d8:0c:f1:68:9f:9a:42:28:62:c3:a5:30:53
    7e:55:11:82:5b:03:7a:0d:2f:e1:79:04:c9:b4:96:77:19:81:01:94
    59:f9:bc:f7:7a:99:27:82:2d:b7:83:dd:5a:27:7f:b2:03:7a:9c:53
    25:e9:48:1f:46:4f:c8:9d:29:f8:be:79:56:f6:f7:fd:d9:3a:68:da
    8b:4b:82:33:41:12:c3:c8:3c:cc:d6:96:7a:84:21:1a:22:04:03:27
    17:8b:1c:68:61:93:0f:0e:51:80:33:1d:b4:b5:ce:eb:7e:d0:62:ac
    ee:b3:7b:01:74:ef:69:35:eb:ca:d5:3d:a9:ee:97:98:ca:8d:aa:44
    0e:25:99:4a:15:96:a4:ce:6d:02:54:1f:2a:6a:26:e2:06:3a:63:48
    ac:b4:4c:d1:75:93:50:ff:13:2f:d6:da:e1:c6:18:f5:9f:c9:25:5d
    f3:00:3a:de:26:4d:b4:29:09:cd:0f:3d:23:6f:16:4a:81:16:fb:f2
    83:10:c3:b8:d6:d8:55:32:3d:f1:bd:0f:bd:8c:52:95:4a:16:97:7a
    52:21:63:75:2f:16:f9:c4:66:be:f5:b5:09:d8:ff:27:00:cd:44:7c
    6f:4b:3f:b0:f7:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://s1.symcb.com/pca3-g5.crl
  Use for key: CRL signing, Certificate signing
  Fingerprint:                        
    ff:67:36:7c:5c:d4:de:4a:e1:8b:cc:e1:d7:0f:da:bd:7c:86:61:35 (sha1)
    23:d5:85:8e:bc:89:86:10:7c:b7:ac:1e:17:f7:26:c5 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

From output of show command, both certificates G4 and G5 at firewall fw-SRX1-2 look ok. But they wont pass verification.

root@fw-srx1-2> request security pki ca-certificate verify ca-profile G4
node1:
--------------------------------------------------------------------------
Error: Certificate Authority not found for certificate </C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5>
{primary:node1}
root@fw-srx1-2> request security pki ca-certificate verify ca-profile G5  
node1:
--------------------------------------------------------------------------
Error: Certificate Authority not found for certificate </C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5>

@SRX2, same thing happened:

root@fw-SRX2-1> show security pki ca-certificate detail 
node0:
--------------------------------------------------------------------------
Certificate identifier: G5
  Certificate version: 3
  Serial number: 250ce8e030612e9f2b89f7054d7cf8fd
  Issuer:
    Organization: "VeriSign, Organizational unit: Class 3 Public Primary Certification Authority, Country: US
  Subject:
    Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
  Subject string:
    C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Validity:
    Not before: 11- 8-2006 00:00 UTC
    Not after: 11- 7-2021 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:af:24:08:08:29:7a:35:9e:60:0c:aa
    e7:4b:3b:4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:08:a3
    64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:2a:aa:a6:42:b3:8f:f8
    b9:55:b7:b1:b7:4b:b3:fe:8f:7e:07:57:ec:ef:43:db:66:62:15:61
    cf:60:0d:a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:54:85
    26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:d8:43:63:6a:52:4b:d2
    8f:e8:70:51:4d:d1:89:69:7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b
    56:d3:96:bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:f4:06
    04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:ba:f4:3c:ee:e0:8b:eb
    37:8b:ec:f4:d7:ac:f2:f6:f0:3d:af:dd:75:91:33:19:1d:1c:40:cb
    74:24:19:21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:63:47
    88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:ae:0e:9d:d4:d1:43:c0
    67:73:e3:14:08:7e:e5:3f:9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a
    ee:53:e8:25:15:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL:
    http://crl.verisign.com/pca3.crl
  Use for key: CRL signing, Certificate signing, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2, Code Signing, 1.3.6.1.5.5.7.3.3, Netscape Server Gated Crypto,
  2.16.840.1.113730.4.1, 2.16.840.1.113733.1.8.1, 2.16.840.1.113733.1.8.1
  Fingerprint:
    32:f3:08:82:62:2b:87:cf:88:56:c6:3d:b8:73:df:08:53:b4:dd:27 (sha1)
    f9:1f:fe:e6:a3:6b:99:88:41:d4:67:dd:e5:f8:97:7a (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
Certificate identifier: G4
  Certificate version: 3
  Serial number: 513fb9743870b73440418d30930699ff
  Issuer:
    Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
  Subject:
    Organization: Symantec Corporation, Organizational unit: Symantec Trust Network, Country: US, Common name: Symantec Class 3 Secure Server CA - G4
  Subject string:
    C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
  Validity:
    Not before: 10-31-2013 00:00 UTC
    Not after: 10-30-2023 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:b2:d8:05:ca:1c:74:2d:b5:17:56:39
    c5:4a:52:09:96:e8:4b:d8:0c:f1:68:9f:9a:42:28:62:c3:a5:30:53
    7e:55:11:82:5b:03:7a:0d:2f:e1:79:04:c9:b4:96:77:19:81:01:94
    59:f9:bc:f7:7a:99:27:82:2d:b7:83:dd:5a:27:7f:b2:03:7a:9c:53
    25:e9:48:1f:46:4f:c8:9d:29:f8:be:79:56:f6:f7:fd:d9:3a:68:da
    8b:4b:82:33:41:12:c3:c8:3c:cc:d6:96:7a:84:21:1a:22:04:03:27
    17:8b:1c:68:61:93:0f:0e:51:80:33:1d:b4:b5:ce:eb:7e:d0:62:ac
    ee:b3:7b:01:74:ef:69:35:eb:ca:d5:3d:a9:ee:97:98:ca:8d:aa:44
    0e:25:99:4a:15:96:a4:ce:6d:02:54:1f:2a:6a:26:e2:06:3a:63:48
    ac:b4:4c:d1:75:93:50:ff:13:2f:d6:da:e1:c6:18:f5:9f:c9:25:5d
    f3:00:3a:de:26:4d:b4:29:09:cd:0f:3d:23:6f:16:4a:81:16:fb:f2
    83:10:c3:b8:d6:d8:55:32:3d:f1:bd:0f:bd:8c:52:95:4a:16:97:7a
    52:21:63:75:2f:16:f9:c4:66:be:f5:b5:09:d8:ff:27:00:cd:44:7c
    6f:4b:3f:b0:f7:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://s1.symcb.com/pca3-g5.crl
  Use for key: CRL signing, Certificate signing
  Fingerprint:                        
    ff:67:36:7c:5c:d4:de:4a:e1:8b:cc:e1:d7:0f:da:bd:7c:86:61:35 (sha1)
    23:d5:85:8e:bc:89:86:10:7c:b7:ac:1e:17:f7:26:c5 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

Also the certificate chain did not pass verify procedure. The error is same as SRX1 device. It seems G5 CA certificate is having issue.

root@fw-SRX2-1> request security pki ca-certificate verify ca-profile G4  
node0:
--------------------------------------------------------------------------
CA certificate G4 verified successfully
{primary:node0}
root@fw-SRX2-1> request security pki ca-certificate verify ca-profile G5  
node0:
--------------------------------------------------------------------------
Error: Certificate Authority not found for certificate </C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5>

Both Devices CA certificate chain did not pass the verify. On SRX1, G4 and G5 CA certificate did not pass verify, and on SRX2, only G5 failed, although I imported same certificates on both devices.

Troubleshooting:

Let have a look at the files we got from Symantec Verisign:

1. ssl_certificate.crt is firewall's  certificate which is signed by Verisign CA certificate.

2. IntermediateCA.crt is CA certificate chain file which includes two certificates.

-----BEGIN CERTIFICATE-----MIIFODCCBCCgAwIBAgIQUT+5dDhwtzRAQY0wkwaZ/zANBgkqhkiG9w0BAQsFADCByjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwHhcNMTMxMDMxMDAwMDAwWhcNMjMxMDMwMjM1OTU5WjB+MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVjIENsYXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAstgFyhx0LbUXVjnFSlIJluhL2AzxaJ+aQihiw6UwU35VEYJbA3oNL+F5BMm0lncZgQGUWfm893qZJ4Itt4PdWid/sgN6nFMl6UgfRk/InSn4vnlW9vf92Tpo2otLgjNBEsPIPMzWlnqEIRoiBAMnF4scaGGTDw5RgDMdtLXO637QYqzus3sBdO9pNevK1T2p7peYyo2qRA4lmUoVlqTObQJUHypqJuIGOmNIrLRM0XWTUP8TL9ba4cYY9Z/JJV3zADreJk20KQnNDz0jbxZKgRb78oMQw7jW2FUyPfG9D72MUpVKFpd6UiFjdS8W+cRmvvW1Cdj/JwDNRHxvSz+w9wIDAQABo4IBYzCCAV8wEgYDVR0TAQH/BAgwBgEB/wIBADAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vczEuc3ltY2IuY29tL3BjYTMtZzUuY3JsMA4GA1UdDwEB/wQEAwIBBjAvBggrBgEFBQcBAQQjMCEwHwYIKwYBBQUHMAGGE2h0dHA6Ly9zMi5zeW1jYi5jb20wawYDVR0gBGQwYjBgBgpghkgBhvhFAQc2MFIwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vY3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vcnBhMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFTeW1hbnRlY1BLSS0xLTUzNDAdBgNVHQ4EFgQUX2DPYZBV34RDFIpgKrL1evRDGO8wHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwDQYJKoZIhvcNAQELBQADggEBAF6UVkndji1l9cE2UbYD49qecxnyH1mrWH5sJgUs+oHXXCMXIiw3k/eG7IXmsKP9H+IyqEVv4dn7ua/ScKAyQmW/hP4WKo8/xabWo5N9Q+l0IZE1KPRj6S7t9/Vcf0uatSDpCr3gRRAMFJSaXaXjS5HoJJtGQGX0InLNmfiIEfXzf+YzguaoxX7+0AjiJVgIcWjmzaLmFN5OUiQt/eV5E1PnXi8tTRttQBVSK/eHiXgSgW7ZTaoteNTCLD0IX4eRnh8OsN4wUmSGiaqdZpwOdgyA8nTYKvi4Os7X1g8RvmurFPW9QaAiY4nxug9vKWNmLT+sjHLF+8fk1A/yO0+MKcc=-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMBAAGjggGbMIIBlzAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nby5naWYwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20wPgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEBBQUAA4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7WaGY5eE43U68ZhjTresY8g3JbT5KlCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq14lWAyMfs77oOghZtOxFNfeKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/-----END CERTIFICATE-----

After saved each part of certificate chain into a file, I checked the certificate property for each certificate.

From the certificate properties, we can tell "Symantec Class 3 Secure Server CA - G4" is signed by "VeriSign Class 3 Public Primary Certification Authority - G5" and "VeriSign Class 3 Public Primary Certification Authority - G5" is signed by "Class 3 Public Primary Certification Authority"

From below output, local certificate SRX1 is signed by "Symantec Class 3 Secure Server CA - G4"

root@fw-SRX1-1> show security pki local-certificate detail
node0:
--------------------------------------------------------------------------
Certificate identifier: SRX1
  Certificate version: 3
  Serial number: 2d6f03041e93e1e97acd758ae940e6db
  Issuer:
    Organization: Symantec Corporation, Organizational unit: Symantec Trust Network, Country: US, Common name: Symantec Class 3 Secure Server CA - G4
  Subject:
    Organization: GG, Organizational unit: IT, Country: CA, State: Ontario, Locality: srx1, Common name: srx1.gg.com
  Subject string:
    C=CA, ST=Ontario, L=srx1, O=gg, OU=IT, CN=srx1.gg.com
  Alternate subject: email empty, srx1.gg.com, ip empty
  Validity:
    Not before: 01- 9-2015 00:00 UTC
    Not after: 04- 5-2018 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:9d:96:c7:76:c3:66:25:c3:ec:58:61
    ee:c9:9d:82:ae:d6:de:26:ff:50:e8:b1:a0:ce:cd:0f:1a:f2:59:56
    9f:7f:49:aa:de:88:a8:5d:4c:69:0a:5b:f0:91:a7:49:e4:9b:3b:df
    e4:0e:24:7d:23:fe:32:4b:c0:9e:a6:37:ff:0c:7b:ae:02:6b:1c:b7
    7c:79:29:e3:73:4d:4f:3d:5a:38:4a:f6:43:03:8b:b9:8e:19:ea:bb
    cd:52:00:5d:a8:b5:a8:3a:92:3c:38:06:13:32:50:56:31:3f:be:68
    a2:b7:e4:f0:2d:0c:a2:f1:0b:22:b3:ea:2a:9e:47:7b:5b:aa:cc:43
    9d:f2:4e:e5:86:9f:c8:37:fc:02:d4:66:34:93:e0:d6:6b:35:c9:5d
    25:29:90:6d:ab:8c:1e:00:a1:cb:79:27:b4:f9:26:2e:e4:22:20:28
    70:e1:51:b6:7d:4a:34:07:c9:a3:69:49:26:34:6a:0b:66:ee:0c:29
    a5:c6:14:04:fb:64:49:31:72:cb:10:15:c4:c4:2b:66:b3:8c:3d:21
    76:34:3d:6a:83:0b:50:92:fe:32:a4:0c:7b:d2:82:d2:3f:61:63:59
    8c:57:4b:c7:99:09:a0:57:45:6c:e9:fb:64:34:80:46:dc:43:ce:4d
    1b:d0:d9:0a:e3:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://ss.symcb.com/ss.crl
  Use for key: Key encipherment, Digital signature, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2
  Fingerprint:
    8a:ea:0d:e2:a9:28:65:d1:d4:e0:6d:77:7e:aa:75:7d:69:7d:1f:ab (sha1)
    c7:b2:a1:ad:36:aa:8e:40:3d:5e:c9:cb:ad:9b:3f:10 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

I checked the Symantec page "Licensing and Use of Root Certificates", and found there is another G5 certificate.

Downloaded it and checked the property from Windows:

This new G5 certificate will expire on 2036 and has same Issued to and Issued by, which means it is Root CA certificate. The old G5 will expire on 2021 and have different Issued to and Issued by , which means it is signed by another root CA certificate. Now I am kind of understand Symantec Certificate Chain by drawing following diagram:

Solutions:

Now it is quite clear, with those originate certificates sent from Symantec, I only have G5(2021) and G4 for CA certificate chain. I am missing one root certificate "Verisign Class 3 Public Primary CA".

I can either import another new ca certificate to complete this chain, or replace G5(2021) with the new G5(2036). I choose replace option.

All steps are listed in the following:

root@fw-SRX1-2> request security pki ca-certificate load ca-profile G5 filename /var/tmp/G5.pem  
node1:
--------------------------------------------------------------------------
error: Command aborted as CA certificate already exists. Retry after clearing the existing CA certificate

root@fw-SRX1-2> clear security pki ca-certificate ca-profile G5                                  

root@fw-SRX1-2> request security pki ca-certificate load ca-profile G5 filename /var/tmp/G5.pem  
node1:
--------------------------------------------------------------------------
Fingerprint:
  4e:b6:d5:78:49:9b:1c:cf:5f:58:1e:ad:56:be:3d:9b:67:44:a5:e5 (sha1)
  cb:17:e4:31:67:3e:e2:09:fe:45:57:93:f3:0a:fa:1c (md5)
CA certificate for profile G5 loaded successfully
root@fw-SRX1-2> request security pki ca-certificate verify ca-profile G4
node1:
--------------------------------------------------------------------------
CA certificate G4 verified successfully

root@fw-SRX1-2> request security pki ca-certificate verify ca-profile G5  
node1:
--------------------------------------------------------------------------
CA certificate G5 verified successfully

root@fw-SRX1-2> show security pki ca-certificate node0:--------------------------------------------------------------------------
Certificate identifier: G5  Issued to: VeriSign Class 3 Public Primary Certification Authority - G5, Issued by: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5  Validity:    Not before: 11- 8-2006 00:00 UTC    Not after: 07-16-2036 23:59 UTC  Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: G4  Issued to: Symantec Class 3 Secure Server CA - G4, Issued by: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5  Validity:    Not before: 10-31-2013 00:00 UTC    Not after: 10-30-2023 23:59 UTC  Public key algorithm: rsaEncryption(2048 bits)

Verify:

Check IKE and IPSec SA Staus

root@fw-SRX1-2> show security ike security-associations
node1:
--------------------------------------------------------------------------
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
301675926 UP   a148a554596bf461  cc586e1ce0d381be  Main           10.9.1.1    
{secondary:node0}
root@fw-SRX1-2> show security ipsec security-associations
node1:
--------------------------------------------------------------------------
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 c2a9ad05 1690/ unlim - root 500 10.9.1.1    
  >131073 ESP:aes-cbc-128/sha1 3fd4eedc 1690/ unlim - root 500 10.9.1.1     

Configuration:

Interfaces {
    st0 {
        unit 0 {
            family inet;
        }
    }
}

admin@fw-2> show configuration routing-instances 
vr_SRX2{
    instance-type virtual-router;
    interface reth9.0;
    interface st0.0;
    routing-options {
        static {
            route 1.1.1.0/24 next-hop 10.4.1.2;
            route 10.9.0.0/16 next-hop st0.0;
            route 10.9.1.1/32 next-hop 10.4.1.2;
        }
        aggregate {
            route 10.94.0.0/16 {
                preference 2;
            }
            route 192.168.0.0/16 {
                preference 2;
            }
        }
        instance-import from_all_to_SRXl;
    }
}

pki {

    ca-profile G4 {
        ca-identity test.com;
        revocation-check {
            disable;
        }
        administrator {
            email-address "[email protected]";
        }
    }
    ca-profile G5 {
        ca-identity test.com;
        revocation-check {
            disable;
        }
        administrator {
            email-address "test1.test.com";
        }
    }
    traceoptions {
        file PKITRACE size 1m;
        flag all;
    }
}

ike {

    inactive: traceoptions {
        file IKELOG size 1m;
        flag policy-manager;
        flag ike;
        flag routing-socket;
        flag certificates;
    }
    proposal P1-AES_1_1 {
        authentication-method rsa-signatures;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 86400;
    }
    policy ike-pol-Myvpn {
        mode main;
        proposals P1-AES_1_1;
        certificate {
            local-certificate SRX1;
            peer-certificate-type x509-signature;
        }
        inactive: pre-shared-key ascii-text "$9$4xZGjqmT3nCHqp01IcSs2g4Uj"; ## SECRET-DATA
    }
    gateway gw-TheirGateway {
        ike-policy ike-pol-Myvpn;
        address 10.9.1.1;
        local-identity hostname srx1.test.com;
        remote-identity hostname srx2.test.com;
        external-interface reth9.0;
        local-address 10.4.1.1;
    }
}

ipsec {

    proposal P2-AES_1 {
        description group2;
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 3600;
    }
    policy ipsec-pol-1 {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals P2-AES_1;
    }
    vpn vpn-ToThem {
        bind-interface st0.0;
        ike {
            gateway gw-TheirGateway;
            idle-time 1800;
            ipsec-policy ipsec-pol-1;
        }
    }
}