Juniper TLS certificate install
In the fundraising environment, we use certificates issued by the pre-existing Puppet certificate authority to protect syslog traffic with TLS. We used the Puppet CA to generate a client certificate for the SRX routers, so they can log securely to the fundraising central loggers.
Preparation
Generate a client certificate
frpm1001:~$ sudo puppet cert generate pfw-codfw.wikimedia.org
Copy the CA certificate, the client certificate and its private key to the router (this assumes read permissions to /var/lib/puppet/ssl/* and pre-existing destination directories on the pfw)
frpm1001:~$ scp /var/lib/puppet/ssl/certs/ca.pem pfw3-codfw.wikimedia.org:certs/
frpm1001:~$ scp /var/lib/puppet/ssl/certs/pfw-codfw.wikimedia.org.pem pfw3-codfw.wikimedia.org:certs/
frpm1001:~$ scp /var/lib/puppet/ssl/private_keys/pfw-codfw.wikimedia.org.pem pfw3-codfw.wikimedia.org:private_keys/
Certificate reinstall/install
pfw3-codfw> clear security pki ca-certificate ca-profile frack-ca-profile [no output]
pfw3-codfw> request security pki ca-certificate load ca-profile frack-ca-profile filename /var/tmp/ssl/certs/ca.pem
node0:
--------------------------------------------------------------------------
Fingerprint:
49:98:40:62:4f:a2:f7:41:6f:4c:b2:5b:0e:81:6a:f5:0b:9a:49:ad (sha1)
82:76:6e:43:ee:36:48:1c:c3:d2:ae:a3:fe:bd:2f:b2 (md5)
CA certificate for profile frack-ca-profile loaded successfully
pfw3-codfw> clear security pki local-certificate certificate-id pfw-codfw [no output]
pfw3-codfw> clear security pki key-pair certificate-id pfw-codfw
node0:
--------------------------------------------------------------------------
Key pair deleted successfully
pfw3-codfw> request security pki local-certificate load certificate-id pfw-codfw filename /var/tmp/ssl/certs/pfw-codfw.wikimedia.org.pem key /var/tmp/ssl/private_keys/pfw-codfw.wikimedia.org.pem
node0:
--------------------------------------------------------------------------
Local certificate loaded successfully
pfw3-codfw> clear services ssl initiation counters [no output]
Verification
When the certificate is loaded you should see it here:
cmooney@pfw1-eqiad> show security pki local-certificate
node0:
--------------------------------------------------------------------------
LSYS: root-logical-system
Certificate identifier: pfw-eqiad
Issued to: pfw-eqiad.wikimedia.org, Issued by: CN = Puppet CA: frpm1002.frack.eqiad.wmnet
Validity:
Not before: 11-12-2023 16:09 UTC
Not after: 11-11-2028 16:09 UTC
Public key algorithm: rsaEncryption(4096 bits)
Keypair Location: Keypair generated locally
{primary:node0}
After this is loaded you can apply the configuration under 'set services ssl' which references the CA profile and the certificate. Once this is done you should see output as per below:
pfw3-codfw> show services ssl certificate detail [long output]
Cleanup
pfw3-codfw> file delete-directory /var/tmp/ssl recurse [no output]
See also
task T312601 - Fundraising pfw rsyslog TLS errors
task T334676 - Refresh client certificate for central logging on pfw's