Juniper TLS certificate install

From Wikitech

In the fundraising environment, we use certificates from the pre-existing Puppet certificate authority to encrypt syslog traffic. We used the Puppet CA to generate a certificate for the SRX routers, so they can log securely to the fundraising central loggers.

Preparation

Generate a client certificate

frpm1001:~$ sudo puppet cert generate pfw-codfw.wikimedia.org

Copy the relevant certificates to the router (this assumes read permission on /var/lib/puppet/ssl/* and that the destination directories certs/ and private_keys/ already exist on the pfw)

frpm1001:~$ scp /var/lib/puppet/ssl/certs/ca.pem pfw3-codfw.wikimedia.org:certs/
frpm1001:~$ scp /var/lib/puppet/ssl/certs/pfw-codfw.wikimedia.org.pem pfw3-codfw.wikimedia.org:certs/
frpm1001:~$ scp /var/lib/puppet/ssl/private_keys/pfw-codfw.wikimedia.org.pem pfw3-codfw.wikimedia.org:private_keys/

Certificate reinstall/install

pfw3-codfw> clear security pki ca-certificate ca-profile frack-ca-profile

[no output]
pfw3-codfw> request security pki ca-certificate load ca-profile frack-ca-profile filename /var/tmp/ssl/certs/ca.pem

node0:
--------------------------------------------------------------------------
Fingerprint:
  49:98:40:62:4f:a2:f7:41:6f:4c:b2:5b:0e:81:6a:f5:0b:9a:49:ad (sha1)
  82:76:6e:43:ee:36:48:1c:c3:d2:ae:a3:fe:bd:2f:b2 (md5)
CA certificate for profile frack-ca-profile loaded successfully
pfw3-codfw> clear security pki local-certificate certificate-id pfw-codfw

[no output]
pfw3-codfw> clear security pki key-pair certificate-id pfw-codfw

node0:
--------------------------------------------------------------------------
Key pair deleted successfully
pfw3-codfw> request security pki local-certificate load certificate-id pfw-codfw filename /var/tmp/ssl/certs/pfw-codfw.wikimedia.org.pem key /var/tmp/ssl/private_keys/pfw-codfw.wikimedia.org.pem

node0:
--------------------------------------------------------------------------
Local certificate loaded successfully
pfw3-codfw> clear services ssl initiation counters

[no output]

Verification

When the certificate is loaded you should see it here:

cmooney@pfw1-eqiad> show security pki local-certificate 
node0:
--------------------------------------------------------------------------

LSYS: root-logical-system
Certificate identifier: pfw-eqiad
  Issued to: pfw-eqiad.wikimedia.org, Issued by: CN = Puppet CA: frpm1002.frack.eqiad.wmnet
  Validity:
    Not before: 11-12-2023 16:09 UTC
    Not after: 11-11-2028 16:09 UTC
  Public key algorithm: rsaEncryption(4096 bits)
  Keypair Location: Keypair generated locally

{primary:node0}

Once the certificate is loaded you can apply the configuration under 'set services ssl' which references the CA and certificate. Once this is done you should see output like the following:

pfw3-codfw> show services ssl certificate detail

[long output]

Cleanup

pfw3-codfw> file delete-directory /var/tmp/ssl recurse

[no output]

See also

task T312601 - Fundraising pfw rsyslog TLS errors

task T334676 - Refresh client certificate for central logging on pfw's