
SBR does not support certificates signed by SHA-2 algorithm


Article ID: KB23075 | KB Last Updated: 08 Mar 2017 | Version: 4.0
Summary:
 This article describes SBR's lack of support for certificates signed with the SHA-2 algorithm.
Symptoms:
  • SBR server certificates are renewed by using a new 2048-bit root CA, so the new cert.cer files are returned with the new chain up to the new 2048-bit root CA.

  • The cert.cer and server.sbrpvk files are imported into the RADIUS server through the GUI. However, clients reject the certificate with the following error message:
    EAP-TLS authentication failed - client issued alert 'unknown root certificate authority
Cause:
 
Solution:
Root CAs such as VeriSign use SHA-2 to sign their new certificates. SBR will not work with these certificates, because it does not support certificates signed with SHA-2.

Alternatively, check the following factors:

  1. SBR can handle 2048-bit certificates without any issues (both the GUI and the server itself). Any certificate larger than 2048 bits causes GUI and server issues. SBR can accept a 4096-bit root certificate if it is manually copied to the Root folder, found under the Service directory; otherwise, 4096-bit server certificates are not supported at all.

  2. If the root certificate has changed and no longer matches the root certificate that signed the SBR server certificate, clients fail to authenticate. Installing the newly issued root certificate on the client should resolve the issue.


Note: For SHA-2 support, contact your sales or account team for assistance.
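
The three conditions described above (SHA-2 signature, key larger than 2048 bits, server certificate not chaining to the expected root) can be checked with the openssl command-line tool before a renewed certificate is imported. The script below is an added example, not Juniper code; it assumes PEM-encoded files, and the function names `sbr_cert_check` and `make_sample` are hypothetical.

```shell
#!/bin/sh
# Added example (not Juniper code): flag the certificate properties this
# article associates with SBR EAP-TLS failures, before importing cert.cer.
# Usage: sbr_cert_check SERVER_CERT ROOT_CERT   (PEM files, placeholder names)

sbr_cert_check() {
    cert=$1; root=$2; rc=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 2

    # 1. Signature hash: SHA-2 family names as printed by openssl.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $(printf '%s' "$sigalg" | tr 'A-Z' 'a-z') in
        *sha224*|*sha256*|*sha384*|*sha512*)
            echo "FLAG sigalg=$sigalg (SHA-2 signed)"; rc=1 ;;
        *)  echo "OK   sigalg=$sigalg" ;;
    esac

    # 2. Key size: the article reports GUI and server issues above 2048 bits.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -gt 2048 ]; then
        echo "FLAG keybits=$bits (larger than 2048)"; rc=1
    else
        echo "OK   keybits=${bits:-unknown}"
    fi

    # 3. Root match: the server certificate must chain to the root the
    #    clients trust. Match on ": OK" rather than the exit status,
    #    which is not reliable on old openssl builds.
    if openssl verify -CAfile "$root" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "OK   chain verifies against $root"
    else
        echo "FLAG chain does not verify against $root"; rc=1
    fi
    return $rc
}

# Constructed sample input: a throwaway self-signed SHA-256 certificate.
make_sample() {  # make_sample OUT_CERT COMMON_NAME
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Run against real files when two arguments are given.
if [ "$#" -eq 2 ]; then sbr_cert_check "$1" "$2"; fi
```

The function returns 0 only when nothing is flagged, 1 when at least one condition is flagged, and 2 when the certificate cannot be parsed. If the new chain includes intermediate certificates, pass a bundle containing the intermediates and the root as the second argument.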