[SRX] Validity-related restrictions when adding a Server Certificate under SSL configuration

Article ID: KB34126 | Last Updated: 23 Apr 2019 | Version: 1.0
Summary:

When configuring an SSL termination or proxy profile for reverse or forward SSL proxy, there is an option to add a server certificate. See the SSL Proxy documentation for more details.

However, a local certificate installed on the SRX device must satisfy certain validity-period restrictions before it can be referenced under the SSL configuration.

This article describes the validity-related restrictions that must be taken into account when adding a server certificate under the SSL configuration.

 

Symptoms:

Three restrictions apply to the validity period of a server certificate that is referenced under the SSL configuration on SRX devices:

  1. The "Not Before" time on the certificate must not be later than the current time on the device (the certificate must already be valid).
  2. The "Not After" time on the certificate must not be earlier than the current time on the device (the certificate must not have expired).
  3. The total validity period of the certificate (Not Before to Not After) must not exceed 18 years. A period of exactly 18 years is accepted.

If any of these checks fails, a commit of an SSL configuration that references the certificate is rejected with the following error:

# commit
error: certificate 'cert-id': check validity period .
error: configuration check-out failed
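The comparison is made against the device's own clock at commit time (in the scenarios below the time source is LOCAL CLOCK), so an incorrect system time alone can reject a certificate that is otherwise fine. The three checks can therefore be run ahead of time against the text of "show security pki local-certificate" and the intended device time, before the configuration is pushed. The following Python script is an added example and not Juniper code: it parses the Validity block in the format the SRX prints (MM-DD-YYYY HH:MM UTC with a space-padded day) and applies the same three tests against a supplied clock value. It assumes the 18-year limit is measured on the calendar (Not After no later than Not Before plus 18 years); that agrees with the scenarios in this article, but the exact rule Junos applies internally is not stated here. The sample output embedded in the script is constructed from the 19-year certificate shown in Scenario 3 below.

```python
import re
from datetime import datetime, timezone

# Maximum validity period (Not Before -> Not After) accepted under the SSL
# configuration, per this article. Exactly 18 years is accepted.
MAX_VALIDITY_YEARS = 18

# Constructed sample, copied from the 19-year certificate shown in Scenario 3
# of this article; it was not captured from a live device for this example.
SAMPLE_OUTPUT = """\
Certificate identifier: ms-cert
  Issued to: 10.219.31.4, Issued by: O = Juniper, CN = juniper-test.com, emailAddress = test@juniper-test.com
  Validity:
    Not before: 04- 1-2019 09:42 UTC
    Not after: 04- 1-2038 09:42 UTC
  Public key algorithm: rsaEncryption(2048 bits)
"""

# Junos prints the dates as MM-DD-YYYY HH:MM UTC with a space-padded day,
# e.g. "04- 1-2019 09:42 UTC", so the regex tolerates whitespace after the first dash.
_VALIDITY_RE = re.compile(
    r"Not (before|after):\s*(\d{1,2})-\s*(\d{1,2})-(\d{4})\s+(\d{1,2}):(\d{2})\s+UTC"
)


def utc(year, month, day, hour=0, minute=0):
    """Build an aware UTC datetime (used for the device's 'current time')."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_validity(output):
    """Return (not_before, not_after) from 'show security pki local-certificate' text."""
    found = {}
    for m in _VALIDITY_RE.finditer(output):
        which, mon, day, year, hh, mm = m.groups()
        found[which] = utc(int(year), int(mon), int(day), int(hh), int(mm))
    if "before" not in found or "after" not in found:
        raise ValueError("Validity block with 'Not before' and 'Not after' not found")
    return found["before"], found["after"]


def _add_years(dt, years):
    """Same calendar date `years` later; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


def check_validity(not_before, not_after, now):
    """Apply the three commit-time restrictions.

    Returns a list of failure reasons; an empty list means the certificate
    would pass the validity check when referenced under [edit services ssl].
    """
    problems = []
    # 1. The certificate must already be valid on the device's clock.
    if not_before > now:
        problems.append(f"Not Before {not_before:%Y-%m-%d %H:%M} is later than current time {now:%Y-%m-%d %H:%M}")
    # 2. The certificate must not have expired on the device's clock.
    if not_after < now:
        problems.append(f"Not After {not_after:%Y-%m-%d %H:%M} is earlier than current time {now:%Y-%m-%d %H:%M}")
    # 3. The total validity period must not exceed 18 years.
    #    Assumption: measured on the calendar, i.e. Not After <= Not Before + 18 years.
    limit = _add_years(not_before, MAX_VALIDITY_YEARS)
    if not_after > limit:
        problems.append(f"validity period exceeds {MAX_VALIDITY_YEARS} years (Not After is later than {limit:%Y-%m-%d %H:%M})")
    return problems


def would_commit(output, now):
    """True if the certificate in `output` passes all three checks at time `now`."""
    not_before, not_after = parse_validity(output)
    return not check_validity(not_before, not_after, now)


if __name__ == "__main__":
    nb, na = parse_validity(SAMPLE_OUTPUT)
    for reason in check_validity(nb, na, utc(2019, 4, 15, 12, 0)) or ["ok: would commit"]:
        print(reason)
```

Paste the real "show security pki local-certificate" output into SAMPLE_OUTPUT (or read it from a file) and pass the device's "Current time" from "show system uptime" as `now`; because the device compares against its own clock, use that value rather than the workstation's time.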

 

Solution:

Example configuration statement (an SSL termination profile that references the local certificate ms-cert):

root@SRX# show | compare
[edit]
+  services {
+      ssl {
+          termination {
+              profile test {
+                  server-certificate ms-cert;
+              }
+          }
+      }
+  }
 

Scenario 1: Not Before is later than the current time:

root@SRX# run show system uptime
Current time: 2019-03-01 16:24:24 UTC             <<<<<<<<<<<<<<<<<<<<
Time Source:  LOCAL CLOCK
System booted: 2019-02-18 17:16:19 UTC (1w3d 23:08 ago)
Protocols started: 2019-02-18 17:16:20 UTC (1w3d 23:08 ago)
Last configured: 2019-04-01 09:43:46 UTC (-17:-19:-22 ago) by root
 4:24PM  up 10 days, 23:08, 1 user, load averages: 0.03, 0.05, 0.05

[edit]
root@SRX# run show security pki local-certificate
Certificate identifier: ms-cert
  Issued to: 10.219.31.4, Issued by: O = Juniper, CN = juniper-test.com, emailAddress = test@juniper-test.com
  Validity:
    Not before: 04- 1-2019 09:39 UTC               <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    Not after: 04- 1-2037 09:39 UTC
  Public key algorithm: rsaEncryption(2048 bits)

[edit]
root@SRX# commit
error: certificate 'ms-cert': check validity period .
error: configuration check-out failed
 

Scenario 2: Not After is earlier than the current time:

root@SRX# run show security pki local-certificate
Certificate identifier: ms-cert
  Issued to: 10.219.31.4, Issued by: O = Juniper, CN = juniper-test.com, emailAddress = test@juniper-test.com
  Validity:
    Not before: 04- 1-2019 10:56 UTC
    Not after: 04- 1-2020 10:56 UTC                              <<<<<<<<<<<<<<<<<<<<<
  Public key algorithm: rsaEncryption(2048 bits)

[edit]
root@SRX# run show system uptime
Current time: 2022-03-01 16:24:15 UTC                           <<<<<<<<<<<<<<<<<<
Time Source:  LOCAL CLOCK
System booted: 2022-02-18 17:11:50 UTC (1w3d 23:12 ago)
Protocols started: 2022-02-18 17:11:50 UTC (1w3d 23:12 ago)
Last configured: 2019-04-01 09:43:46 UTC (152w1d 06:40 ago) by root
 4:24PM  up 10 days, 23:12, 1 user, load averages: 0.14, 0.13, 0.08

[edit]
root@SRX# commit
error: certificate 'ms-cert': check validity period .
error: configuration check-out failed
 

Scenario 3: The validity period of the certificate exceeds 18 years (19 years in this example):

root@SRX# run show security pki local-certificate
Certificate identifier: ms-cert
  Issued to: 10.219.31.4, Issued by: O = Juniper, CN = juniper-test.com, emailAddress = test@juniper-test.com
  Validity:
    Not before: 04- 1-2019 09:42 UTC
    Not after: 04- 1-2038 09:42 UTC
  Public key algorithm: rsaEncryption(2048 bits)

[edit]
root@SRX# commit
error: certificate 'ms-cert': check validity period .
error: configuration check-out failed

With the Not After date moved one year earlier, so that the validity period is exactly 18 years and the current time falls inside it, the same configuration commits:

root@SRX# run show security pki local-certificate
Certificate identifier: ms-cert
  Issued to: 10.219.31.4, Issued by: O = Juniper, CN = juniper-test.com, emailAddress = test@juniper-test.com
  Validity:
    Not before: 04- 1-2019 09:39 UTC
    Not after: 04- 1-2037 09:39 UTC
  Public key algorithm: rsaEncryption(2048 bits)

[edit]
root@SRX# commit
commit complete

Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search