
[SRX] Unable to configure SSL-FP on SRX after TPM is enabled

Article ID: KB34228 | KB Last Updated: 07 Jun 2019 | Version: 1.0
Summary:

After enabling TPM, committing SSL-FP (SSL forward proxy) related changes fails the commit check with the following error:

certificate 'name': key does not exist

Note: The behavior described in this KB has been tested on the following Junos versions:
15.1X49-D170, 17.4R2.4, 18.1R2.6, 18.2R2.6, 18.3R1.9

Symptoms:

When TPM is enabled, generating a key pair and a local certificate and then configuring SSL-FP results in the following error upon commit:

  1. Check TPM status:

    root# run show security tpm status                            
    TPM Status:
      Enabled: yes
      Owned: yes
      Master Binding Key: created
      Master Encryption Key: configured
      TPM Family: 1.2
      TPM Firmware version: 4.40
    
  2. Generate key-pair and self-signed local cert

  3. Configure SSL Proxy profile with the local cert and call the profile under security policy

    root# show|compare    
    [edit]
    +  services {
    +      ssl {
    +          proxy {
    +              profile SSL {
    +                  trusted-ca all;
    +                  root-ca selfsigned;
    +              }
    +          }
    +      }
    +  }
    [edit security]
    +   policies {
    +       from-zone trust to-zone untrust {
    +           policy tr-to-un {
    +               match {
    +                   source-address any;
    +                   destination-address any;
    +                   application any;
    +               }
    +               then {
    +                   permit {
    +                       application-services {
    +                           ssl-proxy {
    +                               profile-name SSL;
    +                           }
    +                       }
    +                   }
    +               }
    +           }
    +       }
    +   }
    +   zones {
    +       security-zone trust;
    +       security-zone untrust;
    +   }

    [edit]
    root# commit
    error: certificate 'selfsigned': key does not exist
    error: configuration check-out failed

Solution:

SSL Proxy has not been tested with TPM mode, and this setup is not supported.
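As an added pre-commit check that is not part of the KB article: the Python script below parses the `show security tpm status` output and a `show | compare` diff (both samples constructed from the text above) and flags any SSL proxy profile that would hit this unsupported combination before the commit is attempted. The function names and the warning text are assumptions.

```python
import re
# Constructed sample of `show security tpm status` output, values as in the KB article.
TPM_STATUS_SAMPLE = """\
TPM Status:
  Enabled: yes
"""

# Constructed sample of `show | compare` output: the SSL proxy part of the KB example.
CANDIDATE_DIFF_SAMPLE = """\
[edit]
+  services {
+      ssl {
+          proxy {
+              profile SSL {
+                  root-ca selfsigned;
+              }
+          }
+      }
+  }
"""

def tpm_enabled(status_output: str) -> bool:
    """True when the TPM status output reports 'Enabled: yes'."""
    m = re.search(r"^\s*Enabled:\s*(\S+)", status_output, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "yes"

def added_ssl_proxy_profiles(diff_output: str) -> list:
    """Names of profiles added under [edit services ssl proxy] in a show|compare diff."""
    found, stack = [], []
    for raw in diff_output.splitlines():
        line = raw.strip()
        if line.startswith("[edit"):          # section header sets the hierarchy root
            stack = line.strip("[]").split()[1:]
        elif line.startswith("+"):            # only added statements matter
            line = line[1:].strip()
            if line == "}" and stack:
                stack.pop()
            elif line.endswith("{"):
                name = line[:-1].strip()
                if stack == ["services", "ssl", "proxy"] and name.startswith("profile "):
                    found.append(name.split()[1])
                stack.append(name.split()[0])
    return found

def tpm_ssl_proxy_conflicts(status_output: str, diff_output: str) -> list:
    """Warnings for SSL proxy profiles that would be committed while the TPM is enabled."""
    if not tpm_enabled(status_output):
        return []
    return [f"SSL proxy profile '{p}' added with TPM enabled: unsupported" for p in added_ssl_proxy_profiles(diff_output)]
```

Run it against the live outputs before committing; an empty list means no SSL proxy profile is being added while the TPM is enabled.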
