[SRX] Unable to configure SSL-FP on SRX after TPM is enabled

  [KB34228]


Summary:

After TPM is enabled, committing SSL-FP (SSL forward proxy) related changes fails the commit check with the following error:

certificate 'name': key does not exist

Note: The behavior described in this KB has been tested on the following Junos versions:
15.1X49-D170, 17.4R2.4, 18.1R2.6, 18.2R2.6, 18.3R1.9


Symptoms:

When TPM is enabled, generating a key-pair and a local certificate and then configuring SSL-FP with that certificate results in the following error upon commit:

  1. Check TPM status:

    root# run show security tpm status                            
    TPM Status:
      Enabled: yes
      Owned: yes
      Master Binding Key: created
      Master Encryption Key: configured
      TPM Family: 1.2
      TPM Firmware version: 4.40
    
  2. Generate key-pair and self-signed local cert

  3. Configure SSL Proxy profile with the local cert and call the profile under security policy

    root# show|compare    
    [edit]
    +  services {
    +      ssl {
    +          proxy {
    +              profile SSL {
    +                  trusted-ca all;
    +                  root-ca selfsigned;
    +              }
    +          }
    +      }
    +  }
    [edit security]
    +   policies {
    +       from-zone trust to-zone untrust {
    +           policy tr-to-un {
    +               match {
    +                   source-address any;
    +                   destination-address any;
    +                   application any;
    +               }
    +               then {
    +                   permit {
    +                       application-services {
    +                           ssl-proxy {
    +                               profile-name SSL;
    +                           }
    +                       }
    +                   }
    +               }
    +           }
    +       }
    +   }
    +   zones {
    +       security-zone trust;
    +       security-zone untrust;
    +   }
    
    [edit]
    root# commit
    error: certificate 'selfsigned': key does not exist
    error: configuration check-out failed
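As an added example (not part of the KB), a small Python pre-commit check that parses the two CLI outputs shown above, `show security tpm status` and `show | compare`, and reports any SSL proxy root-ca being added while TPM is enabled, so the unsupported combination is caught before `commit` fails. The sample outputs are constructed from the KB's own listing; the function names are hypothetical.

```python
import re

# Constructed sample of `show security tpm status`, modelled on the KB listing.
TPM_STATUS = """\
TPM Status:
  Enabled: yes
  Owned: yes
  Master Binding Key: created
  Master Encryption Key: configured
  TPM Family: 1.2
  TPM Firmware version: 4.40
"""

# Constructed sample of `show | compare` adding an SSL proxy profile.
CANDIDATE_DIFF = """\
[edit]
+  services {
+      ssl {
+          proxy {
+              profile SSL {
+                  trusted-ca all;
+                  root-ca selfsigned;
+              }
+          }
+      }
+  }
"""


def tpm_enabled(status_text):
    """True when `show security tpm status` reports 'Enabled: yes'."""
    m = re.search(r"^\s*Enabled:\s*(\w+)", status_text, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "yes"


def ssl_proxy_root_cas(diff_text):
    """Names of root-ca certificates added under [edit services ssl proxy].

    Only '+' (added) lines are considered; nesting is tracked by brace depth
    and reset at each '[edit ...]' header, so a root-ca in another stanza
    is not counted.
    """
    stack, found = [], []
    for raw in diff_text.splitlines():
        if raw.startswith("[edit"):
            stack = raw.strip()[len("[edit"):-1].split()  # hierarchy of this hunk
            continue
        if not raw.startswith("+"):
            continue
        line = raw[1:].strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if stack:
                stack.pop()
        elif line.startswith("root-ca ") and line.endswith(";"):
            if stack[:3] == ["services", "ssl", "proxy"]:
                found.append(line[len("root-ca "):-1].strip())
    return found


def unsupported_commit(status_text, diff_text):
    """Root-ca names that would hit the KB's 'key does not exist' failure:
    SSL proxy root-ca added while TPM is enabled. Empty list means OK."""
    if not tpm_enabled(status_text):
        return []
    return ssl_proxy_root_cas(diff_text)
```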

Solution:

SSL Proxy has not been tested with TPM mode enabled, and this setup is not supported.
