
[SRX] Why does SSL Forward Proxy deployment not work with certificates signed by public CAs?


Article ID: KB34329 KB Last Updated: 26 May 2019Version: 1.0
Summary:

When users switch the SSL Forward Proxy to a public-CA-signed certificate, HTTPS sites become inaccessible. The browser reports the error: “This certificate doesn’t seem to be appropriate for the chosen purpose”.

This article explains why this happens and what must be done to make SSL Forward Proxy work with certificates issued by a public CA.

Symptoms:

SSL Forward Proxy does not work with public-CA-signed certificates. A certificate error is reported with the message “This certificate doesn’t seem to be appropriate for the chosen purpose”.

Cause:

Typically, no CA whose root is trusted by browsers will issue a certificate with certificate-issuing rights to a normal enterprise. By contrast, the self-signed certificates generated on an SRX device are created with the add-ca-constraint option, which marks the certificate as one that may sign other certificates.

In the case above, the sites do not open and the browser displays an error because the certificate does not have signing permission. That permission is controlled by constraints set in the issued certificate: the Basic Constraints extension. For example, the certificate on www.juniper.net has Basic Constraints set to Subject Type=End Entity, whereas the intermediate CA certificate from DigiCert has Subject Type=CA.
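As an added illustration (not part of the original article), the following Python script, using only the standard library, encodes and decodes the X.509 Basic Constraints and Key Usage extensions in DER and applies the check a forward proxy implicitly depends on: only a certificate with cA=TRUE (and keyCertSign, when Key Usage is present) may issue on-the-fly certificates. The two extension lists are constructed for this example and are not taken from real certificates.

```python
"""Decode X.509 Basic Constraints / Key Usage from a DER extension list and
decide whether a certificate may sign other certificates (stdlib only).
The sample extension lists at the bottom are constructed for this example."""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"
KEY_CERT_SIGN_BIT = 5  # RFC 5280 KeyUsage bit number for keyCertSign


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_basic_constraints(ca: bool, path_len=None) -> bytes:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL }.
    DER omits cA when it equals its DEFAULT, so an end-entity value is an empty SEQUENCE."""
    inner = _tlv(0x01, b"\xff") if ca else b""
    if path_len is not None:
        inner += _tlv(0x02, bytes([path_len]))
    ext_value = _tlv(0x04, _tlv(0x30, inner))
    return _tlv(0x30, encode_oid(OID_BASIC_CONSTRAINTS) + _tlv(0x01, b"\xff") + ext_value)


def encode_key_usage(bits) -> bytes:
    """KeyUsage ::= BIT STRING; bit 0 is the most significant bit of the first byte."""
    byte = 0
    for bit in bits:
        byte |= 0x80 >> bit
    bit_string = _tlv(0x03, bytes([7 - max(bits), byte]))  # first byte = unused bit count
    return _tlv(0x30, encode_oid(OID_KEY_USAGE) + _tlv(0x01, b"\xff") + _tlv(0x04, bit_string))


def parse_extensions(der: bytes) -> dict:
    """Map OID -> (critical, extnValue bytes) for a DER SEQUENCE OF Extension."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE of extensions")
    exts, pos = {}, 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)
        _, oid_body, p = _read_tlv(ext, 0)
        tag, item, p = _read_tlv(ext, p)
        critical = False
        if tag == 0x01:  # optional 'critical' BOOLEAN precedes the OCTET STRING
            critical, (tag, item, p) = item != b"\x00", _read_tlv(ext, p)
        exts[_decode_oid(oid_body)] = (critical, item)
    return exts


def decode_basic_constraints(value: bytes):
    """Return (cA, pathLenConstraint) from an extnValue; absent cA means FALSE."""
    _, body, _ = _read_tlv(value, 0)
    ca, path_len, pos = False, None, 0
    while pos < len(body):
        tag, item, pos = _read_tlv(body, pos)
        if tag == 0x01:
            ca = item != b"\x00"
        elif tag == 0x02:
            path_len = int.from_bytes(item, "big")
    return ca, path_len


def key_usage_allows_cert_sign(value: bytes) -> bool:
    _, body, _ = _read_tlv(value, 0)
    bits = body[1:]  # body[0] is the unused-bits count
    return len(bits) > 0 and bool(bits[0] & (0x80 >> KEY_CERT_SIGN_BIT))


def can_issue_certificates(extensions_der: bytes) -> bool:
    """True only when cA=TRUE and, if Key Usage is present, it includes keyCertSign.
    A certificate without Basic Constraints is treated as an end entity."""
    exts = parse_extensions(extensions_der)
    if OID_BASIC_CONSTRAINTS not in exts:
        return False
    ca, _ = decode_basic_constraints(exts[OID_BASIC_CONSTRAINTS][1])
    if not ca:
        return False
    if OID_KEY_USAGE in exts and not key_usage_allows_cert_sign(exts[OID_KEY_USAGE][1]):
        return False
    return True


# Constructed samples: what a public CA issues to a web server (end entity,
# digitalSignature + keyEncipherment) versus an internal sub-CA certificate
# (cA=TRUE, pathLen 0, keyCertSign + cRLSign).
PUBLIC_SERVER_EXTS = _tlv(0x30, encode_basic_constraints(False) + encode_key_usage([0, 2]))
SUB_CA_EXTS = _tlv(0x30, encode_basic_constraints(True, 0) + encode_key_usage([5, 6]))

if __name__ == "__main__":
    for name, exts in (("public-CA server cert", PUBLIC_SERVER_EXTS), ("internal sub-CA cert", SUB_CA_EXTS)):
        print(f"{name}: can sign on-the-fly certificates = {can_issue_certificates(exts)}")
```

The same decision is what a browser makes when it validates the proxy-generated leaf: it walks up to the SRX certificate, finds Subject Type=End Entity (an empty Basic Constraints SEQUENCE, or no keyCertSign), and rejects the chain with the "not appropriate for the chosen purpose" error.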

A screenshot of the self-signed certificate generated with the add-ca-constraint option shows the Basic Constraints extension with Certificate Authority: YES.

Solution:

Because a certificate issued by a public CA (such as DigiCert) for the SRX device will not have the CA constraint set, the SRX device cannot use it to sign the on-the-fly certificates for the sites that users request.

To resolve this issue, use your internal CA to issue a certificate for the SRX device with CA permissions (select Subordinate CA/Sub-CA as the certificate type). Then use that certificate for SSL inspection, so that the SRX device, acting as the proxy, can generate an on-the-fly certificate for each site that users access.

Example

  1. On the Request a Certificate page of the Microsoft Active Directory Certificate Services tool, click advanced certificate request.

  2. On the Submit a Certificate Request or Renewal Request page, select Subordinate Certification Authority as the Certificate Template.
