[CSO] Validating the PKI certificate from CSO stage-1 config on SRX/vSRX devices

Article ID: KB37144 KB Last Updated: 22 Jun 2021Version: 1.0
Summary:

This article describes how to validate the PKI certificates that are generated by Contrail Service Orchestration (CSO) during Stage-1 configuration on SRX/vSRX devices.

Note: It is assumed that the PKI certificate has been copied and loaded successfully onto the device.

Symptoms:

If the PKI certificate fails verification (or any error is reported while verifying it), the device cannot establish its Border Gateway Protocol (BGP) sessions with CSO and the VRR: the peers stay in Connect state and the static OAM tunnels (st0 interfaces) remain Down.

Check whether the certificate is valid:

root@SRX> request security pki local-certificate verify certificate-id PKI_Certificate
Error: Certificate /DC=net/DC=Juniper/DC=CA/CN=CA-WIN-PKI-SERVER-CA is not valid yet

Observe that the tunnels are down:

root@SRX> show bgp summary 
Threading mode: BGP I/O
Default eBGP mode: advertise - accept, receive - accept
Groups: 19 Peers: 22 Down peers: 12
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0               
                       0          0          0          0          0          0
bgp.l3vpn.0          
                       0          0          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
<CSO_IP>              64512          0          0       0       0        3:34 Connect
<VRR_IP>              64512          0          0       0       0        3:34 Connect


root@SRX> show interfaces terse | match st0.40   
st0.4004                up    down inet     10.128.8.131/31 
st0.4005                up    down inet     10.144.8.131/31 

Cause:

The verification error and the resulting tunnel Down state are most likely caused by the device's date and time not being current, so that the system clock falls outside the PKI certificate's validity range (Not before / Not after).

Compare system time with certificate validity:

root@SRX> show system uptime
Current time: 2020-02-22 22:23:30 UTC
Time Source:  LOCAL CLOCK
System booted: 2020-02-21 21:16:02 UTC (1d 01:07 ago)
Protocols started: 2020-02-21 21:17:00 UTC (1d 01:06 ago)
Last configured: 2021-06-08 07:05:44 UTC (-8:-42:-14 ago) by root
10:23PM  up 1 day,  1:07, 1 users, load averages: 0.45, 0.37, 0.29

root@SRX> show security pki local-certificate certificate-id PKI_Certificate
LSYS: root-logical-system
Certificate identifier: PKI_Certificate
  Issued to: PKI_Certificate, Issued by: DC = net, DC = Juniper, DC = CA, CN = CA-WIN-PKI-SERVER-CA
  Validity:
    Not before: 02-22-2021 18:40 UTC
    Not after: 02-22-2023 18:40 UTC
  Public key algorithm: rsaEncryption(2048 bits)
  Keypair Location: Keypair generated locally

Notice that the current system time (2020-02-22 22:23:30 UTC) is earlier than the certificate's Not before date (02-22-2021 18:40 UTC), which is exactly what the "is not valid yet" error reports. The Time Source of LOCAL CLOCK shows that the device is not synchronized to NTP, and the negative "Last configured" interval is a further sign that the clock was moved backwards.

Note: There are other possible reasons that the certificate is not valid, but this is the most likely one. Contact Support for assistance if the time is correct.
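The comparison above can be done by hand, but when many SRX/vSRX devices are being onboarded it is easier to script it over captured CLI output. The following Python script is an added example and is not part of the original KB article or of any Juniper tool. It assumes the two output layouts shown above (`show system uptime` prints `Current time: YYYY-MM-DD HH:MM:SS UTC`, while the PKI output prints `Not before: MM-DD-YYYY HH:MM UTC`), classifies the clock as not yet valid, valid, or expired relative to the certificate window, reports how far the clock would have to move, and renders a timestamp in the `YYYYMMDDhhmm.ss` form that `set date` accepts. The sample outputs embedded in it are constructed from the article's own values.

```python
"""Check an SRX/vSRX clock against the validity window of a PKI local
certificate, using captured `show system uptime` and
`show security pki local-certificate` output (added example, not Juniper code)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample output, modelled on the CLI output in this article
# (a device whose clock is a year behind its certificate's Not before).
UPTIME_OUTPUT = """\
Current time: 2020-02-22 22:23:30 UTC
Time Source:  LOCAL CLOCK
System booted: 2020-02-21 21:16:02 UTC (1d 01:07 ago)
"""

# Constructed sample: the same device after its clock was corrected.
FIXED_UPTIME_OUTPUT = """\
Current time: 2021-06-08 07:52:28 UTC
Time Source:  LOCAL CLOCK 
System booted: 2021-06-07 05:57:06 UTC (1d 01:55 ago)
"""

# Constructed sample, modelled on the local-certificate output in this article.
CERT_OUTPUT = """\
LSYS: root-logical-system
Certificate identifier: PKI_Certificate
  Issued to: PKI_Certificate, Issued by: DC = net, DC = Juniper, DC = CA, CN = CA-WIN-PKI-SERVER-CA
  Validity:
    Not before: 02-22-2021 18:40 UTC
    Not after: 02-22-2023 18:40 UTC
  Public key algorithm: rsaEncryption(2048 bits)
  Keypair Location: Keypair generated locally
"""

UTC = timezone.utc


def parse_current_time(uptime_output: str) -> datetime:
    """Extract 'Current time: YYYY-MM-DD HH:MM:SS UTC' as a timezone-aware datetime."""
    m = re.search(r"^Current time:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC",
                  uptime_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Current time' line found in show system uptime output")
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)


def parse_time_source(uptime_output: str) -> str:
    """Extract the 'Time Source' field ('LOCAL CLOCK' means the device is not NTP-synchronized)."""
    m = re.search(r"^Time Source:\s+(.+?)\s*$", uptime_output, re.MULTILINE)
    return m.group(1) if m else "UNKNOWN"


def parse_validity(cert_output: str) -> tuple[datetime, datetime]:
    """Extract Not before / Not after. The PKI output uses MM-DD-YYYY HH:MM UTC,
    a different layout from show system uptime, so it gets its own format string."""
    def field(label: str) -> datetime:
        m = re.search(rf"^\s*{label}:\s+(\d{{2}}-\d{{2}}-\d{{4}} \d{{2}}:\d{{2}}) UTC",
                      cert_output, re.MULTILINE)
        if not m:
            raise ValueError(f"no '{label}' line found in local-certificate output")
        return datetime.strptime(m.group(1), "%m-%d-%Y %H:%M").replace(tzinfo=UTC)
    return field("Not before"), field("Not after")


def check_validity(now: datetime, not_before: datetime, not_after: datetime) -> tuple[str, timedelta]:
    """Classify the clock relative to the window. The offset is how far the clock
    would have to move to reach the nearest window edge (positive = forward,
    negative = backward); zero when the clock is already inside the window."""
    if now < not_before:
        return "not yet valid", not_before - now
    if now > not_after:
        return "expired", not_after - now
    return "valid", timedelta(0)


def junos_set_date_arg(when: datetime) -> str:
    """Render a datetime in the YYYYMMDDhhmm.ss form accepted by `set date`."""
    return when.astimezone(UTC).strftime("%Y%m%d%H%M.%S")


def diagnose(uptime_output: str, cert_output: str) -> dict:
    """Run the whole comparison over captured CLI output and summarise it."""
    now = parse_current_time(uptime_output)
    not_before, not_after = parse_validity(cert_output)
    status, offset = check_validity(now, not_before, not_after)
    source = parse_time_source(uptime_output)
    return {
        "status": status,
        "offset": offset,
        "time_source": source,
        # The case this article covers: a wrong clock on a device with no NTP discipline.
        "clock_suspect": status != "valid" and source == "LOCAL CLOCK",
        "now": now,
        "not_before": not_before,
        "not_after": not_after,
    }


if __name__ == "__main__":
    for label, out in (("before fix", UPTIME_OUTPUT), ("after fix", FIXED_UPTIME_OUTPUT)):
        r = diagnose(out, CERT_OUTPUT)
        print(f"{label}: clock {r['now']:%Y-%m-%d %H:%M:%S} UTC ({r['time_source']}) -> "
              f"certificate {r['status']}, offset {r['offset']}")
```

For the article's values the script reports the certificate as "not yet valid" with the clock 365 days 20:16:30 behind the Not before date; after the clock is corrected it reports "valid". An "expired" result with a correct clock is not a clock problem at all and means the certificate has to be re-issued by CSO.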

Solution:

Make sure that the system time falls within the validity period of the PKI certificate. If you are using an NTP server, make sure that it is reachable from the device and that the device actually synchronizes to it: the Time Source field in show system uptime changes from LOCAL CLOCK to NTP CLOCK once synchronization has taken place. Simply configuring the server does not step the clock immediately; use set date ntp to synchronize right away.

  1. To manually set the date and time:

root@SRX> set date ?
Possible completions:
  <time>               New date and time (YYYYMMDDhhmm.ss)
  ntp                  Set system date and time using Network Time Protocol servers

root@SRX> set date 202106080752.14
Tue Jun  8 07:52:14 UTC 2021

  2. To configure the NTP server:

root@SRX> ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=61 time=1.909 ms
64 bytes from 10.1.1.1: icmp_seq=1 ttl=61 time=1.721 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=61 time=1.640 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=61 time=1.687 ms
^C
--- 10.1.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.640/1.739/1.909/0.102 ms

root@SRX> edit

[edit]
root@SRX# set system ntp server 10.1.1.1

[edit]
root@SRX# commit and-quit 
commit complete
Exiting configuration mode

root@SRX> show system uptime 
Current time: 2021-06-08 07:52:28 UTC
Time Source:  LOCAL CLOCK 
System booted: 2021-06-07 05:57:06 UTC (1d 01:55 ago)
Protocols started: 2021-06-07 05:58:04 UTC (1d 01:54 ago)
Last configured: 2021-06-08 07:49:35 UTC (00:02:53 ago) by root
 7:52AM  up 1 day,  1:55, 1 users, load averages: 0.23, 0.27, 0.24

root@SRX> show security pki local-certificate certificate-id PKI_Certificate
LSYS: root-logical-system
Certificate identifier: PKI_Certificate
  Issued to: T16LPM_GW3new, Issued by: DC = net, DC = Juniper, DC = CA, CN = CA-WIN-PKI-SERVER-CA
  Validity:
    Not before: 02-22-2021 18:40 UTC
    Not after: 02-22-2023 18:40 UTC
  Public key algorithm: rsaEncryption(2048 bits)
  Keypair Location: Keypair generated locally

Now the system time (2021-06-08 07:52 UTC) falls within the certificate's validity window (02-22-2021 18:40 UTC to 02-22-2023 18:40 UTC). Note that Time Source still reads LOCAL CLOCK in the output above, because the clock was set manually; confirm NTP synchronization with show ntp associations before relying on it. Re-run the verification, then re-check show bgp summary and the st0 interfaces, which should come up once the certificate verifies.

root@SRX> request security pki local-certificate verify certificate-id PKI_Certificate
Local certificate PKI_Certificate verification success