Troubleshooting Juniper ATP Cloud: Checking Certificates
Use the show security pki local-certificate CLI command to check your local
certificates. Ensure that the current date falls within each certificate's
validity period. The ssl-inspect-ca certificate is used for SSL proxy.
Some examples are shown below. Your output might look different because it
depends on your setup and location.
show security pki local-certificate
Certificate identifier: ssl-inspect-ca
Issued to: www.juniper_self.net, Issued by: CN = www.juniper_self.net, OU = IT
, O = Juniper Networks, L = xxxxx, ST = xxxxx, C = IN
Validity:
Not before: 11-24-2015 22:33 UTC
Not after: 11-22-2020 22:33 UTC
Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: argon-srx-cert
Issued to: xxxx-xxxx_xxx, Issued by: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) subCA for SRX devices, emailAddress = xxx@juniper.net
Validity:
Not before: 10-30-2015 21:56 UTC
Not after: 01-18-2038 15:00 UTC
Public key algorithm: rsaEncryption(2048 bits)

Use the show security pki ca-certificate command to check your CA
certificates. The argon-ca certificate is the CA for the client certificate,
and argon-secintel-ca is the CA for the server certificate. Ensure that the
current date falls within each certificate's validity period.
root@host> show security pki ca-certificate
Certificate identifier: argon-ca
Issued to: SecIntel (junipersecurity.net) subCA for SRX devices, Issued by: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) CA, emailAddress = xxx@juniper.net
Validity:
Not before: 05-19-2015 22:12 UTC
Not after: 05- 1-2045 15:00 UTC
Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: argon-secintel-ca
Issued to: SecIntel (junipersecurity.net) CA, Issued by: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) CA, emailAddress = xxx@juniper.net
Validity:
Not before: 05-19-2015 03:22 UTC
Not after: 05-16-2045 03:22 UTC
Public key algorithm: rsaEncryption(2048 bits)

When you enroll an SRX Series Firewall, the ops script installs two CA
certificates: one for the client and one for the server. Client-side CA
certificates are associated with serial numbers. Use the show security pki
local-certificate detail CLI command to get your device's certificate details
and serial number.
show security pki local-certificate detail
Certificate identifier: aamw-srx-cert
Certificate version: 3
Serial number: xxxxxxxxxx
Issuer:
Organization: Juniper Networks Inc, Organizational unit: SecIntel, Country: US,
Common name: SecIntel (junipersecurity.net) subCA for SRX devices
Subject:
Organization: xxxxxxxxxx, Organizational unit: SRX, Country: US,
Common name: xxxxxxxxxx
Subject string:
C=US, O=xxxxxxxx, OU=SRX, CN=xxxxxxxx, emailAddress=secintel-ca@juniper.net
Alternate subject: secintel-ca@juniper.net, fqdn empty, ip empty
Validity:
Not before: 11-23-2015 23:08 UTC
Not after: 01-18-2038 15:00 UTC
Then use the show security pki crl detail CLI command to make sure that your
serial number is not in the Certificate Revocation List (CRL). If your serial
number is listed in the CRL, that SRX Series Firewall cannot connect to the
cloud server.
show security pki crl detail
CA profile: aamw-ca
CRL version: V00000001
CRL issuer: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) subCA for SRX devices, emailAddress = secintel-ca@juniper.net
Effective date: 11-23-2015 23:16 UTC
Next update: 11-24-2015 23:16 UTC
Revocation List:
Serial number Revocation date
xxxxxxxxxxxxxxxxx 10-26-2015 17:43 UTC
xxxxxxxxxxxxxxxxx 11- 3-2015 19:07 UTC
...
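The two checks described on this page (current date inside each certificate's validity period, and the device certificate's serial number absent from the CRL) can be scripted against the CLI text. The following Python example is added here and is not part of the Juniper documentation or of Junos; it parses text shaped like the show security pki local-certificate detail and show security pki crl detail output shown above, including the space-padded day that Junos prints (for example 05- 1-2045), and reports any certificate that is expired, not yet valid, or revoked. The sample output embedded in the script, and every serial number in it, is constructed for this example and is not real device data.

```python
"""Audit Junos PKI CLI output: validity window and CRL membership.

Added example, not Juniper code. Input text is pasted CLI output; the sample
below is constructed (serial numbers and 'xxxxxxxx' values are made up).
"""
import re
from datetime import datetime, timezone

# Constructed sample in the shape of 'show security pki local-certificate detail'.
LOCAL_CERT_DETAIL = """\
Certificate identifier: aamw-srx-cert
Certificate version: 3
Serial number: 0a1b2c3d4e
Issuer:
Organization: Juniper Networks Inc, Organizational unit: SecIntel, Country: US,
Common name: SecIntel (junipersecurity.net) subCA for SRX devices
Subject:
Organization: xxxxxxxxxx, Organizational unit: SRX, Country: US,
Validity:
Not before: 11-23-2015 23:08 UTC
Not after: 01-18-2038 15:00 UTC
Certificate identifier: ssl-inspect-ca
Serial number: 00ff11ee22
Validity:
Not before: 11-24-2015 22:33 UTC
Not after: 11-22-2020 22:33 UTC
Certificate identifier: old-srx-cert
Serial number: deadbeef01
Validity:
Not before: 10-30-2015 21:56 UTC
Not after: 01-18-2038 15:00 UTC
"""

# Constructed sample in the shape of 'show security pki crl detail'.
CRL_DETAIL = """\
CA profile: aamw-ca
CRL version: V00000001
Effective date: 11-23-2015 23:16 UTC
Next update: 11-24-2015 23:16 UTC
Revocation List:
Serial number Revocation date
deadbeef01 10-26-2015 17:43 UTC
cafef00d02 11- 3-2015 19:07 UTC
...
"""

# Junos prints 'MM-DD-YYYY HH:MM UTC' and pads a single-digit day with a space.
JUNOS_TS = re.compile(r"(\d{2})-\s*(\d{1,2})-(\d{4})\s+(\d{2}):(\d{2})\s+UTC")
HEX_SERIAL = re.compile(r"^([0-9a-fA-F]+)\s")


def parse_junos_time(text):
    """Return an aware UTC datetime for a Junos-formatted timestamp inside text."""
    m = JUNOS_TS.search(text)
    if not m:
        raise ValueError(f"unrecognized Junos timestamp: {text!r}")
    month, day, year, hour, minute = (int(x) for x in m.groups())
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_certificates(output):
    """Split local-certificate output into one dict per 'Certificate identifier' block."""
    certs, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Certificate identifier:"):
            current = {"id": line.split(":", 1)[1].strip()}
            certs.append(current)
        elif current is None:
            continue
        elif line.startswith("Serial number:"):
            current["serial"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("Not before:"):
            current["not_before"] = parse_junos_time(line)
        elif line.startswith("Not after:"):
            current["not_after"] = parse_junos_time(line)
    return certs


def parse_crl_serials(output):
    """Return the set of revoked serials listed after 'Revocation List:' (header and '...' skipped)."""
    serials, in_list = set(), False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Revocation List:"):
            in_list = True
            continue
        m = HEX_SERIAL.match(line) if in_list else None
        if m:
            serials.add(m.group(1).lower())
    return serials


def check_certificate(cert, revoked, now):
    """Return a list of problems; an empty list means valid now and not revoked."""
    problems = []
    if "not_before" in cert and now < cert["not_before"]:
        problems.append("not yet valid")
    if "not_after" in cert and now > cert["not_after"]:
        problems.append("expired")
    if cert.get("serial") in revoked:
        problems.append("serial number is in the CRL")
    return problems


def audit(local_output, crl_output, now=None):
    """Map each certificate identifier to its list of problems at time 'now' (default: current UTC time)."""
    now = now or datetime.now(timezone.utc)
    revoked = parse_crl_serials(crl_output)
    return {c["id"]: check_certificate(c, revoked, now) for c in parse_certificates(local_output)}


if __name__ == "__main__":
    for cert_id, problems in audit(LOCAL_CERT_DETAIL, CRL_DETAIL).items():
        print(f"{cert_id}: {'OK' if not problems else ', '.join(problems)}")
```

To use it on a real device, paste the two CLI outputs into LOCAL_CERT_DETAIL and CRL_DETAIL (or read them from files) and run the script; any certificate reported as expired or as listed in the CRL is one the SRX Series Firewall cannot use to reach the cloud server. The CRL parser only accepts lines that begin with a hexadecimal serial, so the column header and a trailing "..." are ignored rather than mistaken for serials.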