Troubleshooting Juniper Advanced Threat Prevention Cloud: Checking Certificates
Use the show security pki local-certificate CLI command to check your local certificates. Ensure that the current date falls within each certificate's validity period (Not before / Not after). The ssl-inspect-ca certificate is used for SSL proxy. Shown below are some examples; your output will differ, because the identifiers, subjects and dates depend on your setup and location.
user@host> show security pki local-certificate
Certificate identifier: ssl-inspect-ca
  Issued to: www.juniper_self.net, Issued by: CN = www.juniper_self.net, OU = IT , O = Juniper Networks, L = xxxxx, ST = xxxxx, C = IN
  Validity:
    Not before: 11-24-2015 22:33 UTC
    Not after: 11-22-2020 22:33 UTC
  Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: argon-srx-cert
  Issued to: xxxx-xxxx_xxx, Issued by: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) subCA for SRX devices, emailAddress = xxx@juniper.net
  Validity:
    Not before: 10-30-2015 21:56 UTC
    Not after: 01-18-2038 15:00 UTC
  Public key algorithm: rsaEncryption(2048 bits)
Use the show security pki ca-certificate command to check your CA certificates. The argon-ca certificate is the CA that issued the device's client certificate, while argon-secintel-ca is the CA for the server certificate. Ensure that the current date falls within each CA certificate's validity period.
root@host> show security pki ca-certificate
Certificate identifier: argon-ca
  Issued to: SecIntel (junipersecurity.net) subCA for SRX devices, Issued by: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) CA, emailAddress = xxx@juniper.net
  Validity:
    Not before: 05-19-2015 22:12 UTC
    Not after: 05- 1-2045 15:00 UTC
  Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: argon-secintel-ca
  Issued to: SecIntel (junipersecurity.net) CA, Issued by: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) CA, emailAddress = xxx@juniper.net
  Validity:
    Not before: 05-19-2015 03:22 UTC
    Not after: 05-16-2045 03:22 UTC
  Public key algorithm: rsaEncryption(2048 bits)
When you enroll an SRX Series Firewall, the ops script installs two CA certificates: one for the client and one for the server. Revocation of the device's client certificate is tracked by its serial number in the CRL published by the client CA. Use the show security pki local-certificate detail CLI command to get your device's certificate details, including its serial number.
user@host> show security pki local-certificate detail
Certificate identifier: aamw-srx-cert
  Certificate version: 3
  Serial number: xxxxxxxxxx
  Issuer:
    Organization: Juniper Networks Inc, Organizational unit: SecIntel, Country: US, Common name: SecIntel (junipersecurity.net) subCA for SRX devices
  Subject:
    Organization: xxxxxxxxxx, Organizational unit: SRX, Country: US, Common name: xxxxxxxxxx
  Subject string: C=US, O=xxxxxxxx, OU=SRX, CN=xxxxxxxx, emailAddress=secintel-ca@juniper.net
  Alternate subject: secintel-ca@juniper.net, fqdn empty, ip empty
  Validity:
    Not before: 11-23-2015 23:08 UTC
    Not after: 01-18-2038 15:00 UTC
Then use the show security pki crl detail CLI command to make sure that serial number is not in the Certificate Revocation List (CRL). If your serial number is listed in the CRL, that SRX Series Firewall cannot connect to the cloud server.
user@host> show security pki crl detail
CA profile: aamw-ca
  CRL version: V00000001
  CRL issuer: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) subCA for SRX devices, emailAddress = secintel-ca@juniper.net
  Effective date: 11-23-2015 23:16 UTC
  Next update: 11-24-2015 23:16 UTC
  Revocation List:
    Serial number                       Revocation date
    xxxxxxxxxxxxxxxxx                   10-26-2015 17:43 UTC
    xxxxxxxxxxxxxxxxx                   11- 3-2015 19:07 UTC
    ...
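The whole check above (validity window of each local certificate, then the device's serial number against the client CA's CRL) as an added Python example; this is not part of the Juniper page or of Junos, it only parses the two CLI outputs offline in the format shown on this page. The sample outputs embedded in it are constructed: the certificate identifiers and date layout follow the page, but the serial numbers (0a1b2c3d4e, 00ff, deadbeef) are invented, and treating serial numbers as case-insensitive hex strings for the CRL match is an assumption.

```python
# Added example (not from the Juniper page): parse 'show security pki ...' output
# offline and flag certificates that are expired, not yet valid, or whose serial
# number appears in the CRL. All sample output below is constructed.
import re
from datetime import datetime, timezone

# Constructed sample of 'show security pki local-certificate detail' output.
LOCAL_CERT_DETAIL = """\
Certificate identifier: aamw-srx-cert
  Serial number: 0a1b2c3d4e
  Issuer:
    Organization: Juniper Networks Inc, Organizational unit: SecIntel, Country: US, Common name: SecIntel (junipersecurity.net) subCA for SRX devices
  Validity:
    Not before: 11-23-2015 23:08 UTC
    Not after: 01-18-2038 15:00 UTC
Certificate identifier: ssl-inspect-ca
  Serial number: 00ff
  Validity:
    Not before: 11-24-2015 22:33 UTC
    Not after: 11-22-2020 22:33 UTC
"""

# Constructed sample of 'show security pki crl detail' output. Note the
# space-padded day ("11- 3-2015") that Junos prints for single-digit days.
CRL_DETAIL = """\
CA profile: aamw-ca
  CRL version: V00000001
  Effective date: 11-23-2015 23:16 UTC
  Next update: 11-24-2015 23:16 UTC
  Revocation List:
    Serial number                  Revocation date
    0a1b2c3d4e                     10-26-2015 17:43 UTC
    deadbeef                       11- 3-2015 19:07 UTC
"""

# Junos prints MM-DD-YYYY HH:MM UTC, with a space instead of a leading zero on the day.
JUNOS_TIME = re.compile(r"(\d{2})-\s?(\d{1,2})-(\d{4}) (\d{2}):(\d{2}) UTC")


def parse_junos_time(text):
    """Return the first Junos-style timestamp found in text as an aware UTC datetime."""
    m = JUNOS_TIME.search(text)
    if not m:
        raise ValueError("no Junos timestamp in: %r" % text)
    month, day, year, hour, minute = (int(x) for x in m.groups())
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_local_certs(output):
    """Map certificate identifier -> {serial, not_before, not_after}."""
    certs, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Certificate identifier:"):
            current = certs.setdefault(line.split(":", 1)[1].strip(), {})
        elif current is None:
            continue
        elif line.startswith("Serial number:"):
            # Assumption: lowercase hex string so the CRL match is case-insensitive.
            current["serial"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("Not before:"):
            current["not_before"] = parse_junos_time(line)
        elif line.startswith("Not after:"):
            current["not_after"] = parse_junos_time(line)
    return certs


def parse_crl(output):
    """Map revoked serial number (lowercase hex) -> revocation datetime."""
    revoked, in_list = {}, False
    for line in output.splitlines():
        if line.strip().startswith("Revocation List:"):
            in_list = True          # only rows after this header are CRL entries
            continue
        if in_list:
            m = re.match(r"\s*([0-9a-fA-F]+)\s+(.*)", line)
            if m and JUNOS_TIME.search(m.group(2)):   # skips the column header row
                revoked[m.group(1).lower()] = parse_junos_time(m.group(2))
    return revoked


def check_certs(certs, revoked, now):
    """Return identifier -> list of problems; an empty list means the cert is usable."""
    report = {}
    for name, c in certs.items():
        problems = []
        if now < c["not_before"]:
            problems.append("not yet valid")
        if now > c["not_after"]:
            problems.append("expired")
        if c.get("serial") in revoked:
            problems.append("revoked")
        report[name] = problems
    return report


if __name__ == "__main__":
    report = check_certs(parse_local_certs(LOCAL_CERT_DETAIL),
                         parse_crl(CRL_DETAIL), datetime.now(timezone.utc))
    for name, problems in report.items():
        print(name, "OK" if not problems else ", ".join(problems))
```

To use it on a real device, save the output of the two commands to files and feed their contents to parse_local_certs and parse_crl in place of the constructed strings; the CRL to check is the one under the client CA profile (aamw-ca in the page's output), since that is the CA that issued the device's client certificate.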