Juniper TLS certificate install
In the fundraising environment, the pre-existing Puppet certificate authority issues the certificates used to encrypt syslog traffic. The Puppet CA was used to generate a client certificate for the SRX firewalls (the pfw hosts), so they can log over TLS to the fundraising central loggers. The CA certificate, the client certificate and its private key are loaded into the Junos PKI store as described below.
Preparation
Generate a client certificate
On the Puppet CA host (frpm1001), issue a certificate for the firewall's name:

frpm1001:~$ sudo puppet cert generate pfw-codfw.wikimedia.org
Copy the CA certificate, the new client certificate and its private key to the router. This assumes read permission on /var/lib/puppet/ssl/* and that the destination directories already exist on the pfw; the load commands below read the files from /var/tmp/ssl/certs and /var/tmp/ssl/private_keys, so the scp targets must resolve there.

frpm1001:~$ scp /var/lib/puppet/ssl/certs/ca.pem pfw3-codfw.wikimedia.org:certs/
frpm1001:~$ scp /var/lib/puppet/ssl/certs/pfw-codfw.wikimedia.org.pem pfw3-codfw.wikimedia.org:certs/
frpm1001:~$ scp /var/lib/puppet/ssl/private_keys/pfw-codfw.wikimedia.org.pem pfw3-codfw.wikimedia.org:private_keys/
Certificate reinstall/install
Clear any previously loaded CA certificate for the profile, then load the new one:

pfw3-codfw> clear security pki ca-certificate ca-profile frack-ca-profile
[no output]

pfw3-codfw> request security pki ca-certificate load ca-profile frack-ca-profile filename /var/tmp/ssl/certs/ca.pem
node0:
--------------------------------------------------------------------------
Fingerprint:
  49:98:40:62:4f:a2:f7:41:6f:4c:b2:5b:0e:81:6a:f5:0b:9a:49:ad (sha1)
  82:76:6e:43:ee:36:48:1c:c3:d2:ae:a3:fe:bd:2f:b2 (md5)
CA certificate for profile frack-ca-profile loaded successfully

Compare the printed fingerprint against the ca.pem that was copied before continuing; a mismatch means the router loaded a different file than intended.

Clear the old local certificate and its key pair (the key pair must be removed separately, otherwise the load of the new key fails), then load the new certificate together with its private key:

pfw3-codfw> clear security pki local-certificate certificate-id pfw-codfw
[no output]

pfw3-codfw> clear security pki key-pair certificate-id pfw-codfw
node0:
--------------------------------------------------------------------------
Key pair deleted successfully

pfw3-codfw> request security pki local-certificate load certificate-id pfw-codfw filename /var/tmp/ssl/certs/pfw-codfw.wikimedia.org.pem key /var/tmp/ssl/private_keys/pfw-codfw.wikimedia.org.pem
node0:
--------------------------------------------------------------------------
Local certificate loaded successfully

Reset the SSL initiation counters so that errors from the old certificate do not confuse later troubleshooting:

pfw3-codfw> clear services ssl initiation counters
[no output]
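The fingerprint that Junos prints at the CA load step is the SHA-1 (and MD5) digest of the certificate's DER encoding, so it can be checked against the ca.pem on the Puppet host without any extra tooling. The script below is an added example, not part of this page or of the Junos or Puppet projects: it parses the router output in the shape shown above, computes the digests from a PEM file with the Python standard library only, and reports a mismatch. The embedded sample certificate bytes and sample router output are constructed placeholders (not a real certificate); with a real file, run it as python3 check_ca_fingerprint.py ca.pem and paste the load output on stdin. The script name and the handling of multi-certificate bundles are assumptions added here.

```python
"""Check that the fingerprint Junos printed when loading a CA certificate
matches the ca.pem copied from the Puppet CA host (added example, stdlib only)."""
import base64
import hashlib
import re
import sys

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Junos prints one "<hex>:<hex>:... (algo)" line per digest after "Fingerprint:".
JUNOS_FP_RE = re.compile(
    r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*\((sha1|md5|sha256)\)")


def pem_to_der_list(pem_text: str) -> list:
    """DER bytes of every certificate in a PEM file. A Puppet ca.pem normally
    holds a single CA certificate, but a bundle with several is handled too."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_CERT_RE.findall(pem_text)]


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Digest of the DER encoding as colon-separated lowercase hex, which is
    the form Junos uses in 'request security pki ... load' output."""
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_junos_fingerprints(output: str) -> dict:
    """Map algorithm name -> fingerprint for every digest line in router output."""
    return {algo: fp.lower() for fp, algo in JUNOS_FP_RE.findall(output)}


def router_matches_file(output: str, pem_text: str) -> bool:
    """True when one certificate in the PEM file reproduces every fingerprint
    Junos printed. False when no fingerprint was printed (the load did not
    happen) or when the router reports a different certificate than the file."""
    printed = parse_junos_fingerprints(output)
    if not printed:
        return False
    return any(all(fingerprint(der, algo) == fp for algo, fp in printed.items())
               for der in pem_to_der_list(pem_text))


# Constructed sample data: these bytes stand in for a DER certificate so that
# the PEM handling and hashing can be exercised offline; not a real certificate.
SAMPLE_DER = b"constructed stand-in for a DER-encoded CA certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")
# Constructed router output in the shape this page shows for the load step.
SAMPLE_OUTPUT = (
    "node0:\n"
    "--------------------------------------------------------------------------\n"
    "Fingerprint:\n"
    "  %s (sha1)\n"
    "  %s (md5)\n"
    "CA certificate for profile frack-ca-profile loaded successfully\n"
    % (fingerprint(SAMPLE_DER, "sha1"), fingerprint(SAMPLE_DER, "md5")))


if __name__ == "__main__":
    # Usage: python3 check_ca_fingerprint.py ca.pem < router_output.txt
    # Without arguments the constructed sample data is checked instead.
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    out = sys.stdin.read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    ok = router_matches_file(out, pem)
    print("fingerprint matches ca.pem" if ok
          else "MISMATCH: router loaded a different certificate")
    sys.exit(0 if ok else 1)
```

Treat a mismatch as a stop: a wrong CA on the router means the syslog TLS session either fails to validate the loggers or validates against something other than the Puppet CA.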
Verification
Confirm the router now presents the new certificate:

pfw3-codfw> show services ssl certificate detail
[long output]
Cleanup
Once the certificate and key are in the PKI store, remove the copied files, including the private key, from the router's filesystem:

pfw3-codfw> file delete-directory /var/tmp/ssl recurse
[no output]
See also
task T312601 - Fundraising pfw rsyslog TLS errors
task T334676 - Refresh client certificate for central logging on pfw's