
Juniper SRX Compatibility #208

Open
xrpixer opened this issue Oct 5, 2022 · 3 comments

Comments


xrpixer commented Oct 5, 2022

Hello,

I've been working on Juniper SRX Auto VPNs, and am wanting a SCEP server that isn't Windows.
When trying to enroll a Juniper SRX, I'm getting a cannot decrypt data error -

level=info ts=2022-10-05T04:54:19.762209122Z caller=service_logging.go:47 component=scep_service method=PKIOperation err="pkcs7: cannot decrypt data: only RSA, DES, DES-EDE3, AES-256-CBC and AES-128-GCM supported" took=698.34µs

level=info ts=2022-10-05T04:54:19.762850876Z caller=endpoint.go:186 op=PKIOperation error=null took=1.355847ms

The SRX is using -
SCEP Encryption Algorithm = DES3
SCEP Digest Algorithm = SHA1
Digest = SHA1

I've set the challenge password to something really simple and short to make sure that's correct, but still not getting any further.
This is on a Debian 11 server, tested using both what's in the repo and the pre-compiled Linux server from GitHub.

Has anyone else given this a try? Seems like a great use case for firewall SCEP; there are very few SCEP servers available that aren't a Windows server.

Any help is appreciated,
Thanks!
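The server log above names the ciphers its pkcs7 library will decrypt but not which one the SRX actually sent. As an added example (not code from this issue or from the scep project), the following Go program pulls the content-encryption algorithm out of a DER EnvelopedData ContentInfo with encoding/asn1 and reports whether it is on that list; it assumes the outer SignedData has already been unwrapped, the "supported" set is taken from the error message, and sample3DES is a constructed shell, not a capture from an SRX.

```go
package main
import (
	"encoding/asn1"
	"encoding/hex"
	"fmt"
)
// Just enough PKCS#7 shape to reach the cipher: ContentInfo -> EnvelopedData -> EncryptedContentInfo.
type algorithmIdentifier struct {
	Algorithm  asn1.ObjectIdentifier
	Parameters asn1.RawValue `asn1:"optional"` // e.g. the CBC IV as an OCTET STRING
}
type encryptedContentInfo struct {
	ContentType                asn1.ObjectIdentifier
	ContentEncryptionAlgorithm algorithmIdentifier
	EncryptedContent           []byte `asn1:"tag:0,optional"`
}
type envelopedData struct {
	Version              int
	RecipientInfos       asn1.RawValue // SET OF RecipientInfo, left opaque: no private key needed here
	EncryptedContentInfo encryptedContentInfo
}
type contentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     envelopedData `asn1:"explicit,tag:0"`
}
// ciphers labels content-encryption OIDs as the error message does; ok mirrors that message's supported list.
var ciphers = map[string]struct{ name string; ok bool }{
	"1.3.14.3.2.7": {"DES", true}, "1.2.840.113549.3.7": {"DES-EDE3", true},
	"2.16.840.1.101.3.4.1.42": {"AES-256-CBC", true}, "2.16.840.1.101.3.4.1.6": {"AES-128-GCM", true},
	"2.16.840.1.101.3.4.1.2": {"AES-128-CBC", false}, // absent from the message's list
}
// contentEncryptionAlgorithm returns the cipher name, whether the error message lists it, and a parse error if any.
func contentEncryptionAlgorithm(der []byte) (string, bool, error) {
	var ci contentInfo
	if rest, err := asn1.Unmarshal(der, &ci); err != nil || len(rest) != 0 || ci.ContentType.String() != "1.2.840.113549.1.7.3" {
		return "", false, fmt.Errorf("not a DER envelopedData ContentInfo (err=%v, trailing=%d, type=%v)", err, len(rest), ci.ContentType)
	}
	oid := ci.Content.EncryptedContentInfo.ContentEncryptionAlgorithm.Algorithm.String()
	if c, known := ciphers[oid]; known {
		return c.name, c.ok, nil
	}
	return oid, false, nil // unknown cipher: surface the dotted OID rather than hiding it
}
// sample3DES is constructed, not captured: version 0, empty recipientInfos, des-ede3-cbc, zero IV, 4 dummy bytes.
var sample3DES, _ = hex.DecodeString("303d06092a864886f70d010703a030302e02010031003027" +
	"06092a864886f70d010701301406082a864886f70d030704080000000000000000" + "8004deadbeef")
func main() {
	name, ok, err := contentEncryptionAlgorithm(sample3DES)
	fmt.Println(name, ok, err) // DES-EDE3 true <nil>
}
```

Feeding it the EnvelopedData from a failing enrollment shows whether the client really chose des-ede3-cbc or something outside the list before the key material is suspected.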

@jessepeterson
Member

Hello! That's interesting. Are you able to change the encryption algorithm that the SRX uses to talk to SCEP in any way? What does Juniper have to say about this issue?

@xrpixer
Author

xrpixer commented Oct 7, 2022

I'm not sure exactly which part the SCEP server can't decrypt, but here is what the Juniper SRX has for options -

Digest:
> request security pki local-certificate enroll digest ?
Possible completions:
sha-1 SHA-1 digests (default value)
sha-256 SHA-256 digests

SCEP Digest:
> request security pki local-certificate enroll scep-digest-algorithm ?
Possible completions:
md5 MD-5 digest
sha1 SHA-1 digest (default)

SCEP Encryption:
> request security pki local-certificate enroll scep-encryption-algorithm ?
Possible completions:
des DES Encryption
des3 DES-3 Encryption (default)

Plus the key that it's using is an RSA key that's in DER format.

I've got a support ticket open with Juniper, but it hasn't led anywhere so far.

@t-jonesy

t-jonesy commented Oct 25, 2022

I was hoping to do the same, but it looks like it's not configurable on the SRX.

SCEP sends a PKCS #10 format certificate request enveloped in the PKCS #7 format.

from: https://supportportal.juniper.net/s/article/SRX-J-Series-Certificate-based-PKI-VPN-using-SCEP-Simple-Certificate-Enrollment-Protocol-in-a-Junos-device?language=en_US
