ddivins

SRX ACME Certs

Apr 5th, 2025 (edited)
ACME certificate enrollment works on Junos 22.4R1-S1 and later.

The SRX supports the http-01 ACME challenge. During an ACME enrollment the SRX starts its own listener on TCP port 80, serves the challenge file (the key authorization under /.well-known/acme-challenge/) itself, and shuts the listener down once the challenge is done. You therefore need HTTP allowed from the outside world in your Protect-RE loopback filter and the http system-service enabled under host-inbound-traffic on your external zone, and the name you are enrolling must resolve in public DNS to an address on the SRX. Let's Encrypt validates from several vantage points and does not publish its source addresses, so the port 80 allow cannot be source-restricted; the exposure is bounded by the listener only running during enrollment and renewal. All of this makes the feature hard to test on an internal firewall.
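
To make the http-01 flow concrete, here is an added Python example that is not Juniper's code and does not show the SRX daemon itself; it reproduces what the firewall has to serve and what the CA checks: the RFC 7638 thumbprint of the ACME account key (what the acme-key-id holds), the key authorization `token.thumbprint`, the challenge path under /.well-known/acme-challenge/, and a short-lived port 80 listener that mirrors the spin-up/tear-down behaviour described above. The account JWK and the token are constructed sample values, not real key material.

```python
"""http-01 under the hood (RFC 8555 section 8.3, RFC 7638 thumbprints).

Added example, not Juniper's ACME implementation. The account key below is a
constructed JWK with a deliberately short modulus, not a real key.
"""
import base64
import hashlib
import json
import re
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample ACME account public key in JWK form (the acme-key-id on the
# SRX would hold a real 2048-bit key; this "n" is fake and short).
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "xJ9vQ2k3mNaW0tLp7cHd5fGz8bR1yUe6sK4oT9iA-V_wBqC2hDn3lMf7rXg",
}

# Constructed token in the shape the CA hands out: base64url, >= 128 bits.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

_B64URL_TOKEN = re.compile(r"^[A-Za-z0-9_-]{22,}$")  # 22 chars == 128 bits


def _b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_valid_token(token: str) -> bool:
    """RFC 8555 8.3: tokens use only the base64url alphabet and carry >= 128 bits."""
    return bool(_B64URL_TOKEN.match(token))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexicographically ordered,
    serialised with no whitespace. Optional members (kid, alg, ...) and the
    caller's key order do not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The body the SRX must serve: token '.' thumbprint(account key)."""
    if not is_valid_token(token):
        raise ValueError("malformed ACME token")
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(token: str) -> str:
    """Where the CA fetches it: http://<domain>/.well-known/acme-challenge/<token>."""
    return f"/.well-known/acme-challenge/{token}"


def validate_http01(expected: str, served_body: bytes) -> bool:
    """What the CA does with the response body. RFC 8555 8.3 says the server
    SHOULD ignore whitespace at the end of the body, so a trailing newline is
    fine; any other difference is a failed challenge."""
    try:
        body = served_body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return body.rstrip() == expected


def serve_challenge(token: str, jwk: dict, bind: str = "0.0.0.0", port: int = 80,
                    lifetime_s: float = 60.0) -> None:
    """Mirror the behaviour the page describes: bring up a port 80 listener for
    the duration of the challenge, answer only the challenge path, then tear it
    down. Let's Encrypt validates from several vantage points, so the listener
    must answer more than one request. Binding port 80 needs root or
    CAP_NET_BIND_SERVICE."""
    body = key_authorization(token, jwk).encode("ascii")
    path = challenge_path(token)

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != path:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # the CA's probes are expected; stay quiet
            pass

    srv = HTTPServer((bind, port), Handler)
    srv.timeout = 1.0  # handle_request() returns after one request or 1 s idle
    deadline = time.monotonic() + lifetime_s
    try:
        while time.monotonic() < deadline:
            srv.handle_request()
    finally:
        srv.server_close()


if __name__ == "__main__":
    print("serve", challenge_path(SAMPLE_TOKEN), "->",
          key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
    # serve_challenge(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)  # needs port 80 free
```

The validator side is the useful part for debugging: if an enrollment fails, fetch http://vpn.domain.com/.well-known/acme-challenge/<token> yourself from outside and compare the body against `key_authorization()`; a 404 or a connection timeout points at the Protect-RE filter or the zone's host-inbound-traffic rather than at ACME.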

Once the firewall's name resolves in public DNS (dynamic DNS works fine) and inbound port 80 is no longer dropped, configure ACME:

Generate the ACME account key (acme-key-id) and a separate key pair for the certificate itself:

request security pki generate-key-pair size 2048 type rsa acme-key-id ACME-KEY
request security pki generate-key-pair size 2048 type rsa certificate-id ACME-RA-CERT

Trust the Let's Encrypt root (pre-load uses the ISRG Root X1 copy bundled with Junos, so nothing has to be imported) and point an enrollment profile at the Let's Encrypt v2 ACME directory. The traceoptions are optional but make a failed challenge easy to debug:

set security pki ca-profile ISRG_Root_X1 ca-identity ISRG_Root_X1
set security pki ca-profile ISRG_Root_X1 pre-load
set security pki ca-profile ISRG_Root_X1 revocation-check disable
set security pki ca-profile Lets_Encrypt ca-identity Lets_Encrypt
set security pki ca-profile Lets_Encrypt enrollment url https://acme-v02.api.letsencrypt.org/directory
set security pki traceoptions file pki.log
set security pki traceoptions file size 10m
set security pki traceoptions file files 3
set security pki traceoptions flag all
set security pki traceoptions flag acme-enrollment

Enroll. Replace vpn.domain.com with the name that resolves to the SRX and the email with your ACME contact address:

request security pki local-certificate enroll acme acme-key-id ACME-KEY certificate-id ACME-RA-CERT ca-profile Lets_Encrypt domain-names vpn.domain.com email "[email protected]" letsencrypt-enrollment yes terms-of-service agree

Let's Encrypt certificates are valid for 90 days, so configure automatic re-enrollment rather than renewing by hand. re-generate-keypair makes each renewal use a fresh certificate key, and acme-account-key binds the account key the renewals run under:

set security pki auto-re-enrollment acme certificate-id ACME-RA-CERT re-enroll-time days 25
set security pki auto-re-enrollment acme certificate-id ACME-RA-CERT acme-key-id ACME-KEY
set security pki auto-re-enrollment acme certificate-id ACME-RA-CERT ca-profile-name Lets_Encrypt
set security pki auto-re-enrollment acme certificate-id ACME-RA-CERT re-enroll-trigger-time-percentage 72
set security pki auto-re-enrollment acme certificate-id ACME-RA-CERT re-generate-keypair
set security pki acme-account-key acme-key-id ACME-KEY

Note that Let's Encrypt rotates its intermediate CAs from time to time, so when the intermediate that signs your certificate changes you may have to load the new chain onto the SRX. Also be aware that revocation-check disable on the ISRG_Root_X1 profile turns off CRL/OCSP checking for anything validated through that profile; that is harmless for your own enrollment, but revisit it if the same profile is ever used to validate remote peers (for example IKE peer certificates).
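
A check worth running after enrollment and on a schedule, as an added Python example that is not Juniper's code: connect to the SRX's TLS listener, read the leaf certificate it presents, and flag the two things above, renewal not happening in time and the issuing intermediate having changed from the one you loaded. The host name, port, expected issuer CN and renewal threshold are assumptions (the threshold mirrors the 25-day value in the config above); the sample certificate dict and the as-of time are constructed.

```python
"""Post-enrollment check for an ACME-issued SRX certificate.

Added example, not Juniper's code. Host, port, expected issuer CN and renewal
threshold are assumptions; SAMPLE_CERT and SAMPLE_NOW are constructed.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.domain.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R10"),)),
    "notBefore": "Apr 15 00:00:00 2025 GMT",
    "notAfter": "Jul 14 00:00:00 2025 GMT",
}
# Constructed "current time" so the sample evaluates deterministically.
SAMPLE_NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """TLS-connect with SNI and return the server's leaf certificate as a dict.
    Verification uses the system trust store and Python does no AIA fetching,
    so an SRX still sending a stale intermediate shows up here as an
    SSLCertVerificationError rather than a silent pass."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            return tls.getpeercert()


def _cn(rdns) -> Optional[str]:
    """Pull commonName out of getpeercert()'s nested RDN tuples."""
    for rdn in rdns:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def days_remaining(cert: dict, now: Optional[datetime] = None) -> float:
    """Days until notAfter (negative once expired), parsed with the stdlib."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (not_after - now).total_seconds() / 86400


def assess(cert: dict, expected_issuer_cn: str,
           renew_threshold_days: float = 25, now: Optional[datetime] = None) -> dict:
    """issuer_changed: the intermediate differs from the chain you loaded on
    the SRX. renewal_overdue: auto-re-enrollment should already have replaced
    this certificate (threshold is an assumption matching re-enroll-time days 25)."""
    issuer_cn = _cn(cert["issuer"])
    remaining = days_remaining(cert, now)
    return {
        "subject_cn": _cn(cert["subject"]),
        "issuer_cn": issuer_cn,
        "days_remaining": remaining,
        "issuer_changed": issuer_cn != expected_issuer_cn,
        "renewal_overdue": remaining < renew_threshold_days,
    }


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "vpn.domain.com"  # assumption
    print(assess(fetch_leaf_cert(host), expected_issuer_cn="R10"))
```

Run it from outside the firewall so it exercises the same path a VPN client uses; an issuer_changed result is the cue to load the new intermediate chain on the SRX, and renewal_overdue means to look at the pki.log traceoptions for a failed http-01 challenge.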