Juniper TLS certificate install
In the fundraising environment, we use certificates from the pre-existing Puppet certificate authority to encrypt syslog traffic. We used the Puppet CA to generate a certificate for the SRX routers, so they can log securely to the fundraising central loggers.
Preparation
Generate a client certificate
frpm1001:~$ sudo puppet cert generate pfw-codfw.wikimedia.org
Copy the relevant certificates to the router (this assumes read permissions to /var/lib/puppet/ssl/* and pre-existing destination directories on the pfw)
frpm1001:~$ scp /var/lib/puppet/ssl/certs/ca.pem pfw3-codfw.wikimedia.org:certs/
frpm1001:~$ scp /var/lib/puppet/ssl/certs/pfw-codfw.wikimedia.org.pem pfw3-codfw.wikimedia.org:certs/
frpm1001:~$ scp /var/lib/puppet/ssl/private_keys/pfw-codfw.wikimedia.org.pem pfw3-codfw.wikimedia.org:private_keys/
Certificate reinstall/install
pfw3-codfw> clear security pki ca-certificate ca-profile frack-ca-profile [no output]
pfw3-codfw> request security pki ca-certificate load ca-profile frack-ca-profile filename /var/tmp/ssl/certs/ca.pem
node0:
--------------------------------------------------------------------------
Fingerprint:
  49:98:40:62:4f:a2:f7:41:6f:4c:b2:5b:0e:81:6a:f5:0b:9a:49:ad (sha1)
  82:76:6e:43:ee:36:48:1c:c3:d2:ae:a3:fe:bd:2f:b2 (md5)
CA certificate for profile frack-ca-profile loaded successfully
pfw3-codfw> clear security pki local-certificate certificate-id pfw-codfw [no output]
pfw3-codfw> clear security pki key-pair certificate-id pfw-codfw
node0:
--------------------------------------------------------------------------
Key pair deleted successfully
pfw3-codfw> request security pki local-certificate load certificate-id pfw-codfw filename /var/tmp/ssl/certs/pfw-codfw.wikimedia.org.pem key /var/tmp/ssl/private_keys/pfw-codfw.wikimedia.org.pem
node0:
--------------------------------------------------------------------------
Local certificate loaded successfully
pfw3-codfw> clear services ssl initiation counters [no output]
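The fingerprint Junos prints when the CA certificate is loaded should be compared with the fingerprint of ca.pem on the puppetmaster before trusting the profile; a mismatch means a wrong or altered file was copied. The script below is an added example, not part of this page or of Wikimedia's tooling: it computes the sha1/md5 fingerprints in the same colon-separated form Junos prints, using only the Python standard library, and the certificate bytes it embeds are a constructed stand-in (on frpm1001 you would pass the real path /var/lib/puppet/ssl/certs/ca.pem).

```python
import base64
import hashlib
import re
import sys

# One PEM CERTIFICATE block; a file may contain several (a CA bundle).
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_certificates(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file."""
    blocks = _PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return [base64.b64decode("".join(b.split())) for b in blocks]


def fingerprint(der, algo="sha1"):
    """Digest of the DER encoding, colon-separated lowercase as Junos shows it."""
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(reported):
    """Reduce a Junos ('..:ad (sha1)') or openssl ('SHA1 Fingerprint=..') line to bare hex."""
    tokens = reported.split("=", 1)[-1].split()
    value = tokens[0] if tokens else ""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def matches_router(pem_text, reported, algo="sha1"):
    """True if the fingerprint the router printed matches any cert in pem_text."""
    want = normalize(reported)
    return any(normalize(fingerprint(der, algo)) == want
               for der in pem_certificates(pem_text))


# Constructed sample standing in for the real ca.pem from the Puppet CA.
SAMPLE_DER = b"constructed-der-bytes-standing-in-for-a-real-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python3 fp.py /var/lib/puppet/ssl/certs/ca.pem (no arg: sample)
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    for der in pem_certificates(pem):
        print("sha1", fingerprint(der, "sha1"))
        print("md5 ", fingerprint(der, "md5"))
```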
Cleanup
pfw3-codfw> file delete-directory /var/tmp/ssl recurse [no output]
See also
task T312601 - Fundraising pfw rsyslog TLS errors