Memorise

Juniper SRX certificate ‘aamw-srx-cert’: certificate does not exist

error: certificate ‘aamw-srx-cert’: certificate does not exist .
error: trusted-ca ‘aamw-cloud-ca’ does not exist!
error: trusted-ca ‘aamw-secintel-ca’ does not exist!

Error:

{primary:node0}[edit]
root# commit and-quit
[edit security pki]
‘ca-profile aamw-secintel-ca’
Missing mandatory statement: ‘ca-identity’
[edit security pki]
‘ca-profile aamw-cloud-ca’
Missing mandatory statement: ‘ca-identity’
error: commit failed: (missing mandatory statements)

FIX:

{primary:node0}[edit]
root# delete security pki

{primary:node0}[edit]
root# commit and-quit
warning: You have changed enhanced services mode.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
node0:
commit complete
Exiting configuration mode

Once the node has rejoined the cluster, sync it with the working SRX; that will update all of the certificates.

Location of Certificates

The certificates and key-pairs used for IKE negotiations are stored in the following locations:

/var/db/certs/common/key-pair
/var/db/certs/common/local
/var/db/certs/common/certification-authority

If a certificate is missing, use WinSCP to copy the /var/db/certs folder.
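A quick way to confirm what is actually present in those three directories before and after the sync, as an added example that is not part of the original post. It assumes the stored files carry the certificate-id or ca-profile name in their file name (verify with ls on a working node first) and is run from the Junos shell (start shell) on the node.

```shell
#!/bin/sh
# Added example, not from the original post: check the SRX certificate store
# (the three directories listed above) for the names the commit error reported.
# Assumption (verify with ls on a working node): stored files carry the
# certificate-id or ca-profile name in their file name.
# Usage on the node:  CERT_BASE=/var/db/certs sh check_certs.sh run
CERT_BASE="${CERT_BASE:-/var/db/certs}"

# Names taken from the error messages at the top of this page.
LOCAL_CERTS="aamw-srx-cert"
CA_PROFILES="aamw-cloud-ca aamw-secintel-ca"

# count_matches DIR NAME: number of regular files under DIR whose name contains NAME
count_matches() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -type f -name "*$2*" 2>/dev/null | wc -l | tr -d ' '
}

# has_local_cert BASE NAME: true when both a certificate and a key-pair are stored
has_local_cert() {
    [ "$(count_matches "$1/common/local" "$2")" -gt 0 ] &&
    [ "$(count_matches "$1/common/key-pair" "$2")" -gt 0 ]
}

# has_ca_cert BASE NAME: true when a CA certificate for the profile is stored
has_ca_cert() {
    [ "$(count_matches "$1/common/certification-authority" "$2")" -gt 0 ]
}

# count_missing BASE: prints one status line per name (stderr) and the number missing (stdout)
count_missing() {
    missing=0
    for c in $LOCAL_CERTS; do
        if has_local_cert "$1" "$c"; then echo "ok      local $c" >&2
        else echo "MISSING local $c" >&2; missing=$((missing + 1)); fi
    done
    for ca in $CA_PROFILES; do
        if has_ca_cert "$1" "$ca"; then echo "ok      ca    $ca" >&2
        else echo "MISSING ca    $ca" >&2; missing=$((missing + 1)); fi
    done
    echo "$missing"
}

if [ "${1:-}" = "run" ]; then
    n=$(count_missing "$CERT_BASE")
    echo "$n item(s) missing under $CERT_BASE"
    [ "$n" -eq 0 ]
fi
```

The exit status is non-zero while anything is missing, so the same command can be re-run after the sync to confirm the store is complete.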

