Hi All,
SOLUTION FOUND!!
The only thing preventing SSL forward proxy from working seamlessly with the major browsers is, as you report, that the SRX, when doing SSL-T-SSL (generating the certificate between the firewall and the client), generates the certificate with SHA-1, even though your root certificate may be signed with SHA-256.
IE and Firefox are OK with SHA-1 signed certs as of April 2017; however, Google Chrome puts up the errors.
There is a solution to this!!
1. Download the Google Chrome Group Policy templates: https://www.chromium.org/administrators/policy-templates
2. Load the ADM or ADMX group policy template under Computer Configuration > Administrative Templates.
3. Under Administrative Templates you will see settings to adjust Google Chrome (see screenshot).
4. Set the group policy object called "Whether SHA-1 signed certificates issued by local trust anchor" to ENABLED.
5. Close and restart Chrome.
SSL forward proxy now works across all domain computers with Google Chrome.
## cso simple walkthrough
request security pki generate-key-pair certificate-id self-cert2017 size 2048 type rsa
request security pki local-certificate generate-self-signed add-ca-constraint certificate-id self-cert2017 subject "DC=whatever, DC=test, CN=whatever.test, OU=ITC,O=whatever, SN=20170422" domain-name whatever.test email test@yourdomain.com.au digest sha-256
show security pki local-certificate
request security pki ca-certificate ca-profile-group load ca-group-name cag2017 filename default
## from config menu:
set services ssl traceoptions file ssl-proxy
set services ssl traceoptions flag all
set services ssl proxy profile test-sslp trusted-ca cag2017
set services ssl proxy profile test-sslp root-ca self-cert2017
set services ssl proxy profile test-sslp actions ignore-server-auth-failure
set services ssl proxy profile test-sslp actions log all
set services ssl proxy profile test-sslp actions log errors
set security policies from-zone trust to-zone untrust policy outbound-ssl match source-address any
set security policies from-zone trust to-zone untrust policy outbound-ssl match destination-address any
set security policies from-zone trust to-zone untrust policy outbound-ssl match application junos-https
set security policies from-zone trust to-zone untrust policy outbound-ssl then permit application-services ssl-proxy profile-name test-sslp
commit
## Now export the certificate from the firewall for import into Windows (for IE and Chrome) and Firefox
request security pki local-certificate export certificate-id self-cert2017 type pem filename /cf/var/db/certs/common/local/srx-root-ca2017.pem <--- physical
request security pki local-certificate export certificate-id self-cert2017 type pem filename /cf/var/db/certs/srx-root-ca2017.pem <--- vSRX
## SCP into the firewall and grab the .pem file and rename it to .crt
## Import the .crt file into the machine's TRUSTED ROOT CERTIFICATE AUTHORITIES store
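As an added check that is not part of the original post, the script below reads the signature algorithm straight out of a certificate's DER so you can confirm the SHA-1 re-signing described above on a client before rolling out the Chrome policy; it uses only the Python standard library, and the sample certificate it builds is a constructed stand-in (assumed structure, not a real SRX-issued cert).

```python
import ssl
# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) in dotted form.
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.10045.4.1": "ecdsa-with-SHA1",
            "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def _tlv(buf, pos):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Expand OID content bytes to dotted form, e.g. 1.2.840.113549.1.1.5."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID of Certificate.signatureAlgorithm (RFC 5280 section 4.1)."""
    _, pos, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE {
    _, _, pos = _tlv(der, pos)        #   tbsCertificate (skipped whole)
    _, pos, _ = _tlv(der, pos)        #   signatureAlgorithm ::= SEQUENCE {
    tag, start, end = _tlv(der, pos)  #     algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(der[start:end])

def is_sha1_signed(der):
    """True when the certificate's own signature uses SHA-1 (the case Chrome rejects)."""
    return "sha1" in SIG_ALGS.get(signature_algorithm(der), "").lower()

SHA1_RSA = bytes.fromhex("06092a864886f70d010105")    # DER OID 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # DER OID 1.2.840.113549.1.1.11

def sample_certificate(sig_oid_der):
    """Constructed stand-in, not a real certificate: a padded tbsCertificate (long-form length,
    as real certs have), AlgorithmIdentifier { algorithm, NULL } and a BIT STRING placeholder."""
    tbs = b"\x30\x81\xcb" + b"\x04\x81\xc8" + b"\x00" * 200         # 206 bytes in total
    alg = b"\x30" + bytes([len(sig_oid_der) + 2]) + sig_oid_der + b"\x05\x00"
    body = tbs + alg + b"\x03\x09\x00" + b"\xaa" * 8
    return b"\x30\x81" + bytes([len(body)]) + body                      # outer SEQUENCE (body < 256)
```

To test the certificate a client actually receives through the proxy, pass `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` to `is_sha1_signed`; a real certificate's signatureAlgorithm is parsed the same way as the constructed sample.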