Info Security Memo

Troubleshooting Verisign SSL Certificates Issue on PKI VPN Tunnel between Juniper SRX Firewalls (Cont.)

3/13/2015

PKI-based IPsec site-to-site VPN is becoming more and more popular. I wrote a previous post, "Set up PKI IPSec VPN with Verisign SSL Certificates between Juniper SRX Firewalls", which records all the steps needed to set this kind of IPsec VPN up.

This post covers some troubleshooting procedures for a strange certificate issue encountered while configuring a PKI-based IPsec VPN between Juniper SRX firewalls.

Symptoms: 

The VPN tunnel could not be built although all procedures had been followed: an RSA key pair was generated, a CSR was generated on each SRX firewall, the CSRs were submitted to the SSL certificate provider, certificates were received for both devices along with the CA certificates, and all certificates were imported into the devices.

Debugging IKE did not give much information, but while verifying the certificates I found this strange output:

@SRX1:
root@fw-SRX1-2> show security pki ca-certificate detail
node1:
--------------------------------------------------------------------------
Certificate identifier: G5
  Certificate version: 3
  Serial number: 250ce8e030612e9f2b89f7054d7cf8fd
  Issuer:
    Organization: "VeriSign, Organizational unit: Class 3 Public Primary Certification Authority, Country: US
  Subject:
    Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
  Subject string:
    C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Validity:
    Not before: 11- 8-2006 00:00 UTC
    Not after: 11- 7-2021 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:af:24:08:08:29:7a:35:9e:60:0c:aa
    e7:4b:3b:4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:08:a3
    64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:2a:aa:a6:42:b3:8f:f8
    b9:55:b7:b1:b7:4b:b3:fe:8f:7e:07:57:ec:ef:43:db:66:62:15:61
    cf:60:0d:a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:54:85
    26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:d8:43:63:6a:52:4b:d2
    8f:e8:70:51:4d:d1:89:69:7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b
    56:d3:96:bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:f4:06
    04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:ba:f4:3c:ee:e0:8b:eb
    37:8b:ec:f4:d7:ac:f2:f6:f0:3d:af:dd:75:91:33:19:1d:1c:40:cb
    74:24:19:21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:63:47
    88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:ae:0e:9d:d4:d1:43:c0
    67:73:e3:14:08:7e:e5:3f:9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a
    ee:53:e8:25:15:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL:
    http://crl.verisign.com/pca3.crl
  Authority Information Access OCSP:
    http://ocsp.verisign.com
  Use for key: CRL signing, Certificate signing, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2, Code Signing, 1.3.6.1.5.5.7.3.3, Netscape Server Gated Crypto,
  2.16.840.1.113730.4.1, 2.16.840.1.113733.1.8.1, 2.16.840.1.113733.1.8.1
  Fingerprint:
    32:f3:08:82:62:2b:87:cf:88:56:c6:3d:b8:73:df:08:53:b4:dd:27 (sha1)
    f9:1f:fe:e6:a3:6b:99:88:41:d4:67:dd:e5:f8:97:7a (md5)
Certificate identifier: G4
  Certificate version: 3
  Serial number: 513fb9743870b73440418d30930699ff
  Issuer:
    Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
  Subject:
    Organization: Symantec Corporation, Organizational unit: Symantec Trust Network, Country: US, Common name: Symantec Class 3 Secure Server CA - G4
  Subject string:
    C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
  Validity:
    Not before: 10-31-2013 00:00 UTC
    Not after: 10-30-2023 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:b2:d8:05:ca:1c:74:2d:b5:17:56:39
    c5:4a:52:09:96:e8:4b:d8:0c:f1:68:9f:9a:42:28:62:c3:a5:30:53
    7e:55:11:82:5b:03:7a:0d:2f:e1:79:04:c9:b4:96:77:19:81:01:94
    59:f9:bc:f7:7a:99:27:82:2d:b7:83:dd:5a:27:7f:b2:03:7a:9c:53
    25:e9:48:1f:46:4f:c8:9d:29:f8:be:79:56:f6:f7:fd:d9:3a:68:da
    8b:4b:82:33:41:12:c3:c8:3c:cc:d6:96:7a:84:21:1a:22:04:03:27
    17:8b:1c:68:61:93:0f:0e:51:80:33:1d:b4:b5:ce:eb:7e:d0:62:ac
    ee:b3:7b:01:74:ef:69:35:eb:ca:d5:3d:a9:ee:97:98:ca:8d:aa:44
    0e:25:99:4a:15:96:a4:ce:6d:02:54:1f:2a:6a:26:e2:06:3a:63:48
    ac:b4:4c:d1:75:93:50:ff:13:2f:d6:da:e1:c6:18:f5:9f:c9:25:5d
    f3:00:3a:de:26:4d:b4:29:09:cd:0f:3d:23:6f:16:4a:81:16:fb:f2
    83:10:c3:b8:d6:d8:55:32:3d:f1:bd:0f:bd:8c:52:95:4a:16:97:7a
    52:21:63:75:2f:16:f9:c4:66:be:f5:b5:09:d8:ff:27:00:cd:44:7c
    6f:4b:3f:b0:f7:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://s1.symcb.com/pca3-g5.crl
  Authority Information Access OCSP:
    http://s2.symcb.com
  Use for key: CRL signing, Certificate signing
  Fingerprint:
    ff:67:36:7c:5c:d4:de:4a:e1:8b:cc:e1:d7:0f:da:bd:7c:86:61:35 (sha1)
    23:d5:85:8e:bc:89:86:10:7c:b7:ac:1e:17:f7:26:c5 (md5)

From the output of the show command, both CA certificates G4 and G5 on firewall fw-SRX1-1 look fine, but they won't pass verification:
root@fw-srx1-2> request security pki ca-certificate verify ca-profile G4
node1:
--------------------------------------------------------------------------
Error: Certificate Authority not found for certificate </C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5>
{primary:node1}
root@fw-srx1-2> request security pki ca-certificate verify ca-profile G5  
node1:
--------------------------------------------------------------------------
Error: Certificate Authority not found for certificate </C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5>

@SRX2, the same thing happened:

root@fw-SRX2-1> show security pki ca-certificate detail 
node0:
--------------------------------------------------------------------------
Certificate identifier: G5
  Certificate version: 3
  Serial number: 250ce8e030612e9f2b89f7054d7cf8fd
  Issuer:
    Organization: "VeriSign, Organizational unit: Class 3 Public Primary Certification Authority, Country: US
  Subject:
    Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
  Subject string:
    C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Validity:
    Not before: 11- 8-2006 00:00 UTC
    Not after: 11- 7-2021 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:af:24:08:08:29:7a:35:9e:60:0c:aa
    e7:4b:3b:4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:08:a3
    64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:2a:aa:a6:42:b3:8f:f8
    b9:55:b7:b1:b7:4b:b3:fe:8f:7e:07:57:ec:ef:43:db:66:62:15:61
    cf:60:0d:a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:54:85
    26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:d8:43:63:6a:52:4b:d2
    8f:e8:70:51:4d:d1:89:69:7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b
    56:d3:96:bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:f4:06
    04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:ba:f4:3c:ee:e0:8b:eb
    37:8b:ec:f4:d7:ac:f2:f6:f0:3d:af:dd:75:91:33:19:1d:1c:40:cb
    74:24:19:21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:63:47
    88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:ae:0e:9d:d4:d1:43:c0
    67:73:e3:14:08:7e:e5:3f:9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a
    ee:53:e8:25:15:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL:
    http://crl.verisign.com/pca3.crl
  Use for key: CRL signing, Certificate signing, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2, Code Signing, 1.3.6.1.5.5.7.3.3, Netscape Server Gated Crypto,
  2.16.840.1.113730.4.1, 2.16.840.1.113733.1.8.1, 2.16.840.1.113733.1.8.1
  Fingerprint:
    32:f3:08:82:62:2b:87:cf:88:56:c6:3d:b8:73:df:08:53:b4:dd:27 (sha1)
    f9:1f:fe:e6:a3:6b:99:88:41:d4:67:dd:e5:f8:97:7a (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
Certificate identifier: G4
  Certificate version: 3
  Serial number: 513fb9743870b73440418d30930699ff
  Issuer:
    Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
  Subject:
    Organization: Symantec Corporation, Organizational unit: Symantec Trust Network, Country: US, Common name: Symantec Class 3 Secure Server CA - G4
  Subject string:
    C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
  Validity:
    Not before: 10-31-2013 00:00 UTC
    Not after: 10-30-2023 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:b2:d8:05:ca:1c:74:2d:b5:17:56:39
    c5:4a:52:09:96:e8:4b:d8:0c:f1:68:9f:9a:42:28:62:c3:a5:30:53
    7e:55:11:82:5b:03:7a:0d:2f:e1:79:04:c9:b4:96:77:19:81:01:94
    59:f9:bc:f7:7a:99:27:82:2d:b7:83:dd:5a:27:7f:b2:03:7a:9c:53
    25:e9:48:1f:46:4f:c8:9d:29:f8:be:79:56:f6:f7:fd:d9:3a:68:da
    8b:4b:82:33:41:12:c3:c8:3c:cc:d6:96:7a:84:21:1a:22:04:03:27
    17:8b:1c:68:61:93:0f:0e:51:80:33:1d:b4:b5:ce:eb:7e:d0:62:ac
    ee:b3:7b:01:74:ef:69:35:eb:ca:d5:3d:a9:ee:97:98:ca:8d:aa:44
    0e:25:99:4a:15:96:a4:ce:6d:02:54:1f:2a:6a:26:e2:06:3a:63:48
    ac:b4:4c:d1:75:93:50:ff:13:2f:d6:da:e1:c6:18:f5:9f:c9:25:5d
    f3:00:3a:de:26:4d:b4:29:09:cd:0f:3d:23:6f:16:4a:81:16:fb:f2
    83:10:c3:b8:d6:d8:55:32:3d:f1:bd:0f:bd:8c:52:95:4a:16:97:7a
    52:21:63:75:2f:16:f9:c4:66:be:f5:b5:09:d8:ff:27:00:cd:44:7c
    6f:4b:3f:b0:f7:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://s1.symcb.com/pca3-g5.crl
  Use for key: CRL signing, Certificate signing
  Fingerprint:                        
    ff:67:36:7c:5c:d4:de:4a:e1:8b:cc:e1:d7:0f:da:bd:7c:86:61:35 (sha1)
    23:d5:85:8e:bc:89:86:10:7c:b7:ac:1e:17:f7:26:c5 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
Here, too, the certificate chain did not pass the verify procedure, and the error is the same as on the SRX1 device. It seems the G5 CA certificate is the one with the issue.
root@fw-SRX2-1> request security pki ca-certificate verify ca-profile G4  
node0:
--------------------------------------------------------------------------
CA certificate G4 verified successfully
{primary:node0}
root@fw-SRX2-1> request security pki ca-certificate verify ca-profile G5  
node0:
--------------------------------------------------------------------------
Error: Certificate Authority not found for certificate </C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5>
The CA certificate chain failed verification on both devices: on SRX1 both the G4 and G5 CA certificates failed, and on SRX2 only G5 failed, although I had imported the same certificates on both devices.

Troubleshooting:

Let's have a look at the files we got from Symantec/Verisign:
1. ssl_certificate.crt is the firewall's certificate, signed by the Verisign CA certificate.
2. IntermediateCA.crt is the CA certificate chain file, which includes two certificates:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE----------BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
After saving each part of the certificate chain into its own file, I checked the certificate properties of each certificate.
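The step above, splitting a concatenated PEM bundle such as IntermediateCA.crt into one file per certificate so that each can be inspected and loaded into its own SRX ca-profile, as an added example (not code from the post). The bundle it runs on is constructed with placeholder base64 bodies, not the real Symantec certificates; the two blocks are glued together with no newline between them, exactly as the listing above shows.

```python
"""Split a concatenated PEM bundle into one normalised certificate per file.

Added example; the sample bundle is constructed, its bodies are placeholders.
"""
from __future__ import annotations

import base64
import re
from pathlib import Path

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.DOTALL)


def split_pem_bundle(text: str) -> list[str]:
    """Return every well-formed certificate in `text` as normalised PEM.

    Handles the two things seen in the post's listing: blocks glued together
    with no newline between END and BEGIN, and bodies whose line wrapping was
    lost. A block with no END marker, an empty body, or a body that is not
    valid base64 is skipped rather than written out as a broken file.
    """
    certs: list[str] = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())  # strip all whitespace inside the body
        if not b64:
            continue
        try:
            base64.b64decode(b64, validate=True)  # alphabet/padding check only
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # 64-char wrap
        certs.append("\n".join([BEGIN, *lines, END]) + "\n")
    return certs


def write_chain_files(bundle: str, out_dir: Path, stem: str = "chain") -> list[Path]:
    """Write each certificate to out_dir/<stem>-<n>.pem and return the paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths: list[Path] = []
    for n, pem in enumerate(split_pem_bundle(bundle), start=1):
        path = out_dir / f"{stem}-{n}.pem"
        path.write_text(pem)
        paths.append(path)
    return paths


# Constructed sample: two blocks glued together as in the listing above, with
# placeholder bodies (repeated "MIIB"/"MIIC": valid base64, not real DER).
SAMPLE_BUNDLE = (
    BEGIN + "\n" + "MIIB" * 40 + "\n" + END
    + BEGIN + "\n" + "MIIC" * 40 + "\n" + END + "\n"
)

if __name__ == "__main__":
    for p in write_chain_files(SAMPLE_BUNDLE, Path("/tmp/chain-split")):
        print(p, p.read_text().count("\n"), "lines")
```

Each output file is a single certificate with 64-character body lines, which is what a `request security pki ca-certificate load ... filename` call expects; the order of the files follows the order in the bundle, so chain-1.pem is the first certificate listed.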

From the certificate properties, we can tell that "Symantec Class 3 Secure Server CA - G4" is signed by "VeriSign Class 3 Public Primary Certification Authority - G5", and that "VeriSign Class 3 Public Primary Certification Authority - G5" is in turn signed by "Class 3 Public Primary Certification Authority".

From the output below, the local certificate SRX1 is signed by "Symantec Class 3 Secure Server CA - G4":

root@fw-SRX1-1> show security pki local-certificate detail
node0:
--------------------------------------------------------------------------
Certificate identifier: SRX1
  Certificate version: 3
  Serial number: 2d6f03041e93e1e97acd758ae940e6db
  Issuer:
    Organization: Symantec Corporation, Organizational unit: Symantec Trust Network, Country: US, Common name: Symantec Class 3 Secure Server CA - G4
  Subject:
    Organization: GG, Organizational unit: IT, Country: CA, State: Ontario, Locality: srx1, Common name: srx1.gg.com
  Subject string:
    C=CA, ST=Ontario, L=srx1, O=gg, OU=IT, CN=srx1.gg.com
  Alternate subject: email empty, srx1.gg.com, ip empty
  Validity:
    Not before: 01- 9-2015 00:00 UTC
    Not after: 04- 5-2018 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:9d:96:c7:76:c3:66:25:c3:ec:58:61
    ee:c9:9d:82:ae:d6:de:26:ff:50:e8:b1:a0:ce:cd:0f:1a:f2:59:56
    9f:7f:49:aa:de:88:a8:5d:4c:69:0a:5b:f0:91:a7:49:e4:9b:3b:df
    e4:0e:24:7d:23:fe:32:4b:c0:9e:a6:37:ff:0c:7b:ae:02:6b:1c:b7
    7c:79:29:e3:73:4d:4f:3d:5a:38:4a:f6:43:03:8b:b9:8e:19:ea:bb
    cd:52:00:5d:a8:b5:a8:3a:92:3c:38:06:13:32:50:56:31:3f:be:68
    a2:b7:e4:f0:2d:0c:a2:f1:0b:22:b3:ea:2a:9e:47:7b:5b:aa:cc:43
    9d:f2:4e:e5:86:9f:c8:37:fc:02:d4:66:34:93:e0:d6:6b:35:c9:5d
    25:29:90:6d:ab:8c:1e:00:a1:cb:79:27:b4:f9:26:2e:e4:22:20:28
    70:e1:51:b6:7d:4a:34:07:c9:a3:69:49:26:34:6a:0b:66:ee:0c:29
    a5:c6:14:04:fb:64:49:31:72:cb:10:15:c4:c4:2b:66:b3:8c:3d:21
    76:34:3d:6a:83:0b:50:92:fe:32:a4:0c:7b:d2:82:d2:3f:61:63:59
    8c:57:4b:c7:99:09:a0:57:45:6c:e9:fb:64:34:80:46:dc:43:ce:4d
    1b:d0:d9:0a:e3:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://ss.symcb.com/ss.crl
  Use for key: Key encipherment, Digital signature, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2
  Fingerprint:
    8a:ea:0d:e2:a9:28:65:d1:d4:e0:6d:77:7e:aa:75:7d:69:7d:1f:ab (sha1)
    c7:b2:a1:ad:36:aa:8e:40:3d:5e:c9:cb:ad:9b:3f:10 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

I checked the Symantec page "Licensing and Use of Root Certificates" and found that there is another G5 certificate.

I downloaded it and checked its properties from Windows:
This new G5 certificate expires in 2036 and has the same "Issued to" and "Issued by", which means it is a root CA certificate. The old G5 expires in 2021 and has different "Issued to" and "Issued by", which means it is signed by another root CA certificate. Now I more or less understand the Symantec certificate chain, which I drew as the following diagram:

Solutions:

Now it is quite clear: with the original certificates sent from Symantec, I only have G5 (2021) and G4 in the CA certificate chain. I am missing one root certificate, "Verisign Class 3 Public Primary CA".

I can either import that additional CA certificate to complete the chain, or replace G5 (2021) with the new G5 (2036). I chose the replace option.

All steps are listed below:
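The chain analysis above, and both fix options, as an added example that is not Junos code or anything from the post. It models each certificate by the "Issued to" / "Issued by" names shown in the SRX output, walks issuer links until a self-signed root is reached, and reproduces the "Certificate Authority not found" outcome for the certificates as delivered; it then shows that either adding the Class 3 root or replacing G5 (2021) with the self-signed G5 (2036) lets every chain terminate. How Junos itself walks the chain is not shown on the page, so the walk below is an assumption; the expiry of the Class 3 root is likewise not on the page and is a placeholder.

```python
"""Chain-walking model of the CA verification failure in the post.

Added example, not Junos code. Certificate names and expiry dates are taken
from the show output in the post; the walk itself is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str    # common name, as in the SRX "Issued to" field
    issuer: str     # common name of the signer, as in "Issued by"
    not_after: str  # expiry as displayed by the SRX

    @property
    def self_signed(self) -> bool:
        # A root CA is issued to and issued by itself.
        return self.subject == self.issuer


G5_NAME = "VeriSign Class 3 Public Primary Certification Authority - G5"
CLASS3_NAME = "Class 3 Public Primary Certification Authority"
G4_NAME = "Symantec Class 3 Secure Server CA - G4"

# Constructed from the Subject/Issuer/Validity lines in the post's output.
SRX1_LOCAL = Cert("srx1.gg.com", G4_NAME, "04- 5-2018")
G4 = Cert(G4_NAME, G5_NAME, "10-30-2023")
G5_2021 = Cert(G5_NAME, CLASS3_NAME, "11- 7-2021")  # cross-signed, not a root
G5_2036 = Cert(G5_NAME, G5_NAME, "07-16-2036")      # self-signed root
# Expiry of the Class 3 root is not shown on the page: placeholder value.
CLASS3_ROOT = Cert(CLASS3_NAME, CLASS3_NAME, "<not shown on page>")


def ca_store(*cas: Cert) -> dict[str, Cert]:
    """Index CA certificates by subject, one per name, like SRX ca-profiles
    (loading a second G5 fails until the first one is cleared)."""
    store: dict[str, Cert] = {}
    for ca in cas:
        if ca.subject in store:
            raise ValueError(f"CA certificate already exists for <{ca.subject}>")
        store[ca.subject] = ca
    return store


def verify_chain(cert: Cert, store: dict[str, Cert]) -> tuple[bool, str]:
    """Follow issuer links until a self-signed root is reached.

    Returns (ok, message). The failure message names the certificate whose
    issuer is absent, which is why verifying G4 on SRX1 reported the G5 name.
    """
    seen: set[str] = set()
    current = cert
    while not current.self_signed:
        if current.subject in seen:
            return False, f"issuer loop at <{current.subject}>"
        seen.add(current.subject)
        issuer = store.get(current.issuer)
        if issuer is None:
            return False, f"Certificate Authority not found for certificate <{current.subject}>"
        current = issuer
    return True, f"verified successfully (root <{current.subject}>, expires {current.not_after})"


def missing_issuers(store: dict[str, Cert]) -> list[str]:
    """Names of issuers referenced by the store but not present in it."""
    return sorted({c.issuer for c in store.values()
                   if not c.self_signed and c.issuer not in store})


if __name__ == "__main__":
    scenarios = {
        "as delivered (G5(2021) + G4)": ca_store(G5_2021, G4),
        "option 1: add the Class 3 root": ca_store(G5_2021, G4, CLASS3_ROOT),
        "option 2: replace G5 with G5(2036)": ca_store(G5_2036, G4),
    }
    for name, store in scenarios.items():
        print(f"== {name}; missing issuers: {missing_issuers(store)}")
        for c in (*store.values(), SRX1_LOCAL):
            ok, msg = verify_chain(c, store)
            print(f"   {c.subject[:45]:<45} {msg}")
```

`missing_issuers` is the one-line diagnosis the post reached by hand: on the delivered store it returns only the Class 3 root name. `ca_store` also models the "CA certificate already exists" refusal that appears in the load steps below, which is why the replace option needs a `clear` before the new G5 can be loaded.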

root@fw-SRX1-2> request security pki ca-certificate load ca-profile G5 filename /var/tmp/G5.pem  
node1:
--------------------------------------------------------------------------
error: Command aborted as CA certificate already exists. Retry after clearing the existing CA certificate

root@fw-SRX1-2> clear security pki ca-certificate ca-profile G5                                  

root@fw-SRX1-2> request security pki ca-certificate load ca-profile G5 filename /var/tmp/G5.pem  
node1:
--------------------------------------------------------------------------
Fingerprint:
  4e:b6:d5:78:49:9b:1c:cf:5f:58:1e:ad:56:be:3d:9b:67:44:a5:e5 (sha1)
  cb:17:e4:31:67:3e:e2:09:fe:45:57:93:f3:0a:fa:1c (md5)
CA certificate for profile G5 loaded successfully
root@fw-SRX1-2> request security pki ca-certificate verify ca-profile G4
node1:
--------------------------------------------------------------------------
CA certificate G4 verified successfully

root@fw-SRX1-2> request security pki ca-certificate verify ca-profile G5  
node1:
--------------------------------------------------------------------------
CA certificate G5 verified successfully
root@fw-SRX1-2> show security pki ca-certificate
node0:
--------------------------------------------------------------------------
Certificate identifier: G5
  Issued to: VeriSign Class 3 Public Primary Certification Authority - G5, Issued by: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
  Validity:
    Not before: 11- 8-2006 00:00 UTC
    Not after: 07-16-2036 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: G4
  Issued to: Symantec Class 3 Secure Server CA - G4, Issued by: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
  Validity:
    Not before: 10-31-2013 00:00 UTC
    Not after: 10-30-2023 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)

