
How to load a PKI x.509 certificate on a J Series or SRX Series device


Article ID: KB10176 KB Last Updated: 05 Mar 2017Version: 5.0
Summary:
How to load a PKI x.509 certificate on a J Series or SRX Series device
Solution:
This article assumes that a key pair and certificate request were generated and the request sent to a Certificate Authority (CA) as described in KB10175. Once the signed local certificate, the CA certificate and the CRL have been received from the CA, follow the steps below to load them onto the J Series or SRX Series device. The lab certificates shown in the examples use 1024-bit RSA keys with SHA-1 signatures; for production use, request 2048-bit or larger keys and SHA-256 signatures.

Step 1. Upload the local certificate, the CA certificate and the CRL received from the CA into system storage. The examples use the file copy command and assume the files have been placed on an FTP server reachable from the device; file copy also accepts scp:// URLs. FTP transfers the files in the clear, which is acceptable for certificate and CRL objects (they contain no secrets) but gives no integrity guarantee, so the CA certificate fingerprint is checked in Step 3 before the CA is trusted. The files land in the user's home directory (/cf/root/ in this example, as file list shows), which is where the unqualified filenames used in the following steps are looked up.

    Syntax:
      file copy <ftp://ftp-server-ip/filename> <local-filename>

    Example:
      root@CORPORATE> file copy ftp://172.19.50.129/certnew.cer local-cert.cer   
      /var/tmp//...transferring.file.........MUp7zd/100% of 1445  B 1224 kBps

      root@CORPORATE> file copy ftp://172.19.50.129/CA-certnew.cer ca-cert.cer   
      /var/tmp//...transferring.file.........thvn0z/100% of 1049  B 2247 kBps

      root@CORPORATE> file copy ftp://172.19.50.129/certcrl.crl certcrl.crl      
      /var/tmp//...transferring.file.........CcEeI1/100% of  401  B 1604 kBps

      root@CORPORATE> file list
      /cf/root/:
      .cshrc
      .history
      .login
      .profile
      ca-cert.cer
      certcrl.crl
      local-cert.cer
Step 2. Load the local certificate into the system. The certificate-id must be the same identifier that was given to the key pair when the request was generated in KB10175; the device uses it to associate the returned certificate with its private key.
    Syntax:
      request security pki local-certificate load certificate-id <cert-id-name> filename <local-cert-filename>

    Example:
      root@CORPORATE> request security pki local-certificate load certificate-id ms-cert filename local-cert.cer
      Local certificate loaded successfully

      root@CORPORATE> show security pki local-certificate detail
      Certificate identifier: ms-cert
        Certificate version: 3
        Serial number: 24ea0e4b000000000010
        Issuer:
          Organization: JuniperNetworks, Organizational unit: JTAC, Country: US, State: CA, Locality: Sunnyvale,
          Common name: TACLAB
        Subject:
          Organization: Juniper Networks, Organizational unit: Sales, Country: US, State: CA, Locality: Sunnyvale,
          Common name: John Doe
        Alternate subject: email empty, fqdn empty, 172.19.51.162
        Validity:
          Not before: 10-29-2007 20:36
          Not after: 10-29-2008 20:46
        Public key algorithm: rsaEncryption(1024 bits)
          30:81:89:02:81:81:00:da:81:09:85:4d:db:91:7b:8b:de:bf:81:a6
          3d:df:af:90:35:36:a8:0b:ee:47:7b:24:05:23:6a:f7:10:62:af:77
          b6:31:06:29:d7:02:19:25:67:ef:33:a3:8a:e7:3c:b8:d0:a4:f1:2a
          99:bb:25:56:8c:75:0b:78:00:94:8e:73:2c:fc:dd:77:e1:e8:24:97
          4a:03:b6:21:2e:53:d6:52:b4:34:fa:cb:16:ec:78:3d:dd:fc:99:d3
          87:64:d1:d4:41:14:09:34:0f:30:f2:44:71:ed:2c:cd:75:c9:9d:11
          d7:a7:8a:70:62:4d:c2:44:73:40:10:ea:10:0a:29:02:03:01:00:01
        Signature algorithm: sha1WithRSAEncryption
        Distribution CRL:
          ldap:///CN=TACLAB,CN=TACLABSRV1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=tacdomain,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
          http://taclabsrv1.tacdomain.com/CertEnroll/TACLAB.crl
        Fingerprint:
          34:72:97:ac:3e:90:b5:72:51:f7:73:17:a6:2b:71:9d:95:6b:42:eb (sha1)
          f9:23:8e:ef:a3:19:b0:d5:de:bf:17:9c:90:00:f4:31 (md5)
Step 3. Load the CA certificate into the system. The ca-profile-name is the CA profile configured under [edit security pki] for this CA. The device prints the certificate's fingerprint and asks for confirmation: before answering yes, compare the SHA-1 value with the fingerprint published by the CA (obtained out of band, not from the same FTP transfer), because answering yes makes this CA a trust anchor for every certificate it has signed. Do not rely on the MD5 value for this comparison.
    Syntax:
      request security pki ca-certificate load ca-profile <ca-profile-name> filename <ca-cert-filename>

    Example:
      root@CORPORATE> request security pki ca-certificate load ca-profile juniper-ca filename ca-cert.cer   
      Fingerprint:
        1b:02:cc:cb:0f:d3:14:39:51:aa:0f:ff:52:d3:38:94:b7:11:86:30 (sha1)
        90:60:53:c0:74:99:f5:da:53:d0:a0:f3:b0:23:ca:a3 (md5)
      Do you want to load this CA certificate ? [yes,no] (no) yes

      CA certificate for profile juniper-ca loaded successfully

      root@CORPORATE> show security pki ca-certificate detail
      Certificate identifier: juniper-ca
        Certificate version: 3
        Serial number: 44b033d1e5e158b44597d143bbfa8a13
        Issuer:
          Organization: JuniperNetworks, Organizational unit: JTAC, Country: US, State: CA, Locality: Sunnyvale,
          Common name: TACLAB
        Subject:
          Organization: JuniperNetworks, Organizational unit: JTAC, Country: US, State: CA, Locality: Sunnyvale,
          Common name: TACLAB
        Validity:
          Not before: 09-25-2007 20:32
          Not after: 09-25-2012 20:41
        Public key algorithm: rsaEncryption(1024 bits)
          30:81:89:02:81:81:00:d1:9e:6f:f4:49:c8:13:74:c3:0b:49:a0:56
          11:90:df:3c:af:56:29:58:94:40:74:2b:f8:3c:61:09:4e:1a:33:d0
          8d:53:34:a4:ec:5b:e6:81:f5:a5:1d:69:cd:ea:32:1e:b3:f7:41:8e
          7b:ab:9c:ee:19:9f:d2:46:42:b4:87:27:49:85:45:d9:72:f4:ae:72
          27:b7:b3:be:f2:a7:4c:af:7a:8d:3e:f7:5b:35:cf:72:a5:e7:96:8e
          30:e1:ba:03:4e:a2:1a:f2:1f:8c:ec:e0:14:77:4e:6a:e1:3b:d9:03
          ad:de:db:55:6f:b8:6a:0e:36:81:e3:e9:3b:e5:c9:02:03:01:00:01
        Signature algorithm: sha1WithRSAEncryption
        Distribution CRL:
          ldap:///CN=TACLAB,CN=TACLABSRV1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=tacdomain,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
          http://taclabsrv1.tacdomain.com/CertEnroll/TACLAB.crl
        Use for key: CRL signing, Certificate signing, Non repudiation
        Fingerprint:
          1b:02:cc:cb:0f:d3:14:39:51:aa:0f:ff:52:d3:38:94:b7:11:86:30 (sha1)
          90:60:53:c0:74:99:f5:da:53:d0:a0:f3:b0:23:ca:a3 (md5)

Step 4. Load the CRL if necessary. This is required when revocation checking is enabled for the CA profile and the device cannot fetch the CRL itself from the distribution points listed in the certificate (the ldap:// and http:// URLs shown above). Note the Next update time in the output: the CRL is only usable until then (here about a week after its effective date), so plan to reload it before that time, or configure the CA profile to retrieve the CRL automatically.
    Syntax:
      request security pki crl load ca-profile <ca-profile-name> filename <crl-filename>

    Example:
      root@CORPORATE> request security pki crl load ca-profile juniper-ca filename certcrl.crl
      CRL for CA profile juniper-ca loaded successfully

      root@CORPORATE> show security pki crl    
      CA profile: juniper-ca
        CRL version: V00000001
        CRL issuer: emailAddress = ca-admin@juniper.net, C = US, ST = CA, L = Sunnyvale, O = JuniperNetworks, OU = JTAC, CN = TACLAB
        Effective date: 10-23-2007 20:32
        Next update: 10-31-2007 08:52

Step 5. Verify the certificates. Verification confirms that the local certificate chains to the loaded CA certificate and is within its validity period and, when revocation checking is enabled on the CA profile, that it is not listed in the CRL.
    Syntax:
      request security pki local-certificate verify certificate-id <cert-id-name>
      request security pki ca-certificate verify ca-profile <ca-profile-name>

    Example:
      root@CORPORATE> request security pki local-certificate verify certificate-id ms-cert    
      Local certificate ms-cert verification success

      root@CORPORATE> request security pki ca-certificate verify ca-profile juniper-ca   
      CA certificate juniper-ca verified successfully
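The two decisions the procedure leaves to the operator, whether the fingerprint shown at the Step 3 prompt really belongs to the CA and whether the CRL loaded in Step 4 is still within its Next update window, can be checked offline on a workstation. The following Python script is an added example and is not code from the Juniper article or from Junos: it recomputes a certificate's SHA-1 and MD5 fingerprints from a PEM or DER file in the colon-separated form the device prints, compares them with the prompt text, and parses the Next update line of show security pki crl. It uses only the standard library; the certificate bytes (SAMPLE_DER, SAMPLE_PEM) are a constructed stand-in rather than a real X.509 certificate, while the prompt and CRL text are copied from Steps 3 and 4 above.

```python
"""Offline checks for the CA certificate and CRL that Steps 3 and 4 load by hand.

Added example, not code from the Juniper article or from Junos. It recomputes a
CA certificate's fingerprints in the colon-separated form the load prompt prints
so they can be compared with an out-of-band copy of the certificate, and parses
the 'Next update' line of 'show security pki crl' to decide whether a manually
loaded CRL is still usable. Standard library only; SAMPLE_DER is a constructed
stand-in, not a real X.509 certificate (a fingerprint is just a hash of the
file bytes, so the check itself does not depend on that).
"""
import base64
import hashlib
import re
from datetime import datetime, timedelta

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_FP_LINE_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2})+)\s+\((sha1|md5)\)")
_NEXT_UPDATE_RE = re.compile(r"Next update:\s+(\d{2}-\d{2}-\d{4} \d{2}:\d{2})")


def to_der(data: bytes) -> bytes:
    """DER bytes of a certificate file given as PEM or DER.  Fingerprints are
    taken over DER, so PEM input must be base64-decoded first or the value will
    never match what the device prints."""
    m = _PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    if data[:1] != b"\x30":  # every DER certificate starts with a SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data


def fingerprints(data: bytes) -> dict:
    """SHA-1 and MD5 fingerprints in the lowercase colon form Junos prints."""
    der = to_der(data)
    return {"sha1": ":".join(f"{b:02x}" for b in hashlib.sha1(der).digest()),
            "md5": ":".join(f"{b:02x}" for b in hashlib.md5(der).digest())}


def parse_prompt_fingerprints(text: str) -> dict:
    """Fingerprint lines from the load prompt (or 'show ... ca-certificate detail')."""
    return {algo: fp for fp, algo in _FP_LINE_RE.findall(text.lower())}


def ca_fingerprint_matches(cert_file: bytes, prompt_text: str) -> bool:
    """True only if the SHA-1 the device printed equals the SHA-1 of the copy
    obtained out of band.  The MD5 value is deliberately ignored: MD5 collisions
    are practical, so it is not a safe basis for a trust decision."""
    shown = parse_prompt_fingerprints(prompt_text).get("sha1")
    return shown is not None and shown == fingerprints(cert_file)["sha1"]


def crl_next_update(show_crl_output: str) -> datetime:
    """'Next update' (MM-DD-YYYY HH:MM) from 'show security pki crl' output."""
    m = _NEXT_UPDATE_RE.search(show_crl_output)
    if not m:
        raise ValueError("no 'Next update' line in output")
    return datetime.strptime(m.group(1), "%m-%d-%Y %H:%M")


def crl_is_fresh(show_crl_output: str, now_iso: str, margin_hours: int = 24) -> bool:
    """A CRL is only usable until its 'Next update'; the margin leaves time to
    reload it before revocation checks start failing.  now_iso is ISO 8601,
    e.g. '2007-10-24T09:00'."""
    now = datetime.fromisoformat(now_iso)
    return now + timedelta(hours=margin_hours) < crl_next_update(show_crl_output)


# Constructed stand-in for a DER certificate file: a correct outer SEQUENCE tag
# and length, filler instead of a real TBSCertificate.
SAMPLE_DER = b"\x30\x82\x04\x00" + bytes(range(256)) * 4
# The same bytes PEM-armoured, as a CA usually hands them over.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
# Prompt text as printed in Step 3 of the article.
ARTICLE_PROMPT = """Fingerprint:
  1b:02:cc:cb:0f:d3:14:39:51:aa:0f:ff:52:d3:38:94:b7:11:86:30 (sha1)
  90:60:53:c0:74:99:f5:da:53:d0:a0:f3:b0:23:ca:a3 (md5)
Do you want to load this CA certificate ? [yes,no] (no)"""
# 'show security pki crl' output from Step 4 of the article.
ARTICLE_CRL = """CA profile: juniper-ca
  CRL version: V00000001
  Effective date: 10-23-2007 20:32
  Next update: 10-31-2007 08:52"""

if __name__ == "__main__":
    print("computed:", fingerprints(SAMPLE_PEM)["sha1"])
    print("prompt  :", parse_prompt_fingerprints(ARTICLE_PROMPT)["sha1"])
    # The stand-in is not the article's CA certificate, so this prints False;
    # only a True here justifies answering "yes" at the prompt.
    print("match   :", ca_fingerprint_matches(SAMPLE_PEM, ARTICLE_PROMPT))
    print("CRL fresh on 2007-10-24:", crl_is_fresh(ARTICLE_CRL, "2007-10-24T09:00"))
    print("CRL fresh on 2017-03-05:", crl_is_fresh(ARTICLE_CRL, "2017-03-05T00:00"))
```

In practice, replace SAMPLE_PEM with the bytes of the CA certificate file obtained from the CA through a channel other than the FTP server used in Step 1, paste the device's prompt output into ARTICLE_PROMPT, and only answer yes when ca_fingerprint_matches returns True. The CRL check is worth scripting against the Next update field of show security pki crl whenever CRLs are loaded manually, since the CRL in the example expires about a week after it was issued.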


For additional information, go to Loading a Certificate on a Juniper VPN device.
