
Enrolling the PKI Certificate Online using SCEP (Simple Certificate Enrollment Protocol)


Article ID: KB22073 | Last Updated: 24 Oct 2011 | Version: 1.0
Summary:
This article describes how to enroll the CA certificate and the local (device) certificate on an SRX Series device using SCEP.
Symptoms:
  • This article explains how to enroll the PKI certificates on the SRX Series platform using SCEP.

  • A Microsoft Certificate Authority is used as the SCEP enrollment server.

  • The SRX must be able to reach the Microsoft CA over TCP port 80 (the default Microsoft CA port), or over whichever HTTP port the Microsoft CA has been configured to use; nothing in the path may block that port.
Cause:

Solution:
Configuration:
set security pki ca-profile ms-ca ca-identity microsoft-2003
set security pki ca-profile ms-ca enrollment url http://172.16.145.21/certsrv/mscep/mscep.dll
set security pki ca-profile ms-ca enrollment retry 20
set security pki ca-profile ms-ca enrollment retry-interval 1800


  1. First, generate the RSA Key Pair:
    root@SRX> request security pki generate-key-pair certificate-id certid
    Generated key pair certid, key size 1024 bits
  2. Enroll the CA Certificate:
    root@SRX> request security pki ca-certificate enroll ca-profile ms-ca
    Fingerprint:
    b1:17:7b:0a:76:37:80:b3:50:2c:b6:4b:61:59:6a:7a:9a:48:33:dd (sha1)
    fe:a4:17:d0:6b:21:76:8c:d9:a4:2e:fd:e7:8c:f3:a8 (md5)
    Do you want to load the above CA certificate ? [yes,no] (no) yes

    CA certificate for profile ms-ca loaded successfully
  3. Now enroll the Local Certificate:
    root@SRX> request security pki local-certificate enroll ca-profile ms-ca certificate-id certid challenge-password aaaa domain-name srx.juniper.net email srx@juniper.net ip-address 10.10.10.10 subject DC=Juniper,CN=SRX-A,OU=Marketing,O=Juniper,L=Sunnyvale,ST=California,C=us

Verification:

root@SRX> request security pki ca-certificate verify ca-profile ms-ca
CA certificate ms-ca verified successfully

root@SRX> request security pki local-certificate verify certificate-id certid
Local certificate certid verification success


root@SRX> show security pki ca-certificate detail
Certificate identifier: ain-ca
Certificate version: 3
Serial number: 2347f2d5adf9bda64a333734bfba197b
Issuer:
Common name: JNPRCA, Domain component: net
Subject:
Common name: JNPRCA, Domain component: net
Validity:
Not before: 12-21-2010 06:10
Not after: 12-21-2015 06:19
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:dd:85:32:39:52:fd:d0:d6:e0:ec:aa
14:ad:36:be:18:39:65:9f:6d:ba:78:52:5a:be:a8:2c:43:ab:f6:de
4b:8e:4d:28:ba:93:ac:31:01:fe:3c:e4:86:4e:2a:1a:e8:ee:80:5c
fd:a5:29:59:b9:f6:95:87:c8:ea:0e:52:50:c2:c5:54:b1:b3:2c:d9
4c:4c:05:78:44:66:38:80:10:c9:b7:2b:6d:b9:16:72:02:df:b7:b0
38:62:a1:ef:36:16:e9:63:44:d6:0b:4e:ae:ba:37:b9:c7:fe:ed:31
e9:10:3d:96:f9:ce:0d:f0:03:ac:01:c3:df:1b:07:91:32:d8:bd:ed
42:c9:c0:cd:2f:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Distribution CRL:
ldap:///CN=JNPRCA,CN=jsrx-server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=srx-lab,DC=jnpr,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://jsrx-server1.srx-lab.jnpr.net/CertEnroll/JNPRCA.crl
Use for key: CRL signing, Certificate signing, Digital signature
Fingerprint:
b1:17:7b:0a:76:37:80:b3:50:2c:b6:4b:61:59:6a:7a:9a:48:33:dd (sha1)
fe:a4:17:d0:6b:21:76:8c:d9:a4:2e:fd:e7:8c:f3:a8 (md5)
Auto-re-enrollment:
Status: Disabled
Next trigger time: Timer not started


root@SRX> show security pki local-certificate detail
Certificate identifier: certid
Certificate version: 3
Serial number: 2addcb71000000000047
Issuer:
Common name: JNPRCA, Domain component: net
Subject:
Organization: Juniper, Organizational unit: Marketing, Country: us,
State: California, Locality: Sunnyvale, Common name: SRX-A,
Domain component: Juniper
Alternate subject: "srx@juniper.net", srx.juniper.net, 10.10.10.10
Validity:
Not before: 10-20-2011 22:25
Not after: 10-20-2012 22:35
Public key algorithm: rsaEncryption(1024 bits)
30:81:89:02:81:81:00:ab:ea:a2:cc:49:cb:f9:f3:52:19:5a:b5:10
a1:18:b5:e1:ff:c7:8b:55:a0:b2:c3:37:3e:1b:36:a9:26:c4:3b:a1
cd:8b:03:d0:c4:74:56:d4:29:1d:f1:ce:4b:9b:bf:e9:f6:f0:7e:1f
da:39:1e:e9:57:16:ac:76:e6:2a:a4:9f:9d:eb:ff:7d:c9:f8:cb:1a
a6:78:37:c9:64:8c:32:70:6c:f8:0e:36:65:d1:9c:7f:a3:63:da:b7
3f:84:98:f2:26:aa:45:78:94:7f:0d:73:d4:9d:98:57:65:15:1b:79
91:40:5d:cf:a2:0b:ac:b3:ca:76:b6:a2:09:bb:df:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Distribution CRL:
ldap:///CN=JNPRCA,CN=jsrx-server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=srx-lab,DC=jnpr,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://jsrx-server1.srx-lab.jnpr.net/CertEnroll/JNPRCA.crl
Fingerprint:
3d:3b:a0:9f:e9:0d:a9:02:ec:9b:d9:53:8e:25:a9:05:0e:c9:e6:20 (sha1)
1c:7e:67:95:8a:44:bf:56:4b:0e:da:ba:a5:f2:bd:a9 (md5)
Auto-re-enrollment:
Status: Disabled
Next trigger time: Timer not started
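The fingerprint prompt at step 2 is the only point at which the SRX administrator decides whether to trust the CA, so the value shown there must be compared with one obtained out of band (from the CA administrator or the CA's own console), never just accepted. The following Python script is an added example and is not part of the KB article or of Junos: it parses listings in the format of the "show security pki ca-certificate detail" and "show security pki local-certificate detail" output above, compares the SHA-1 fingerprint with an expected value, and also flags conditions a practitioner would want reported: a certificate outside its validity window, an RSA key shorter than 2048 bits (the article's key pair is 1024 bits), and a SHA-1 signature algorithm. The two sample listings are constructed from the article's own output (trimmed, with the CA identifier set to ms-ca), the expected fingerprints are taken from those listings for the sake of the demonstration, and the date format assumed is the one the article's listings use.

```python
"""Check Junos 'show security pki ... detail' output before trusting a
SCEP-enrolled certificate.

Added example, not part of KB22073.  Parses the device listing, compares the
SHA-1 fingerprint with one obtained out of band, and flags validity, key size
and signature-algorithm issues.
"""
import re
from datetime import datetime

# Constructed sample: the CA listing from the article, trimmed to the fields
# used here and with the profile name set to ms-ca.
SAMPLE_CA_OUTPUT = """\
Certificate identifier: ms-ca
Certificate version: 3
Serial number: 2347f2d5adf9bda64a333734bfba197b
Issuer:
Common name: JNPRCA, Domain component: net
Subject:
Common name: JNPRCA, Domain component: net
Validity:
Not before: 12-21-2010 06:10
Not after: 12-21-2015 06:19
Public key algorithm: rsaEncryption(2048 bits)
Signature algorithm: sha1WithRSAEncryption
Use for key: CRL signing, Certificate signing, Digital signature
Fingerprint:
b1:17:7b:0a:76:37:80:b3:50:2c:b6:4b:61:59:6a:7a:9a:48:33:dd (sha1)
fe:a4:17:d0:6b:21:76:8c:d9:a4:2e:fd:e7:8c:f3:a8 (md5)
"""

# Constructed sample: the local-certificate listing from the article, trimmed.
SAMPLE_LOCAL_OUTPUT = """\
Certificate identifier: certid
Certificate version: 3
Serial number: 2addcb71000000000047
Issuer:
Common name: JNPRCA, Domain component: net
Subject:
Organization: Juniper, Organizational unit: Marketing, Country: us,
State: California, Locality: Sunnyvale, Common name: SRX-A,
Domain component: Juniper
Alternate subject: "srx@juniper.net", srx.juniper.net, 10.10.10.10
Validity:
Not before: 10-20-2011 22:25
Not after: 10-20-2012 22:35
Public key algorithm: rsaEncryption(1024 bits)
Signature algorithm: sha1WithRSAEncryption
Fingerprint:
3d:3b:a0:9f:e9:0d:a9:02:ec:9b:d9:53:8e:25:a9:05:0e:c9:e6:20 (sha1)
1c:7e:67:95:8a:44:bf:56:4b:0e:da:ba:a5:f2:bd:a9 (md5)
"""

# Assumed out-of-band values (here simply the fingerprints printed in the
# article); in practice they come from the CA administrator, not the device.
CA_EXPECTED_SHA1 = "b1:17:7b:0a:76:37:80:b3:50:2c:b6:4b:61:59:6a:7a:9a:48:33:dd"
LOCAL_EXPECTED_SHA1 = "3d:3b:a0:9f:e9:0d:a9:02:ec:9b:d9:53:8e:25:a9:05:0e:c9:e6:20"

MIN_RSA_BITS = 2048
DATE_FMT = "%m-%d-%Y %H:%M"  # format used in the article's listings (assumed)

FIELD_RE = re.compile(r"^([^:\n]+): (.+)$", re.M)
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2})+) \((sha1|md5)\)$", re.M)


def parse_cert_listing(text):
    """Return the 'Name: value' fields of a listing plus fingerprint_sha1/md5."""
    info = {key.strip(): value.strip() for key, value in FIELD_RE.findall(text)}
    for digest, alg in FINGERPRINT_RE.findall(text):
        info["fingerprint_" + alg] = digest
    return info


def rsa_bits(info):
    """Key size from 'rsaEncryption(2048 bits)'; 0 if not present."""
    match = re.search(r"\((\d+) bits\)", info.get("Public key algorithm", ""))
    return int(match.group(1)) if match else 0


def check_cert_listing(text, expected_sha1, today):
    """Return a list of findings for one listing; an empty list means it passed.

    today is an ISO date such as '2011-10-24' so that the check is reproducible.
    """
    info = parse_cert_listing(text)
    now = datetime.fromisoformat(today)
    findings = []

    # 1. The fingerprint must equal the value obtained out of band.
    actual = info.get("fingerprint_sha1", "")
    if actual.lower() != expected_sha1.lower():
        findings.append(f"SHA-1 fingerprint mismatch: got {actual or 'none'}, expected {expected_sha1}")

    # 2. The certificate must be inside its validity window.
    not_before = datetime.strptime(info["Not before"], DATE_FMT)
    not_after = datetime.strptime(info["Not after"], DATE_FMT)
    if not not_before <= now <= not_after:
        findings.append(f"certificate not valid on {today}: valid {not_before:%Y-%m-%d} to {not_after:%Y-%m-%d}")

    # 3. Key size and signature algorithm are reported, not enforced by the device.
    bits = rsa_bits(info)
    if bits < MIN_RSA_BITS:
        findings.append(f"RSA key is only {bits} bits; {MIN_RSA_BITS} or more is expected today")
    if info.get("Signature algorithm", "").lower().startswith("sha1"):
        findings.append("certificate is signed with SHA-1; prefer a SHA-256 issuing CA")

    return findings


if __name__ == "__main__":
    for name, text, fp in (("CA", SAMPLE_CA_OUTPUT, CA_EXPECTED_SHA1),
                           ("local", SAMPLE_LOCAL_OUTPUT, LOCAL_EXPECTED_SHA1)):
        result = check_cert_listing(text, fp, "2011-10-24")
        print(f"{name}: {'OK' if not result else 'FINDINGS'}")
        for line in result:
            print("  -", line)
```

Run against the article's own listings, the CA certificate passes the fingerprint and validity checks and is reported only for its SHA-1 signature, while the local certificate is additionally reported for its 1024-bit key. Paste real device output in place of the constructed samples; a fingerprint mismatch means the CA certificate offered by the enrollment URL is not the one the CA administrator published and the enrollment should be answered "no".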
