This article describes how to enroll a CA certificate and a local (device) certificate on an SRX using SCEP (Simple Certificate Enrollment Protocol) against a Microsoft CA; the mscep.dll enrollment URL in the configuration below is the Microsoft SCEP service.
Configuration:
set security pki ca-profile ms-ca ca-identity microsoft-2003
set security pki ca-profile ms-ca enrollment url http://172.16.145.21/certsrv/mscep/mscep.dll
set security pki ca-profile ms-ca enrollment retry 20
set security pki ca-profile ms-ca enrollment retry-interval 1800
The retry settings make the SRX poll the CA up to 20 times, 30 minutes (1800 seconds) apart, while a request is pending approval on the CA. The enrollment URL is plain HTTP. That is acceptable for the certificate request itself, which SCEP carries as signed and enveloped PKCS#7, but the CA certificate fetched in the next section (the SCEP GetCACert exchange) is not authenticated by the protocol, so its fingerprint has to be checked out of band before it is loaded.
- First, generate the RSA key pair. The command below uses the default key size, which on this release is 1024 bits (see the output); for a new deployment add "size 2048" to the command:
root@SRX> request security pki generate-key-pair certificate-id certid
Generated key pair certid, key size 1024 bits
- Enroll the CA certificate. The SRX retrieves it from the enrollment URL and prints its fingerprints; compare them with fingerprints obtained from the CA administrator through another channel, and answer yes only if they match:
root@SRX> request security pki ca-certificate enroll ca-profile ms-ca
Fingerprint:
b1:17:7b:0a:76:37:80:b3:50:2c:b6:4b:61:59:6a:7a:9a:48:33:dd (sha1)
fe:a4:17:d0:6b:21:76:8c:d9:a4:2e:fd:e7:8c:f3:a8 (md5)
Do you want to load the above CA certificate ? [yes,no] (no) yes
CA certificate for profile ms-ca loaded successfully
- Now enroll the local certificate. The challenge-password is the one-time enrollment password issued by the SCEP server for this request; the domain-name, email and ip-address values become subject alternative names, and the subject string becomes the certificate DN:
root@SRX> request security pki local-certificate enroll ca-profile ms-ca certificate-id certid challenge-password aaaa domain-name srx.juniper.net email srx@juniper.net ip-address 10.10.10.10 subject DC=Juniper,CN=SRX-A,OU=Marketing,O=Juniper,L=Sunnyvale,ST=California,C=us
Verification:
root@SRX> request security pki ca-certificate verify ca-profile ms-ca
CA certificate ms-ca verified successfully
root@SRX> request security pki local-certificate verify certificate-id certid
Local certificate certid verification success
root@SRX> show security pki ca-certificate detail
Certificate identifier: ms-ca
Certificate version: 3
Serial number: 2347f2d5adf9bda64a333734bfba197b
Issuer:
Common name: JNPRCA, Domain component: net
Subject:
Common name: JNPRCA, Domain component: net
Validity:
Not before: 12-21-2010 06:10
Not after: 12-21-2015 06:19
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:dd:85:32:39:52:fd:d0:d6:e0:ec:aa
14:ad:36:be:18:39:65:9f:6d:ba:78:52:5a:be:a8:2c:43:ab:f6:de
4b:8e:4d:28:ba:93:ac:31:01:fe:3c:e4:86:4e:2a:1a:e8:ee:80:5c
fd:a5:29:59:b9:f6:95:87:c8:ea:0e:52:50:c2:c5:54:b1:b3:2c:d9
4c:4c:05:78:44:66:38:80:10:c9:b7:2b:6d:b9:16:72:02:df:b7:b0
38:62:a1:ef:36:16:e9:63:44:d6:0b:4e:ae:ba:37:b9:c7:fe:ed:31
e9:10:3d:96:f9:ce:0d:f0:03:ac:01:c3:df:1b:07:91:32:d8:bd:ed
42:c9:c0:cd:2f:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Distribution CRL:
ldap:///CN=JNPRCA,CN=jsrx-server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=srx-lab,DC=jnpr,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://jsrx-server1.srx-lab.jnpr.net/CertEnroll/JNPRCA.crl
Use for key: CRL signing, Certificate signing, Digital signature
Fingerprint:
b1:17:7b:0a:76:37:80:b3:50:2c:b6:4b:61:59:6a:7a:9a:48:33:dd (sha1)
fe:a4:17:d0:6b:21:76:8c:d9:a4:2e:fd:e7:8c:f3:a8 (md5)
Auto-re-enrollment:
Status: Disabled
Next trigger time: Timer not started
root@SRX> show security pki local-certificate detail
Certificate identifier: certid
Certificate version: 3
Serial number: 2addcb71000000000047
Issuer:
Common name: JNPRCA, Domain component: net
Subject:
Organization: Juniper, Organizational unit: Marketing, Country: us,
State: California, Locality: Sunnyvale, Common name: SRX-A,
Domain component: Juniper
Alternate subject: "srx@juniper.net", srx.juniper.net, 10.10.10.10
Validity:
Not before: 10-20-2011 22:25
Not after: 10-20-2012 22:35
Public key algorithm: rsaEncryption(1024 bits)
30:81:89:02:81:81:00:ab:ea:a2:cc:49:cb:f9:f3:52:19:5a:b5:10
a1:18:b5:e1:ff:c7:8b:55:a0:b2:c3:37:3e:1b:36:a9:26:c4:3b:a1
cd:8b:03:d0:c4:74:56:d4:29:1d:f1:ce:4b:9b:bf:e9:f6:f0:7e:1f
da:39:1e:e9:57:16:ac:76:e6:2a:a4:9f:9d:eb:ff:7d:c9:f8:cb:1a
a6:78:37:c9:64:8c:32:70:6c:f8:0e:36:65:d1:9c:7f:a3:63:da:b7
3f:84:98:f2:26:aa:45:78:94:7f:0d:73:d4:9d:98:57:65:15:1b:79
91:40:5d:cf:a2:0b:ac:b3:ca:76:b6:a2:09:bb:df:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Distribution CRL:
ldap:///CN=JNPRCA,CN=jsrx-server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=srx-lab,DC=jnpr,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://jsrx-server1.srx-lab.jnpr.net/CertEnroll/JNPRCA.crl
Fingerprint:
3d:3b:a0:9f:e9:0d:a9:02:ec:9b:d9:53:8e:25:a9:05:0e:c9:e6:20 (sha1)
1c:7e:67:95:8a:44:bf:56:4b:0e:da:ba:a5:f2:bd:a9 (md5)
Auto-re-enrollment:
Status: Disabled
Next trigger time: Timer not started
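The detail output above is what you inspect after enrollment, and several of its fields deserve a second look: the local certificate has a 1024-bit RSA key, both certificates are SHA-1 signed, the local certificate is valid for only one year, and auto-re-enrollment is disabled on both, so the certificate will lapse silently unless someone tracks it. The script below is an added example, not code from the article or from Junos: it parses the fields worth auditing from the article's local-certificate output (embedded as pasted) and lists what should be fixed before the certificate is relied on for an IPsec VPN. The thresholds (2048-bit minimum, 30-day expiry warning) are this example's own choices. The same parser runs unchanged on "show security pki ca-certificate detail" output.

```python
"""Hygiene check over 'show security pki local-certificate detail' output.

Added example. Parses key size, signature algorithm, validity window and
auto-re-enrollment state, then reports findings for a given point in time.
"""
from datetime import datetime, timedelta
import re

# Copied from the article's local-certificate output; the public-key hex
# dump and the CRL distribution points are left out because the parser
# ignores those lines anyway.
LOCAL_CERT_OUTPUT = """\
Certificate identifier: certid
Certificate version: 3
Serial number: 2addcb71000000000047
Issuer:
Common name: JNPRCA, Domain component: net
Subject:
Organization: Juniper, Organizational unit: Marketing, Country: us,
State: California, Locality: Sunnyvale, Common name: SRX-A,
Domain component: Juniper
Alternate subject: "srx@juniper.net", srx.juniper.net, 10.10.10.10
Validity:
Not before: 10-20-2011 22:25
Not after: 10-20-2012 22:35
Public key algorithm: rsaEncryption(1024 bits)
Signature algorithm: sha1WithRSAEncryption
Fingerprint:
3d:3b:a0:9f:e9:0d:a9:02:ec:9b:d9:53:8e:25:a9:05:0e:c9:e6:20 (sha1)
1c:7e:67:95:8a:44:bf:56:4b:0e:da:ba:a5:f2:bd:a9 (md5)
Auto-re-enrollment:
Status: Disabled
Next trigger time: Timer not started
"""

MIN_RSA_BITS = 2048                      # example policy, not a Junos default
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
EXPIRY_WARNING = timedelta(days=30)      # example policy
JUNOS_TIMESTAMP = "%m-%d-%Y %H:%M"       # format of the Validity lines


def parse_detail(text: str) -> dict:
    """Pick the audited fields out of the output; every other line is skipped."""
    cert = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        if key == "Certificate identifier":
            cert["id"] = value
        elif key == "Public key algorithm":
            m = re.match(r"(\w+)\((\d+) bits\)", value)
            cert["key_alg"], cert["key_bits"] = m.group(1), int(m.group(2))
        elif key == "Signature algorithm":
            cert["sig_alg"] = value
        elif key in ("Not before", "Not after"):
            cert[key.lower().replace(" ", "_")] = datetime.strptime(value, JUNOS_TIMESTAMP)
        elif key == "Status":            # only occurs under Auto-re-enrollment
            cert["auto_reenroll"] = value
    return cert


def audit(text: str, now) -> list:
    """Return human-readable findings for one certificate as of `now`
    (a datetime or a 'YYYY-MM-DD' string)."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    c = parse_detail(text)
    findings = []
    if c["key_alg"] == "rsaEncryption" and c["key_bits"] < MIN_RSA_BITS:
        findings.append(f"{c['id']}: {c['key_bits']}-bit RSA key; regenerate with size {MIN_RSA_BITS} or larger")
    if c["sig_alg"] in WEAK_SIG_ALGS:
        findings.append(f"{c['id']}: signed with {c['sig_alg']}; have the CA issue SHA-256 signatures")
    if now < c["not_before"]:
        findings.append(f"{c['id']}: not valid until {c['not_before']}; check the SRX clock")
    elif now >= c["not_after"]:
        findings.append(f"{c['id']}: expired on {c['not_after']}")
    elif c["not_after"] - now <= EXPIRY_WARNING:
        findings.append(f"{c['id']}: expires in {(c['not_after'] - now).days} days ({c['not_after']})")
    if c.get("auto_reenroll", "").lower() != "enabled":
        findings.append(f"{c['id']}: auto-re-enrollment disabled; the certificate will lapse silently")
    return findings


if __name__ == "__main__":
    for finding in audit(LOCAL_CERT_OUTPUT, datetime.now()):
        print(finding)
```

Running it against the article's output with a date inside the validity window reports the weak key, the SHA-1 signature and the disabled auto-re-enrollment; within 30 days of 10-20-2012 it also warns about expiry. The key-size and signature findings are fixed on the CA and by regenerating the key pair with a larger size before re-enrolling; the re-enrollment finding is addressed with the Junos "set security pki auto-re-enrollment certificate-id ..." configuration, which is not shown in this article.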