This article provides information about Certificate-based (PKI) VPN, via SCEP (Simple Certificate Enrollment Protocol), in a Junos device.
With Simple Certificate Enrollment Protocol (SCEP), you can configure a Juniper Networks device to obtain a certificate authority (CA) certificate online and start the online enrollment for the specified certificate ID. The CA public key verifies certificates from remote peers.
Example: Enrolling a Local Certificate Online Using SCEP
Before you begin:
- Generate a public and private key pair:
[edit]
root@SRX# run request security pki generate-key-pair certificate-id mylocalcert
Generated key pair mylocalcert, key size 1024 bits
- Configure a certificate authority profile:
[edit security]
root# show
pki {
ca-profile mycaprofile {
ca-identity 172.27.201.121;
enrollment {
url http://172.27.201.121/certsrv/mscep/mscep.dll;
}
revocation-check {
disable;
}
}
traceoptions {
file pkivpn;
flag all;
}
}
- Commit the configuration:
[edit]
root@SRX# commit
- Enroll the CA certificate:
[edit]
root@SRX# run request security pki ca-certificate enroll ca-profile mycaprofile
Overview:
In this example, the Juniper Networks device is configured to obtain a local certificate online and start the online enrollment for the specified certificate ID with SCEP. The CA profile name is specified as mycaprofile and the CA location as http://172.27.201.121/certsrv/mscep/mscep.dll.
The request security pki local-certificate enroll command is used to start the online enrollment for the specified certificate ID. You must specify the CA profile name (for example, mycaprofile), the certificate ID corresponding to a previously generated key pair (for example, mylocalcert), and the following information:
Note: SCEP sends a PKCS #10 format certificate request enveloped in the PKCS #7 format.
- The challenge password from the CA for certificate enrollment and revocation; if the CA does not provide a challenge password, specify your own.
- At least one of the following values has to be specified:
- The domain name to identify the certificate owner in IKE negotiations; for example, qqq.juniper.net.
- The identity of the certificate owner for IKE negotiation, with the e-mail statement; for example, qqq@juniper.net.
- The IP address, if the device is configured for a static IP address; for example, 10.11.11.11.
- Specify the subject name in the distinguished name format within quotation marks, inclusive of the domain component (DC), common name (CN), organizational unit name (OU), organization name (O), locality (L), state (ST), and country (C).
root@SRX# run request security pki local-certificate enroll ca-profile mycaprofile certificate-id mylocalcert challenge-password 78435D51CF2CCEFC ip-address 10.11.11.11 subject "DC=Lab,CN=SRX,OU=PTAC,O=Juniper,L=SDB9,ST=MH,C=US"
Once the device certificate is obtained and the online enrollment begins for the certificate ID, the command is asynchronously processed.
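One way to review the CA profile above before the VPN relies on it, as an added example that is not from the article or from Juniper: a stdlib-only Python parser for the curly-brace `show` output, plus an audit that flags the `revocation-check disable` this profile uses and an enrollment URL that is not HTTPS. SAMPLE_CONFIG is constructed from the article's output; the function names and finding wording are mine.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the article's `show` output under [edit security].
SAMPLE_CONFIG = """pki {
    ca-profile mycaprofile {
        ca-identity 172.27.201.121;
        enrollment {
            url http://172.27.201.121/certsrv/mscep/mscep.dll;
        }
        revocation-check {
            disable;
        }
    }
}"""

def parse_junos(text):
    """Nested dicts: block header -> dict, `keyword;` -> True, `keyword value;` -> "value"."""
    stack, words = [{}], []
    for tok in re.findall(r"\{|\}|;|[^\s{};]+", text):
        if tok == "{":           # open a block keyed by its full header line
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":         # leaf statement
            stack[-1][words[0]] = True if len(words) == 1 else " ".join(words[1:])
            words = []
        else:
            words.append(tok)
    return stack[0]

def audit_ca_profiles(config):
    """Return (profile name, finding) pairs for settings a defender should question."""
    findings = []
    for header, body in config.get("pki", {}).items():
        if not header.startswith("ca-profile "):
            continue
        name = header.split(None, 1)[1]
        if body.get("revocation-check", {}).get("disable") is True:
            findings.append((name, "revocation-check disabled: revoked peer "
                                   "certificates are still accepted in IKE"))
        url = body.get("enrollment", {}).get("url", "")
        if urlparse(url).scheme != "https":
            findings.append((name, "enrollment URL is not HTTPS: verify the CA "
                                   "certificate fingerprint out of band before accepting it"))
    return findings
```

Running `audit_ca_profiles(parse_junos(SAMPLE_CONFIG))` yields both findings for mycaprofile; a profile with `revocation-check { crl ... }` and an HTTPS URL yields none.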
Verification: