Knowledge Base
Search our Knowledge Base sites to find answers to your questions.
Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles[SRX/J-Series] Certificate-based (PKI) VPN using SCEP (Simple Certificate Enrollment Protocol) in a Junos device
Symptoms:
Cause:
Solution:
With Simple Certificate Enrollment Protocol (SCEP), you can configure a Juniper Networks device to obtain a certificate authority (CA) certificate online and start the online enrollment for the specified certificate ID. The CA public key verifies certificates from remote peers.
Example: Enrolling a Local Certificate Online Using SCEP
Before you begin:
- Generate a public and private key pair:
[edit]
root@SRX# run request security pki generate-key-pair certificate-id mylocalcert
Generated key pair mylocalcert, key size 1024 bits - Configure a certificate authority profile:
[edit security]
root# show
pki {
ca-profile mycaprofile {
ca-identity 172.27.201.121;
enrollment {
url http://172.27.201.121/certsrv/mscep/mscep.dll;
}
revocation-check {
disable;
}
}
traceoptions {
file pkivpn;
flag all;
}
}
- Commit the Configuration.
root@SRX# commit - Enroll the CA certificate.
[edit] root@SRX# run request security pki ca-certificate enroll ca-profile mycaprofile
Overview:
In this example, the Juniper Networks device is configured to obtain a local certificate online and start the online enrollment for the specified certificate ID with SCEP. The CA profile name is specified as mycaprofile and the CA location as http://172.27.201.121/certsrv/mscep/mscep.dll.
The request security pki local-certificate enroll command is used to start the online enrollment for the specified certificate ID. You must specify the CA profile name (for example, mycaprofile), the certificate ID corresponding to a previously generated key-pair (for example, mylocalcert), and the following information:
Note: SCEP sends a PKCS #10 format certificate request enveloped in the PKCS #7 format.
- The challenge CA password for certificate enrollment and revocation; for example, if the CA does not provide the challenge password, then specify your own password.
- At least one of the following values have to be specified:
- The domain name to identify the certificate owner in IKE negotiations; for example, qqq.juniper.net.
- The identity of the certificate owner for IKE negotiation, with the e-mail statement; for example, qqq@juniper.net.
- The IP address, if the device is configured for a static IP address; for example, 10.11.11.11.
- Specify the subject name in the distinguished name format within quotation marks, inclusive of the domain component (DC), common name (CN), organizational unit name (OU), organization name (O), locality (L), state (ST), and country (C).
root@SRX#run request security pki local-certificate enroll ca-profile mycaprofile certificate-id mylocalcert challenge-password 78435D51CF2CCEFC ip-address 10.11.11.11 subject
"DC=Lab,CN=SRX,OU=PTAC,O=Juniper,L=SDB9,ST=MH,C=US"
Verification:
Related Links
Getting Up and Running with Junos
Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search