Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Manual Mode SCEP Operation

0

0

Article ID: KB5804 KB Last Updated: 31 Aug 2010Version: 3.0
Summary:
Manual Mode SCEP Operation
Symptoms:
Request certificate for the first time Manual Mode SCEP Supposed to receive confirmation of a certificate request with a fingerprint
Solution:

Manual mode Simple Certificate Enrollment Protocol (SCEP) indicates the manual verification of a Certificate Authority (CA) certificate has been received. Once the verification has been received, a fingerprint of the CA will display. The user should then verify the fingerprint with the CA by out of band means.

Manual process will occur under the following conditions:

  • Manual SCEP mode is selected.
  • A new CA certificate is retrieved, and there is no pre-existing certificate.

Currently, only one SCEP operation is allowed at a time. Concurrent SCEP requests are not supported, especially in manual mode SCEP operation. However, concurrent pending certificates are allowed. After one certificate is in a pending state, a request can be issued for another certificate, before the last pending certificate is retrieved.

Manual mode SCEP operation can be executed either from the WebUI or from the Command Line Interface (CLI).When manual mode SCEP is selected in the WebUI, and a new CA certificate is received, the fingerprint (hex string) will display when it becomes available. The user can select either OK or Cancel on the SCEP operation. By clicking OK, the SCEP operation will continue. Clicking Cancel will abort the SCEP operation.

To run an SCEP operation from the CLI, perform the following steps:

Open the Command Line Interface (CLI). For more information on how to open the CLI, go to Accessing the Command Line Interface Using Telnet.Set the domain name you want to use for the local certificate:

set pki x509 dn [domain name]

Generate the public and private key pair:

exec pki rsa/dsa/ new-key [number bits]

Set up the global CA URL paths:

set pki authority -1 scep [scep settings]

Each path needs to be entered separately.To copy the CA URL configuration from an existing CA, enter the following:

set pki authority [loop index of existing CA cert] scep current

Send the SCEP request (i.e., request a CA certificate first):

exec pki x509 scep -1

If manual mode is configured, once the CA certificate is retrieved, the fingerprint of the CA certificate will display. Otherwise, the SCEP operation will continue to obtain the certificate.If manual mode is configured, enter the following command to pass or fail the fingerprint:

set pki authority -1 scep authentication [pass/fail]

Should the authentication pass, the SCEP operation will continue to obtain the user certificate. Otherwise, the operation will stop.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search