Introduction to PKI in Junos OS
PKI Applications Overview
The Junos OS uses public/private keys in the following areas:
SSH/SCP (for secure command-line interface [CLI]-based administration)
Secure Sockets Layer (SSL) (for secure Web-based administration and for https-based webauth for user authentication)
Internet Key Exchange (IKE) (for IPsec VPN tunnels)
Note the following points:
Currently Junos OS supports only IKE (using public key infrastructure (PKI) certificates for public key validation).
The SSH and SCP are used exclusively for system administration and depends on the use of out-of-band fingerprints for public key identity binding and validation. Details on SSH are not covered in this topic.
Components for Administering PKI in Junos OS
The following components are required for administrating PKI in Junos OS:
CA certificates and authority configuration
Local certificates including the devices identity (example: IKE ID type and value) and private and public keys
Certificate validation through a certificate revocation list (CRL)
Basic Elements of PKI in Junos OS
Junos OS supports three specific types of PKI objects:
Private/public key pair
Local certificate—The local certificate contains the public key and identity information for the Juniper Networks device. The Juniper Networks device owns the associated private key. This certificate is generated based on a certificate request from the Juniper Networks device.
Pending certificate — A pending certificate contains a key pair and identity information that is generated into a PKCS10 certificate request and manually sent to a certificate authority (CA). While the Juniper Networks device waits for the certificate from the CA, the existing object (key pair and the certificate request) is tagged as a certificate request or pending certificate.
Junos OS Release 9.0 and later supports automatic sending of certificate requests through SCEP.
CA certificate — When the certificate is issued by the CA and loaded into the Junos OS device, the pending certificate is replaced by the newly generated local certificate. All other certificates loaded into the device are considered CA certificates.
Certificate revocation lists (CRLs)
Note the following points about certificates:
Local certificates are generally used when a Junos OS device has VPNs in more than one administrative domain.
All PKI objects are stored in a separate partition of persistent memory, apart from the Junos OS image and the system’s general configuration.
Each PKI object has a unique name or certificate-ID given to it when it is created and maintains that ID until its deletion. You can view the certificate-ID by using the show security pki local-certificate command.
A certificate cannot be copied from a device under most circumstances. The private key on a device must be generated on that device only, and it should never be viewed or saved from that device. So PKCS12 files (which contain a certificate with the public key and the associated private key) are not supported on Junos OS devices.
CA certificates validate the certificates received by the IKE peer. If the certificate is valid, then it is verified in the CRL to see whether the certificate has been revoked.
Each CA certificate includes a CA profile configuration that stores the following information:
CA identity, which is typically the domain name of the CA
E-mail address for sending the certificate requests directly to the CA
Revocation check enable/disable option
Disabling of revocation check in case of CRL download failure.
Location of CRL Distribution Point (CDP) (for manual URL setting)
CRL refresh interval