show security pki local-certificate (View)
Syntax
Release Information
Command modified in Junos OS Release 9.1. Subject string output field added in Junos OS Release 12.1X44-D10.
Description
Display information about the local digital certificates, corresponding public keys, and the automatically generated self-signed certificate configured on the device.
Options
none—Display basic information about all configured local digital certificates, corresponding public keys, and the automatically generated self-signed certificate.
brief | detail—(Optional) Display the specified level of output.
certificate-id certificate-id-name—(Optional) Display information about only the specified local digital certificates and corresponding public keys.
system-generated—Display information about the automatically generated self-signed certificate.
Required Privilege Level
view
List of Sample Output
show security pki local-certificate certificate-id hello
show security pki local-certificate certificate-id hello detail
show security pki local-certificate system-generated
show security pki local-certificate system-generated detail
show security pki local-certificate certificate-id mycert - (local certificate enrolled online using SCEP)
show security pki local-certificate certificate-id mycert detail - (local certificate enrolled online using SCEP)
show security pki local-certificate detail
Output Fields
Table 1 lists the output fields for the show security pki local-certificate command. Output fields are listed in the approximate order in which they appear.
Table 1: show security pki local-certificate Output Fields
Field Name | Field Description |
---|---|
Certificate identifier | Name of the digital certificate. |
Certificate version | Revision number of the digital certificate. |
Serial number | Unique serial number of the digital certificate. Starting in Junos OS Release 20.1R1, the PKI local certificate serial number is displayed with a 0x prefix to indicate that it is in hexadecimal format. |
Issued to | Device that was issued the digital certificate. |
Issued by | Authority that issued the digital certificate. |
Issuer | Authority that issued the digital certificate, including details of the authority organized using the distinguished name format. Possible subfields are: |
LSYS | Name of the logical system. |
Subject | Details of the digital certificate holder organized using the distinguished name format. Possible subfields are: If the certificate contains multiple subfield entries, all entries are displayed. |
Subject string | Subject field as it appears in the certificate. |
Alternate subject | Domain name or IP address of the device related to the digital certificate. |
Validity | Time period when the digital certificate is valid. Values are: |
Public key algorithm | Encryption algorithm used with the private key, such as rsaEncryption(1024 bits). |
Public key verification status | Public key verification status: Failed or Passed. The detail output also provides the verification hash. |
Signature algorithm | Encryption algorithm that the CA used to sign the digital certificate, such as sha1WithRSAEncryption. |
Fingerprint | Secure Hash Algorithm (SHA1) and Message Digest 5 (MD5) hashes used to identify the digital certificate. |
Distribution CRL | Distinguished name information and URL for the certificate revocation list (CRL) server. |
Use for key | Use of the public key, such as Certificate signing, CRL signing, Digital signature, or Data encipherment. |
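
The fields in Table 1 can be checked mechanically. The following Python code is an added example, not part of the Junos documentation: it parses saved output of this command and flags short keys, SHA-1 or MD5 signature algorithms, and certificates that are expired or close to expiry. The 2048-bit minimum, the 30-day warning window, the function names and the sample text are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: field names and formats follow Table 1; entries are made up.
SAMPLE = """\
Certificate identifier: branch-vpn
  Not after: 08- 8-2014 17:02
  Public key algorithm: rsaEncryption(1024 bits)
  Signature algorithm: sha1WithRSAEncryption
Certificate identifier: lab-root
  Not after: 11-26-2024 02:47 UTC
  Public key algorithm: rsaEncryption(2048 bits)
  Signature algorithm: sha256WithRSAEncryption
"""

# FIELD: "Name: value" lines (3+ letter names skip hex rows); DATE: MM-DD-YYYY HH:MM.
FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z -]{2,}?):[ \t]*(.*)$", re.M)
DATE = re.compile(r"(\d{1,2})-\s*(\d{1,2})-(\d{4})\s+(\d{2}):(\d{2})")

def parse_certs(text):
    """Return one dict of field -> value per 'Certificate identifier' block."""
    certs = []
    for key, value in FIELD.findall(text):
        if key == "Certificate identifier":
            certs.append({})
        if certs:
            certs[-1][key] = value.strip()
    return certs

def parse_date(value):
    m = DATE.search(value)
    if not m:
        return None
    month, day, year, hour, minute = map(int, m.groups())
    return datetime(year, month, day, hour, minute)

def audit(cert, now, min_bits=2048, warn_days=30):  # assumed policy thresholds
    findings = []
    bits = re.search(r"\((\d+) bits\)", cert.get("Public key algorithm", ""))
    if bits and int(bits.group(1)) < min_bits:
        findings.append(f"weak key ({bits.group(1)} bits)")
    if cert.get("Signature algorithm", "").lower().startswith(("sha1", "md5")):
        findings.append("legacy signature hash")
    expiry = parse_date(cert.get("Not after", ""))
    days = (expiry - now).days if expiry else None
    if days is None:
        findings.append("no parsable expiry")
    elif days < warn_days:
        findings.append("expired" if expiry < now else f"expires in {days} days")
    return findings
```

Timestamps are parsed as naive values, so pass `now` in the same time zone the device reports.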
Sample Output
show security pki local-certificate certificate-id hello
user@host> show security pki local-certificate certificate-id hello
LSYS: root-logical-system
Certificate identifier: hello
  Issued to: cn1, Issued by: DC = local, DC = demo, CN = domain-example-WIN-CA
  Validity:
    Not before: 08- 8-2012 17:02
    Not after: 08- 8-2014 17:02
  Public key algorithm: rsaEncryption(1024 bits)
Sample Output
show security pki local-certificate certificate-id hello detail
user@host> show security pki local-certificate certificate-id hello detail
Certificate identifier: hello
  Certificate version: 3
  Serial number: 61ba9da000000000d72e
  Issuer:
    Common name: Example-CA, Domain component: local, Domain component: demo
  Subject:
    Organization: o1, Organization: o2, Organizational unit: ou1, Organizational unit: ou2, Country: US, State: CA, Locality: Sunnyvale, Common name: cn1, Common name: cn2, Domain component: dc1, Domain component: dc2
  Subject string: C=Example, DC=dc1, DC=dc2, ST=CA, L=Sunnyvale, O=o1, O=o2, OU=ou1, OU=ou2, CN=cn1, CN=cn2
  Alternate subject: "user@example.net", user.example.net, 192.0.2.1
  Validity:
    Not before: 08- 8-2012 17:02
    Not after: 08- 8-2014 17:02
  Public key algorithm: rsaEncryption(1024 bits)
    30:81:89:02:81:81:00:b4:14:01:d5:4f:79:87:d5:bb:e6:5e:c1:14
    97:da:b4:40:ad:1a:77:3e:ec:2e:68:8e:e4:93:a3:fe:7c:0b:58:af
    e1:20:27:82:ca:8d:6f:f0:97:d1:ad:fe:df:6c:cb:3c:b0:4f:cc:dd
    ac:d8:69:3f:3c:59:b5:2a:c6:83:e8:b3:94:5e:0a:2d:cd:e2:b0:15
    3e:97:a7:8a:4e:fb:59:f7:20:4c:ba:a8:80:3e:ba:be:69:ef:2b:32
    e4:1a:1c:24:53:1b:d5:c3:aa:d4:25:73:96:76:ea:49:d4:da:7e:3e
    0c:c6:6b:22:43:cb:04:84:0d:25:33:07:6b:49:41:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL:
    ldap:///Example-CA,CN=cn-win,CN=CDP,CN=Public%20Key
    %20Services,CN=Services,CN=Configuration,DC=demo,DC=local?certificateRevocationList?base?
    objectClass=cRLDistributionPoint
    http://example.example.net/CertEnroll/Example-CA.crl
  Use for key: Key encipherment, Digital signature, 1.3.6.1.5.5.8.2.2, 1.3.6.1.5.5.8.2.2
  Fingerprint:
    76:a8:5f:65:b4:bf:bd:10:d8:56:82:65:ff:0d:04:3a:a5:e9:41:dd (sha1)
    8f:99:a4:15:98:10:4b:b6:1a:3d:81:13:93:2a:ac:e7 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
Sample Output
show security pki local-certificate system-generated
user@host> show security pki local-certificate system-generated
Certificate identifier: system-generated
  Issued to: JN10B9390AGB, Issued by: CN = JN10B9390AGB, CN = system generated, CN = self-signed
  Validity:
    Not before: 10-30-2009 23:02
    Not after: 10-29-2014 23:02
  Public key algorithm: rsaEncryption(1024 bits)
Sample Output
show security pki local-certificate system-generated detail
user@host> show security pki local-certificate system-generated detail
Certificate identifier: system-generated
  Certificate version: 3
  Serial number: e90d42ebd14ef954b3e48c2eed5b30fb
  Issuer:
    Common name: JN10B9390AGB, Common name: system generated, Common name: self-signed
  Subject:
    Common name: JN10B9390AGB, Common name: system generated, Common name: self-signed
  Subject string: CN=JN10B9390AGB, CN=system generated, CN=self-signed
  Validity:
    Not before: 10-30-2009 23:02
    Not after: 10-29-2014 23:02
  Public key algorithm: rsaEncryption(1024 bits)
    30:81:89:02:81:81:00:cb:c8:3f:e6:d3:e5:ca:9d:dc:2d:e9:ca:c7
    5f:b1:f5:3a:f0:1c:a7:55:43:0f:ef:fd:1c:fe:29:09:d5:37:d0:fa
    d6:ee:bc:b8:3f:58:d4:31:fb:96:4f:4f:cc:a9:1a:8f:2e:1b:50:6f
    2b:88:34:74:b2:6d:ad:94:b5:dd:3d:80:87:56:d0:42:50:4d:ac:d7
    8c:21:06:2d:07:1e:f4:d0:c7:85:2e:25:60:ad:1b:b5:b2:d2:1d:c8
    79:67:8c:56:06:04:75:6e:be:4e:99:b8:07:e6:9a:11:fe:b5:ec:c0
    1e:68:da:47:99:1b:b2:c8:07:ab:cd:6e:fe:c1:fd:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Fingerprint:
    be:1f:21:13:71:cd:9d:de:7a:41:d7:4c:52:8d:3e:d6:ba:db:75:96 (sha1)
    ba:fc:90:4b:5f:a8:66:a3:b9:64:89:9f:e2:45:b5:84 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
Sample Output
show security pki local-certificate certificate-id mycert - (local certificate enrolled online using SCEP)
user@host> show security pki local-certificate certificate-id mycert
LSYS: root-logical-system
Certificate identifier: mycert
  Issued to: bubba, Issued by: DC = local, DC = demo, CN = domain-example-WIN-CA
  Validity:
    Not before: 11-15-2012 18:58
    Not after: 11-15-2014 18:58
  Public key algorithm: rsaEncryption(1024 bits)
Sample Output
show security pki local-certificate certificate-id mycert detail - (local certificate enrolled online using SCEP)
user@host> show security pki local-certificate certificate-id mycert detail
Certificate identifier: mycert
  Certificate version: 3
  Serial number: 1f00b50a000000013ad2
  Issuer:
    Common name: Example-CA, Domain component: local, Domain component: demo
  Subject:
    Organization: example, Organizational unit: SSD, Country: US, Common name: host1, Serial number: SRX240-11152012
  Subject string: serialNumber=SRX240-11152012, C=US, O=example, OU=SSD, CN=host1
  Alternate subject: "user@example.net", user.example.net, 192.0.2.1
  Validity:
    Not before: 11-15-2012 18:58
    Not after: 11-15-2014 18:58
  Public key algorithm: rsaEncryption(1024 bits)
    30:81:89:02:81:81:00:e3:e5:ae:c0:82:af:db:94:01:2f:56:46:50
    7d:3d:0b:0c:f0:1f:1d:7d:c3:aa:d4:4c:a0:cd:23:8b:3f:47:05:ee
    7b:65:42:a0:dc:c4:ac:a7:b6:a6:9f:5c:ea:d8:22:b0:bf:03:75:09
    be:fa:77:cb:d6:67:19:e6:80:fa:a5:7c:93:af:96:66:9f:cc:45:d5
    eb:ab:c1:f0:32:a6:d9:27:1b:80:bb:57:ec:31:a2:e0:2b:e1:42:c0
    92:8a:9b:ed:a6:d2:ec:7c:84:5a:8a:d9:96:a7:7e:40:c3:80:0e:f4
    d6:a2:5d:78:93:3b:7d:d5:8a:f5:de:fb:bc:0d:6d:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL:
    ldap:///Example-CA,CN=cn-win,CN=CDP,CN=Public%20Key%20Services,
    CN=Services,CN=Configuration,DC=demo,DC=local?certificateRevocationList?
    base?objectClass=cRLDistributionPoint
    http://example.example.net/CertEnroll/Example-CA.crl
  Use for key: Key encipherment, Digital signature, 1.3.6.1.5.5.8.2.2, 1.3.6.1.5.5.8.2.2
  Fingerprint:
    1f:2f:a9:22:a8:d5:a9:36:cc:c4:bd:81:59:9d:9c:58:bb:40:15:72 (sha1)
    51:27:e4:d5:29:90:f7:85:9e:67:84:a1:75:d1:5b:16 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
Sample Output
show security pki local-certificate detail
user@host> show security pki local-certificate detail
Certificate identifier: Root-CA
  Certificate version: 3
  Serial number: 0x64fd90f39e513fb3435946f893f19360
  Issuer:
    Common name: vpnqa-msca
  Subject:
    Common name: vpnqa-msca
  Subject string: CN=vpnqa-msca
  Validity:
    Not before: 11-26-2019 02:37 UTC
    Not after: 11-26-2024 02:47 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:ed:6b:34:79:99:fd:b7:a3:39:6c:37
    2a:45:08:c9:5c:46:bc:a3:5d:92:db:b7:fa:1e:42:88:64:0b:57:8e
    7e:4a:80:d5:49:12:0c:46:23:f3:8c:7d:b6:db:05:9a:de:fd:00:82
    46:49:e6:47:f5:3e:c5:0e:72:aa:af:35:38:11:e7:bb:31:a7:36:59
    7d:8a:53:c9:73:6a:4b:50:f5:05:c7:0f:60:94:07:0a:04:a9:e4:37
    b6:4e:6a:b2:a7:36:bf:bf:b0:7b:8f:32:85:3d:34:b0:e0:e4:29:86
    4f:6e:23:b0:eb:d3:02:93:fc:84:bb:26:41:b3:9a:71:2c:07:78:23
    ab:49:ed:8d:6a:7b:8d:4b:c5:23:d8:05:b5:77:f0:27:22:34:60:b0
    c1:4b:bd:b6:ef:fd:27:8c:28:31:f3:20:8b:48:5a:33:63:32:d0:04
    89:56:c3:16:84:2c:06:7b:5c:64:76:b0:19:47:2f:5c:bf:e3:48:37
    aa:83:1c:eb:16:27:26:76:7d:ad:2c:d7:b1:b7:c2:40:c7:ef:72:93
    cd:a3:b1:d7:bd:c5:c1:d9:6e:d7:2c:22:51:55:ca:5d:f8:9e:0f:93
    3d:85:4a:77:3c:a3:8e:87:40:3f:35:6b:d3:d7:bf:2c:4e:bb:b1:02
    5d:ae:55:c2:bd:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Use for key: CRL signing, Certificate signing, Digital signature
  Fingerprint:
    73:d9:ba:b6:83:2e:99:6b:f8:a3:b6:3b:ec:84:4f:5d:9a:04:8c:9b (sha1)
    6f:7d:db:5a:f1:ec:95:b8:d9:68:dd:53:17:e2:59:60 (md5)