Configuring Certificate Authority Profiles

A certificate authority (CA) profile defines every parameter associated with a specific CA that the device uses to establish a secure connection between two endpoints. The profile specifies which CA certificate to use, how to check certificate revocation status, and how that status constrains access.

Understanding Certificate Authority Profiles

A certificate authority (CA) profile configuration contains information specific to one CA. You can have multiple CA profiles on an SRX Series device; for example, one profile for orgA and one for orgB. Each profile is associated with one CA certificate. To load a new CA certificate without removing the older one, create a new CA profile for it (for example, Microsoft-2008).

Starting with Junos OS Release 18.1R1, the CA server can be an IPv6 CA server.

Note

The PKI module supports IPv6 address format to enable the use of SRX Series devices in networks where IPv6 is the only protocol used.

A CA issues digital certificates, and certificate validation against that CA is what lets two endpoints establish a secure connection. You can group multiple CA profiles into one trusted CA group for a given topology. To establish IKE or IPsec, both endpoints must trust the same CA. If either endpoint is unable to validate the peer certificate using its trusted CA (ca-profile) or trusted CA group, the connection is not established. A trusted CA group must contain at least one CA profile and can contain at most 20. Any CA in the group can validate the certificate presented by the peer; a certificate that chains only to a CA outside the group fails validation.

Starting with Junos OS Release 18.1R1, a configured IKE peer can be validated against a specified CA server or a group of CA servers. Create a group of trusted CA servers with the trusted-ca-group configuration statement at the [edit security pki] hierarchy level, listing one or more CA profiles. The trusted CA (or group) is then bound to the IKE policy for the peer at the [edit security ike policy policy certificate] hierarchy level.
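The following set commands are an added example, not configuration from the original page, showing two CA profiles grouped into a trusted CA group and that group bound to an IKE policy. The profile names orgA-root and orgA-issuing, the CA identities, the group name orgA-cas, and the policy name ike-pol are assumed for illustration; the lines beginning with # are annotations, not commands.

```junos
# Two CA profiles for the same organization (names and identities assumed)
set security pki ca-profile orgA-root ca-identity orgA-root-ca
set security pki ca-profile orgA-issuing ca-identity orgA-issuing-ca

# Group them: a peer certificate validated by either CA is accepted
set security pki trusted-ca-group orgA-cas ca-profiles orgA-root
set security pki trusted-ca-group orgA-cas ca-profiles orgA-issuing

# Bind the group to the IKE policy; a peer certificate that chains to a CA
# loaded on the device but outside this group is rejected for this policy
set security ike policy ike-pol certificate trusted-ca group orgA-cas
```

Binding the IKE policy to the group rather than to a single ca-profile lets you rotate or add an issuing CA without touching the IKE policy, while still restricting trust for that peer to the listed CAs instead of every CA certificate loaded on the device. Confirm the group membership with show security pki trusted-ca-group in configuration mode.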

If a proxy profile is configured in the CA profile, the device connects to the proxy host instead of the CA server during certificate enrollment, verification, and revocation checking. The proxy host forwards the device's requests to the CA server and relays the responses back to the device.

CA proxy profile supports SCEP, CMPv2, and OCSP protocols.

A CA proxy profile is supported only for HTTP; HTTPS is not supported. The transport between the device and the proxy is therefore cleartext. SCEP and CMPv2 sign and encrypt their payloads at the message layer, and OCSP responses and CRLs are signed by their issuers, so this restriction limits the confidentiality of the exchange rather than the integrity of the certificate material.

Example: Configuring a CA Profile

This example shows how to configure a CA profile.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, you create a CA profile called ca-profile-ipsec with CA identity microsoft-2008 and attach a proxy profile to it. The configuration specifies that the CRL is refreshed every 48 hours and retrieved from http://www.my-ca.com. You set the enrollment retry value to 20 (the default is 10).

Automatic certificate polling is set to every 30 minutes. If you configure retry without a retry interval, the default retry interval is 900 seconds (15 minutes). If you configure neither retry nor a retry interval, there is no polling.

Configuration

Step-by-Step Procedure

To configure a CA profile:

  1. Create a CA profile.
  2. Optionally, configure the proxy profile to the CA profile.

    Public key infrastructure (PKI) uses a proxy profile configured at the system level. The proxy profile referenced by the CA profile must be configured at the [edit services proxy] hierarchy, where you also set the proxy host and port. More than one proxy profile can be configured under that hierarchy, but each CA profile references at most one of them.

  3. Create a revocation check to specify a method for checking certificate revocation.
  4. Set the refresh interval, in hours, to specify how often the CRL is refreshed. If no refresh interval is configured, the CRL is refreshed at the next-update time carried in the CRL itself, or after 1 week if the CRL specifies no next-update time.
  5. Specify the enrollment retry value.
  6. Specify the time interval, in seconds, between automatic online enrollment attempts for the CA certificate.
  7. If you are done configuring the device, commit the configuration.
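The steps above as one complete set of commands. This is an added example, not the original page's configuration listing: the proxy profile name px-profile and the proxy host 192.0.2.10 on port 3128 are assumptions for illustration, while the profile name, CA identity, CRL URL, refresh interval, and retry values are the ones given in the overview. Lines beginning with # are annotations, not commands.

```junos
# Step 2 prerequisite: system-level proxy profile (HTTP only; HTTPS proxying
# is not supported). Host and port are assumed values.
set services proxy profile px-profile protocol http host 192.0.2.10
set services proxy profile px-profile protocol http port 3128

# Step 1: the CA profile and its CA identity
set security pki ca-profile ca-profile-ipsec ca-identity microsoft-2008

# Step 2: enrollment, verification and revocation traffic goes via the proxy
set security pki ca-profile ca-profile-ipsec proxy-profile px-profile

# Steps 3 and 4: CRL-based revocation checking, refreshed every 48 hours
set security pki ca-profile ca-profile-ipsec revocation-check crl url http://www.my-ca.com
set security pki ca-profile ca-profile-ipsec revocation-check crl refresh-interval 48

# Steps 5 and 6: 20 enrollment retries, 1800 seconds (30 minutes) apart
set security pki ca-profile ca-profile-ipsec enrollment retry 20
set security pki ca-profile ca-profile-ipsec enrollment retry-interval 1800

# Step 7
commit
```

Two checks are worth running after the commit: show security pki in configuration mode confirms the profile as entered, and the operational command show security pki ca-certificate ca-profile ca-profile-ipsec confirms that a CA certificate is actually loaded for the profile. Until the CA certificate is present, the device cannot validate peer certificates against this profile, and the crl url is only consulted once revocation checking runs against a loaded chain.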

Verification

To verify that the configuration is working properly, enter the show security pki command.

Example: Configuring an IPv6 address as the Source Address for a CA Profile

This example shows how to configure an IPv6 address as the source address for a CA profile.

No special configuration beyond device initialization is required before configuring this feature.

In this example, you create a CA profile called orgA-ca-profile with CA identity v6-ca and set the source address of the CA profile to an IPv6 address, such as 2001:db8:0:f101::1. The enrollment URL can also carry an IPv6 address, written in brackets, for example http://[2002:db8:0:f101::1]:/.../.

  1. Create a CA profile.
  2. Configure the source address of the CA profile to be an IPv6 address.
  3. Specify the enrollment parameters for the CA.
  4. If you are done configuring the device, commit the configuration.
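The IPv6 procedure above as set commands. This is an added example, not a listing from the original page; the profile name, CA identity, source address, and enrollment URL are the ones given in the description, and the path portion of the enrollment URL is elided exactly as it is on the page. Lines beginning with # are annotations, not commands.

```junos
# Step 1: CA profile and identity
set security pki ca-profile orgA-ca-profile ca-identity v6-ca

# Step 2: the device sources PKI traffic to this CA from its IPv6 address
set security pki ca-profile orgA-ca-profile source-address 2001:db8:0:f101::1

# Step 3: enrollment URL with a bracketed IPv6 literal; the path is elided
# on the page and must be replaced with the CA's actual enrollment path
set security pki ca-profile orgA-ca-profile enrollment url http://[2002:db8:0:f101::1]:/.../

# Step 4
commit
```

The source-address must be an address the device actually owns and that the CA server can reach and reply to; otherwise enrollment and revocation requests leave from the wrong interface or never return.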

Release History Table

Release   Description
18.1R1    Starting with Junos OS Release 18.1R1, the CA server can be an IPv6 CA server.
18.1R1    Starting with Junos OS Release 18.1R1, validation of a configured IKE peer can be done with a specified CA server or group of CA servers.