
    Example: Using SCEP to Automatically Renew a Local Certificate

    This example shows how to renew local certificates automatically using SCEP.

    Requirements

    Before you begin:

    Overview

    You can enable the device to automatically renew certificates that were acquired by online enrollment or loaded manually. Automatic certificate renewal saves you from having to remember to renew certificates on the device before they expire, and helps to maintain valid certificates at all times.

    Automatic certificate renewal is disabled by default. You can enable automatic certificate renewal and configure the device to automatically send out a request to reenroll a certificate before it expires. You can specify when the certificate reenrollment request is to be sent; the trigger for reenrollment is the percentage of the certificate’s lifetime that remains before expiration. For example, if the renewal request is to be sent when the certificate's remaining lifetime is 10%, then configure 10 for the reenrollment trigger.

    For this feature to work, the device must be able to reach the SCEP server, and the certificate must be present on the device during the renewal process. You must also ensure that the CA issuing the certificate returns the same DN: the CA must not modify the subject name or the alternate subject name extension in the new certificate.

    In this example, you enable automatic SCEP certificate renewal, which can be turned on or off either for all SCEP certificates or on a per-certificate basis. You use the security pki auto-re-enrollment command to enable and configure certificate reenrollment. You specify the certificate ID of the CA certificate as sm1 and set the CA profile name associated with the certificate to aaa. You set the challenge password for the CA certificate to abc; this password must be the same one configured previously for the CA. You also set the percentage for the reenrollment trigger to 10. During automatic reenrollment, by default, the Juniper Networks device uses the existing key pair. To generate a new key pair, use the re-generate-keypair command.

    Configuration

    Step-by-Step Procedure

    To enable and configure local certificate reenrollment:

    1. Enable and configure certificate reenrollment.
      [edit]
      user@host# set security pki auto-re-enrollment certificate-id ca-ipsec ca-profile-name ca-profile-ipsec challenge-password abc re-enroll-trigger-time-percentage 10 re-generate-keypair
    2. If you are done configuring the device, commit the configuration.
      [edit]
      user@host# commit

    Verification

    To verify that the configuration is working properly, enter the show security pki local-certificate detail operational mode command.
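    The renewal trigger and the same-DN requirement described above, as an added example that is not Juniper's code: a Python script that computes when the re-enrollment request falls due for a given re-enroll-trigger-time-percentage and checks a renewed certificate against the old one. The sample CLI output is constructed, and its layout and field names are assumptions to adapt to the output of your release.

```python
import re
from datetime import datetime
# Constructed sample, laid out like the Subject/Validity blocks of
# 'show security pki local-certificate detail' (layout is an assumption).
OLD_CERT = """\
Certificate identifier: ca-ipsec
Issuer:
  Organization: Example CA, Country: US
Subject:
  Organization: Example Corp, Country: US, Common name: gw1.example.com
Validity:
  Not before: 01- 1-2016 00:00 UTC
  Not after: 12-31-2016 00:00 UTC
"""
# Same certificate after a successful SCEP re-enrollment (constructed).
NEW_CERT = OLD_CERT.replace("01- 1-2016", "12- 1-2016").replace("12-31-2016", "12- 1-2017")

def parse_cert(text):
    """Return identifier, subject DN text and validity window from CLI output."""
    def field(label):
        m = re.search(r"^\s*" + label + r":\s*(.+?)\s*$", text, re.M)
        if not m:
            raise ValueError("missing field: " + label)
        return m.group(1)
    def stamp(s):
        # Junos pads single-digit days with a space ("01- 1-2016"); normalise it.
        return datetime.strptime(s.replace(" UTC", "").replace("- ", "-0"), "%m-%d-%Y %H:%M")
    subject = text.split("Subject:", 1)[1].split("Validity:", 1)[0].strip()
    return {"id": field("Certificate identifier"), "subject": subject,
            "not_before": stamp(field("Not before")), "not_after": stamp(field("Not after"))}

def renewal_trigger(cert, trigger_pct):
    """Moment the device sends the re-enrollment request: when the remaining
    lifetime equals re-enroll-trigger-time-percentage of the total lifetime."""
    lifetime = cert["not_after"] - cert["not_before"]
    return cert["not_after"] - lifetime * (trigger_pct / 100)

def renewal_problems(old_text, new_text):
    """Post-renewal checks: same identifier, same subject DN (the CA must not
    rewrite it) and a later expiry. Returns a list of findings; empty is good."""
    old, new = parse_cert(old_text), parse_cert(new_text)
    findings = []
    if new["id"] != old["id"]:
        findings.append("certificate identifier changed")
    if new["subject"] != old["subject"]:
        findings.append("subject DN changed: " + new["subject"])
    if new["not_after"] <= old["not_after"]:
        findings.append("renewed certificate does not expire later than the old one")
    return findings
```

Run renewal_problems against the detail output captured before and after the renewal window; any finding means the CA did not honour the DN or the re-enrollment did not take effect.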

    Modified: 2016-07-06