Related Documentation
- J Series
- Understanding Certificate Revocation Lists
- Digital Certificates Configuration Overview
- Example: Verifying Certificate Validity
- Example: Configuring a Certificate Authority Profile with CRL Locations
- Deleting a Loaded CRL (CLI Procedure)
- LN Series
- Understanding Certificate Revocation Lists
- Digital Certificates Configuration Overview
- Example: Verifying Certificate Validity
- Example: Configuring a Certificate Authority Profile with CRL Locations
- Deleting a Loaded CRL (CLI Procedure)
- SRX Series
- Understanding Certificate Revocation Lists
- Digital Certificates Configuration Overview
- Example: Verifying Certificate Validity
- Example: Configuring a Certificate Authority Profile with CRL Locations
- Deleting a Loaded CRL (CLI Procedure)
- Additional Information
- Public Key Infrastructure Feature Guide for Security Devices
Example: Manually Loading a CRL onto the Device
This example shows how to load a CRL manually onto the device.
Requirements
Before you begin:
- Generate a public and private key pair. See Example: Generating a Public-Private Key Pair.
- Generate a certificate request. See Example: Manually Generating a CSR for the Local Certificate and Sending it to the CA Server.
- Configure a certificate authority (CA) profile. See Example: Configuring a CA Profile.
- Load your certificate onto the device. See Example: Loading CA and Local Certificates Manually.
Overview
You can load a CRL manually, or you can have the device load it automatically when you verify certificate validity. To load a CRL manually, you obtain the CRL from a CA and transfer it to the device (for example, using FTP).
In this example, you load a CRL certificate called revoke.crl from the /var/tmp directory on the device. The CA profile is called ca-profile-ipsec. (Maximum file size is 5 MB.)
Note: If a CRL is already loaded into the ca-profile, the command clear security pki crl ca-profile ca-profile-ipsec must be run first to clear the old CRL.
Configuration
Step-by-Step Procedure
To load a CRL certificate manually:
- Load a CRL certificate.
  [edit]
  user@host> request security pki crl load ca-profile ca-profile-ipsec filename /var/tmp/revoke.crl

Note: Junos OS supports loading of CA certificates in X509, PKCS #7, DER, or PEM formats.
Verification
To verify the configuration is working properly, enter the show security pki crl operational mode command.
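The following pre-flight check is an added example, not part of the original documentation: run on a workstation before the CRL is transferred, it tests the file against the 5 MB limit given above and reads thisUpdate and nextUpdate from a DER or PEM CRL so that a stale list is noticed before it is loaded. The function name preflight_crl, the binary reading of "5 MB" and the sample bytes are assumptions, and the CRL signature is not verified here.

```python
import base64
import re
from datetime import datetime, timezone

MAX_CRL_BYTES = 5 * 1024 * 1024  # page states 5 MB; binary megabytes assumed
# Constructed sample: skeletal DER CRL, thisUpdate 2024-01-01, nextUpdate 2024-02-01.
SAMPLE_DER = (bytes.fromhex("302d 3025 020101 3000 3000 170d") + b"240101000000Z"
              + bytes.fromhex("170d") + b"240201000000Z" + bytes.fromhex("3000 03020000"))

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def _time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) to an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def preflight_crl(data, now=None):
    """Return (this_update, next_update, problems) for a PEM or DER CRL."""
    now = now or datetime.now(timezone.utc)
    problems = ["file is larger than 5 MB"] if len(data) > MAX_CRL_BYTES else []
    times = []
    try:
        pem = re.search(rb"-----BEGIN X509 CRL-----(.+?)-----END X509 CRL-----", data, re.S)
        der = base64.b64decode(pem.group(1)) if pem else data
        _, start, _ = _tlv(der, 0)           # CertificateList
        _, pos, tbs_end = _tlv(der, start)   # TBSCertList
        while pos < tbs_end and len(times) < 2:
            tag, vstart, pos = _tlv(der, pos)
            if tag in (0x17, 0x18):
                times.append(_time(tag, der[vstart:pos]))
            elif times:
                break                        # nextUpdate is optional
        this_update = times[0]               # IndexError if no Time field found
        next_update = times[1] if len(times) > 1 else None
    except (ValueError, IndexError):
        return None, None, problems + ["not a parseable DER/PEM CRL"]
    if this_update > now:
        problems.append("thisUpdate is in the future")
    if next_update and next_update < now:
        problems.append("nextUpdate has passed; CRL is stale")
    return this_update, next_update, problems
```

For a real file, pass its bytes, for example `preflight_crl(open("revoke.crl", "rb").read())`, and transfer the file only when the returned problem list is empty.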

