
    Example: Manually Loading a CRL onto the Device

    This example shows how to load a CRL manually onto the device.

    Requirements

    Before you begin:

    1. Generate a public and private key pair. See Example: Generating a Public-Private Key Pair.
    2. Generate a certificate request. See Example: Manually Generating a CSR for the Local Certificate and Sending it to the CA Server.
    3. Configure a certificate authority (CA) profile. See Example: Configuring a CA Profile.
    4. Load your certificate onto the device. See Example: Loading CA and Local Certificates Manually.

    Overview

    When you verify certificate validity, you can load a CRL manually or have the device load it automatically. To load a CRL manually, obtain the CRL from a CA and transfer it to the device (for example, using FTP).

    In this example, you load a CRL file called revoke.crl from the /var/tmp directory on the device. The CA profile is called ca-profile-ipsec. (Maximum file size is 5 MB.)

    Note: If a CRL is already loaded into the CA profile, first run the clear security pki crl ca-profile ca-profile-ipsec command to clear the old CRL.
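
A pre-load check that can be run on the workstation before the file is transferred, as an added example that is not part of the original page and is not Juniper code: it enforces the 5 MB limit stated above, accepts a PEM or DER file, and reads thisUpdate and nextUpdate from the CRL so that a stale file is caught before the old CRL is cleared. The function names, the binary reading of "5 MB" and the sample CRL (constructed, with a dummy signature) are assumptions, and the signature is not verified.

```python
import base64
import re
from datetime import datetime, timezone

MAX_CRL_BYTES = 5 * 1024 * 1024  # page: maximum file size is 5 MB (binary MB assumed)

def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def _time(tag, raw):  # 0x17 UTCTime (YY, Python's %y pivot), 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def preflight_crl(data, now):  # -> (this_update, next_update, problems)
    problems = ["file exceeds 5 MB"] if len(data) > MAX_CRL_BYTES else []
    pem = re.search(rb"-----BEGIN X509 CRL-----(.+?)-----END X509 CRL-----", data, re.S)
    der = base64.b64decode(pem.group(1)) if pem else data
    tag, pos, end = _tlv(der, 0)             # outer CertificateList
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, pos, tbs_end = _tlv(der, pos)         # TBSCertList
    times = []
    while pos < tbs_end and len(times) < 2:  # walks version, signature, issuer, times
        tag, vs, pos = _tlv(der, pos)
        if tag in (0x17, 0x18):
            times.append(_time(tag, der[vs:pos]))
        elif times:
            break                            # nextUpdate is OPTIONAL and absent here
    if not times:
        raise ValueError("thisUpdate not found")
    next_update = times[1] if len(times) == 2 else None
    if next_update is None or next_update <= now:
        problems.append("nextUpdate missing or already passed")
    return times[0], next_update, problems

def _der(tag, *parts):  # helper for the constructed sample; short-form lengths only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")), _der(0x05))
_NAME = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03"), _der(0x0C, b"Example CA"))))
_TBS = _der(0x30, _der(0x02, b"\x01"), _ALG, _NAME,
            _der(0x17, b"120601000000Z"), _der(0x17, b"120701000000Z"))
SAMPLE_DER = _der(0x30, _TBS, _ALG, _der(0x03, b"\x00\xde\xad\xbe\xef"))  # constructed sample
```

Call preflight_crl with the bytes of revoke.crl and the current UTC time; an empty problems list means the file is within the size limit and its nextUpdate has not yet passed.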

    Configuration

    Step-by-Step Procedure

    To load a CRL manually:

    1. Load the CRL.
      user@host> request security pki crl load ca-profile ca-profile-ipsec filename /var/tmp/revoke.crl

      Note: Junos OS supports loading of CA certificates in X509, PKCS #7, DER, or PEM formats.

    Verification

    To verify the configuration is working properly, enter the show security pki crl operational mode command.

    Published: 2012-06-29