Related Documentation
- J Series
- Understanding Certificate Revocation Lists
- Example: Manually Loading a CRL onto the Device
- Example: Verifying Certificate Validity
- Deleting a Loaded CRL (CLI Procedure)
- Deleting Certificates (CLI Procedure)
- SRX Series
- Understanding Certificate Revocation Lists
- Example: Manually Loading a CRL onto the Device
- Example: Verifying Certificate Validity
- Deleting a Loaded CRL (CLI Procedure)
- Deleting Certificates (CLI Procedure)
- Additional Information
- Junos OS Feature Support Reference for SRX Series and J Series Devices

Example: Configuring a Certificate Authority Profile with CRL Locations
This example shows how to configure a certificate authority profile with CRL locations.
Requirements
Before you begin:
- Generate a key pair in the device. See Example: Generating a Public-Private Key Pair.
- Create a CA profile or profiles containing information specific to a CA. See Example: Configuring a CA Profile.
- Obtain a personal certificate from the CA. See Example: Manually Generating a CSR for the Local Certificate and Sending it to the CA Server.
- Load the certificate onto the device. See Example: Loading CA and Local Certificates Manually.
- Configure automatic reenrollment of the local certificate, if required.
- If necessary, load the certificate's CRL on the device. See Example: Manually Loading a CRL onto the Device.
Overview
In IKE Phase 1 negotiations, the device checks the CRL to determine whether the peer certificate it received during the IKE exchange has been revoked. If a CRL did not accompany the CA certificate and none is loaded on the device, Junos OS tries to retrieve the CRL from the LDAP or HTTP CRL distribution point defined within the CA certificate itself. If the CA certificate defines no such URL, the device falls back to the CRL URL that you configure in the CA profile.
Note: The CRL distribution point (CDP) extension in an X.509 certificate can point to either an HTTP URL or an LDAP URL.
In this example, you direct the device to check revocation for certificates validated under the CA profile called my_profile and, if a CRL did not accompany the CA certificate and is not loaded on the device, to retrieve the CRL from the URL http://abc/abc-crl.crl.
Configuration
Step-by-Step Procedure
To configure CRL checking for a CA profile:
- Specify the CA profile and the CRL URL.
  [edit]
  user@host# set security pki ca-profile my_profile revocation-check crl url http://abc/abc-crl.crl
- If you are done configuring the device, commit the configuration.
  [edit]
  user@host# commit
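The complete configuration that the procedure above produces, shown as an added example (not part of the original page) next to two weaker variants a practitioner should avoid. The profile name my_profile and the URL http://abc/abc-crl.crl are from the page; the CA identity my_ca, the 24-hour refresh interval and the profile name weak_profile are assumptions for illustration.

```junos
## Added example: CA profile with a fallback CRL location (hardened form).
## my_profile and http://abc/abc-crl.crl are from the page; ca-identity my_ca
## and the 24-hour refresh interval are assumed values for illustration.
[edit]
user@host# set security pki ca-profile my_profile ca-identity my_ca
user@host# set security pki ca-profile my_profile revocation-check crl url http://abc/abc-crl.crl
user@host# set security pki ca-profile my_profile revocation-check crl refresh-interval 24
user@host# commit

## Resulting hierarchy, as displayed by "show security pki ca-profile my_profile"
## in configuration mode:
security {
    pki {
        ca-profile my_profile {
            ca-identity my_ca;
            revocation-check {
                crl {
                    url http://abc/abc-crl.crl;
                    refresh-interval 24;
                }
            }
        }
    }
}

## Weak variants to avoid (assumed profile name weak_profile):
## - "revocation-check disable" skips revocation checking entirely, so a
##   revoked peer certificate is still accepted in IKE Phase 1.
## - "revocation-check crl disable on-download-failure" fails open: if the
##   CRL at the URL cannot be fetched, the certificate is accepted without a
##   revocation check. Without this statement the device fails closed.
user@host# set security pki ca-profile weak_profile ca-identity my_ca
user@host# set security pki ca-profile weak_profile revocation-check disable
user@host# set security pki ca-profile weak_profile revocation-check crl disable on-download-failure
```

The configured URL is only consulted in the order the Overview describes: a CRL already loaded on the device wins, then a CDP carried in the CA certificate, then the URL in the profile. Keep refresh-interval no longer than the CA's CRL publication period so the device does not keep relying on a list whose revocations are out of date.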
Verification
To verify that the configuration is working properly, enter the show security pki ca-profile my_profile command in configuration mode to display the committed CA profile, and, once the device has validated a certificate from that CA, the show security pki crl ca-profile my_profile operational mode command to confirm that the CRL was retrieved from the configured URL and to see its next update time.