Related Documentation
- J Series
- Understanding Certificate Revocation Lists
- Example: Manually Loading a CRL onto the Device
- Example: Configuring a Certificate Authority Profile with CRL Locations
- Deleting a Loaded CRL (CLI Procedure)
- SRX Series
- Understanding Certificate Revocation Lists
- Example: Manually Loading a CRL onto the Device
- Example: Configuring a Certificate Authority Profile with CRL Locations
- Deleting a Loaded CRL (CLI Procedure)
- Additional Information
- Junos OS Feature Support Reference for SRX Series and J Series Devices

Example: Verifying Certificate Validity
This example shows how to verify the validity of a certificate.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you verify certificates manually to find out whether a certificate has been revoked or whether the CA certificate used to create a local certificate is no longer present on the device.
When you verify certificates manually, the device uses the CA certificate (ca-cert) to verify the local certificate (local.cert). If the local certificate is valid, and if revocation-check is enabled in the CA profile, the device verifies that the CRL is loaded and valid. If the CRL is not loaded and valid, the device downloads the new CRL.
For CA-issued certificates or CA certificates, DNS must be configured in the device's configuration. The DNS server must be able to resolve the host in the distribution CRL and in the CA certificate/revocation list URL in the ca-profile configuration. Additionally, you must have network reachability to the same host for the checks to complete.
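The DNS and reachability prerequisite above can be checked before running the verify commands. The following Python sketch is an added example, not Juniper code: it takes the CRL URLs from the ca-profile, resolves each host, and attempts a TCP connection. It assumes it runs on a management host that shares the device's DNS servers and network path; the function names and the accepted URL schemes (http, https, ldap) are assumptions of this example.

```python
import socket
from urllib.parse import urlsplit

# Default ports per scheme; the accepted schemes are an assumption of this example.
DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389}

def crl_endpoint(url):
    """Return (host, port) for a CRL URL, or raise ValueError if it is unusable."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed CRL URL: {url!r}")
    # parts.port raises ValueError when the port is not a valid number
    return parts.hostname, parts.port or DEFAULT_PORTS[scheme]

def preflight(urls, resolve=socket.getaddrinfo,
              connect=socket.create_connection, timeout=3.0):
    """Map each URL to 'ok', 'dns-failure', 'unreachable' or 'bad-url'."""
    results = {}
    for url in urls:
        try:
            host, port = crl_endpoint(url)
        except ValueError:
            results[url] = "bad-url"
            continue
        try:
            # Step 1: the name must resolve (the DNS requirement).
            resolve(host, port, type=socket.SOCK_STREAM)
        except socket.gaierror:
            results[url] = "dns-failure"
            continue
        try:
            # Step 2: the host must accept a connection (the reachability requirement).
            connect((host, port), timeout=timeout).close()
        except OSError:
            results[url] = "unreachable"
            continue
        results[url] = "ok"
    return results

if __name__ == "__main__":
    import sys
    # Usage: python crl_preflight.py <crl-url> [<crl-url> ...]
    for url, status in preflight(sys.argv[1:]).items():
        print(f"{status:12} {url}")
```

A "dns-failure" or "unreachable" result points to the prerequisite that has to be fixed before the device can download a CRL during verification.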
Configuration
Step-by-Step Procedure
To manually verify the validity of a certificate:
- Verify the validity of a local certificate.
  [edit]
  user@host> request security pki local-certificate verify certificate-id local.cert
- Verify the validity of a CA certificate.
  [edit]
  user@host> request security pki ca-certificate verify ca-profile ca-profile-ipsec

Note: The associated private key and the signature are also verified.
Verification
To verify the configuration is working properly, enter the show security pki ca-profile command.
Note: If an error is returned instead of a positive verification, the failure is logged in pkid.


