
    Example: Verifying Certificate Validity

    This example shows how to verify the validity of a certificate.

    Requirements

    No special configuration beyond device initialization is required before configuring this feature.

    Overview

    In this example, you verify certificates manually to find out whether a certificate has been revoked or whether the CA certificate used to create a local certificate is no longer present on the device.

    When you verify certificates manually, the device uses the CA certificate (ca-cert) to verify the local certificate (local.cert). If the local certificate is valid, and if revocation-check is enabled in the CA profile, the device verifies that the CRL is loaded and valid. If the CRL is not loaded and valid, the device downloads the new CRL.

    For CA-issued certificates or CA certificates, a DNS server must be configured in the device’s configuration. The DNS server must be able to resolve the host in the CRL distribution point and in the CA certificate/revocation list URL in the ca-profile configuration. Additionally, you must have network reachability to the same host in order for the checks to succeed.

    Configuration

    Step-by-Step Procedure

    To manually verify the validity of a certificate:

    1. Verify the validity of a local certificate.
      [edit]
      user@host> request security pki local-certificate verify certificate-id local.cert
    2. Verify the validity of a CA certificate.
      [edit]
      user@host> request security pki ca-certificate verify ca-profile ca-profile-ipsec

      Note: The associated private key and the signature are also verified.
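
    The prerequisites from the Overview together with the two checks above, as an added example that is not part of the original page. It contrasts a CA profile that skips revocation checking with one that enables it; the ca-identity value, the name-server address, and the CRL URL are constructed placeholders.

```junos
# Added example. ca-profile-ipsec and local.cert are the names used on this page;
# example-ca, 192.0.2.53 and the crl.example.net URL are constructed placeholders.

# Weak: with revocation checking disabled in the CA profile, the CRL step
# described in the Overview is skipped, so a revoked certificate is not detected.
[edit]
user@host# set security pki ca-profile ca-profile-ipsec revocation-check disable

# Corrected: enable CRL checking and give the device a resolver so it can
# resolve and reach the host that serves the CRL.
[edit]
user@host# delete security pki ca-profile ca-profile-ipsec revocation-check disable
user@host# set system name-server 192.0.2.53
user@host# set security pki ca-profile ca-profile-ipsec ca-identity example-ca
user@host# set security pki ca-profile ca-profile-ipsec revocation-check crl url http://crl.example.net/example-ca.crl
user@host# commit

# Operational mode: verify the CA certificate first, then the local certificate,
# then confirm that a CRL is loaded for the profile.
user@host> request security pki ca-certificate verify ca-profile ca-profile-ipsec
user@host> request security pki local-certificate verify certificate-id local.cert
user@host> show security pki crl ca-profile ca-profile-ipsec detail
```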

    Verification

    To verify the configuration is working properly, enter the show security pki ca-profile command.

    Note: If an error is returned instead of a positive verification, the failure is logged in pkid.

    Published: 2012-06-29