SSL forward proxy ensures secure transmission of data between a client and a server. Before establishing a secure connection, SSL forward proxy checks certificate authority (CA) certificates to verify signatures on server certificates. For this reason, a reasonable list of trusted CA certificates is required to effectively authenticate servers.
Table 320 describes the fields on the Trusted Certificate Authority page.
Table 320: Fields on Trusted Certificate Authority Page
Field | Description |
---|---|
CA Profile | Displays the name of the CA profile. |
Certificate ID | Displays the CA certificate ID. |
Issuer Org | Displays the issuer organizational name. |
Status | Displays the status of the CA certificate. For example: |
Expiration Date | Displays CA certificate expiration date. |
Encryption Type | Displays whether the algorithm of the certificate is RSA, DSA, or ECDSA encryption. |
You can perform the following tasks:
Generate default trusted CAs. See Generate Default Trusted CAs.
Enroll a CA certificate using the Simple Certificate Enrollment Protocol (SCEP) or Certificate Management Protocol version 2 (CMPv2). With SCEP or CMPv2, you can configure a Juniper Networks device to obtain a local certificate online and start the online enrollment for the specified certificate ID. See Enroll CA Certificate.
Import a CA certificate to manually load CA certificates and CRL. See Import CA Certificate.
Add a CA profile. See Add a CA Profile.
Edit a CA profile. See Edit a CA Profile.
Delete a CA profile. See Delete CA Profile.
Search for text in a Trusted Certificate Authority table. See Search Text in Trusted Certificate Authority Table.
Filter the trusted CA information based on selected criteria. To do this, select the filter icon at the top right-hand corner of the table. The columns in the grid change to accept filter options. Type the filter options; the table then displays only the rows that match the filtering criteria.
Show or hide columns in the trusted CA table. To do this, use the Show Hide Columns icon in the top right corner of the page, then select the columns you want to show and deselect the columns you want to hide.
For SSL forward proxy, you need to load trusted CA certificates on your system. By default, Junos OS provides a list of trusted CA certificates that includes the default certificates used by common browsers. To generate the default trusted CA profiles (with the default name Local), click Generate Default Trusted CAs and then click Continue. This process may take several minutes.
To enroll a trusted CA group:
The Enroll CA Certificate page appears.
Table 321: Fields on the Enroll CA Certificate Page
Field | Action |
---|---|
CA Profile Name | Select a CA profile name from the list that you want to enroll. |
Protocol | Select a protocol from the list for the CA certificate that you want to enroll. |
Note: The following fields are available only if you select CMPv2 protocol. All the fields are mandatory. | |
CA Secret | Enter the out-of-band secret value received from the CA server. |
CA Reference | Enter the out-of-band reference value received from the CA server. |
CA Dn | Enter the distinguished name (DN) of the CA enrolling the EE certificate. Note: This parameter is optional if the CA certificate is already enrolled, because the subject DN is then extracted from the CA certificate; it is mandatory if the CA certificate is not yet enrolled. |
Certificate Details | Click Add to generate a new certificate inline. |
To import a CA certificate:
The Import CA Certificate page appears.
You are taken to the Trusted Certificate Authority page. If the CA certificate content that you imported is validated successfully, a confirmation message is displayed; if not, an error message is displayed.
Table 322: Fields on the Import CA Certificate Page
Field | Action |
---|---|
CA Profile Name | Select a CA profile name from the list that you want to import. |
File path for CA Certificate | Click Browse to navigate to the path from where you want to import the CA certificate. |
File path for CRL | Click Browse to navigate to the path from where you want to import the Certificate Revocation List (CRL). |
To add a CA group:
The Add CA Profile page appears.
If you click OK, a new CA profile with the provided configuration is created.
Table 323: Fields on the Add CA Profile Page
Field | Action |
---|---|
Profile Details | |
CA Profile Name | Enter a unique CA profile name. |
CA Identity | Enter a CA identity name. |
Revocation Check | Select an option from the list: |
URL | For OCSP, enter HTTP addresses for OCSP responders. For CRL, enter the name of the location from which to retrieve the CRL through HTTP or Lightweight Directory Access Protocol (LDAP). |
On Connection Failure | Enable this option to skip the revocation check if the OCSP responder is not reachable. Note: This option is applicable only for OCSP. |
Disable Responder Revocation Check | Enable this option to disable revocation check for the CA certificate received in an OCSP response. Note: This option is applicable only for OCSP. |
Accept Unknown Status | When set to enable, accepts the certificate with unknown status. Note: This option is applicable only for OCSP. |
Nonce Payload | Disable the option—Explicitly disable the sending of a nonce payload. Enable the option—Enable the sending of a nonce payload. This is the default. Note: This option is applicable only for OCSP. |
CRL Refresh Interval | Enter the time interval (in hours) between CRL updates. Range: 0 through 8784 hours. Note: This option is applicable only for CRL. |
Password | Enter the password for authentication with the server. |
Disable on Download Failure | Enable this option to override the default behavior and permit certificate verification even if the CRL fails to download. Note: This option is applicable only for CRL. |
Enrollment | |
CA Certificate | Select an option whether you want to enroll the CA certificate manually or automatically. |
File path for Certificate | Click Browse to navigate to the path from where you want to enroll the CA certificate. |
URL | Enter the URL from where you want to enroll the CA certificate automatically. |
Retry | Number of enrollment retry attempts before aborting. Range: 0 - 1080. |
Retry-interval | Interval in seconds between the enrollment retries. Range: 0 - 3600. |
Advanced | |
Administrator | Enter an administrator e-mail address to which the certificate request is sent. |
Source Address | Enter a source IPv4 or IPv6 address to be used instead of the IP address of the egress interface for communications with external servers. |
Auto Re Enrollment | Enable this option to request that the issuing CA replace a certificate before its specified expiration date. |
Re Generate Key Pair | Enable this option to automatically generate a new key pair when auto-reenrolling a device certificate. |
Protocol | Select an option from the list: Simple Certificate Enrollment Protocol (SCEP) or Certificate Management Protocol version 2 (CMPv2). |
Challenge Password | Enter the challenge password used by the certificate authority (CA) for certificate enrollment and revocation. This challenge password must be the same used when the certificate was originally configured. |
Trigger Time | Enter the percentage for the reenroll trigger time before expiration. Range: 1 through 99 percent |
Digest | Select an option from the list: None, SHA-1 digest (default), or MD5-digest. Note: This option is applicable only when you select SCEP protocol. |
Encryption | Select an option from the list: None, DES, DES 3. Note: This option is applicable only when you select SCEP protocol. |
Routing Instance | Select an option from the list of configured routing instances. |
Proxy Profile | Select a proxy profile from the list, or create a new proxy profile inline. |
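The revocation-check options in Table 323 decide whether a server certificate is still accepted when its revocation status cannot be determined (OCSP responder unreachable, OCSP status "unknown", CRL download failed). The following Python model is added here as an illustration and is not Junos code: the decision rules are one reading of the field descriptions above, and the profile and lookup names are constructed. It makes the fail-open combinations explicit so a profile can be audited before SSL forward proxy relies on it.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List

class Method(Enum):
    NONE = "none"
    CRL = "crl"
    OCSP = "ocsp"

class Lookup(Enum):
    GOOD = "good"                # responder or CRL says: not revoked
    REVOKED = "revoked"
    UNKNOWN = "unknown"          # OCSP responder returned status "unknown"
    UNREACHABLE = "unreachable"  # OCSP responder down, or CRL download failed

@dataclass
class CAProfile:
    # Field names follow the Add CA Profile page; the semantics modelled here are an assumption.
    name: str
    revocation_check: Method
    on_connection_failure: bool = False        # skip check if OCSP responder unreachable
    accept_unknown_status: bool = False        # accept OCSP "unknown" status
    disable_on_download_failure: bool = False  # verify even if the CRL fails to download

def accept_certificate(profile: CAProfile, lookup: Lookup) -> bool:
    """Decide whether a server certificate passes the profile's revocation check."""
    if profile.revocation_check is Method.NONE:
        return True                              # no revocation check at all
    if lookup is Lookup.REVOKED:
        return False                             # a revoked certificate is never accepted
    if lookup is Lookup.GOOD:
        return True
    if profile.revocation_check is Method.OCSP:
        if lookup is Lookup.UNKNOWN:
            return profile.accept_unknown_status
        return profile.on_connection_failure     # responder unreachable
    if lookup is Lookup.UNREACHABLE:             # CRL could not be downloaded
        return profile.disable_on_download_failure
    return False                                 # a CRL gives no "unknown" answer

def fail_open_settings(profile: CAProfile) -> List[str]:
    """Names of the options that let a certificate through with undetermined status."""
    if profile.revocation_check is Method.NONE:
        return ["Revocation Check: none"]
    flags = [("On Connection Failure", profile.on_connection_failure),
             ("Accept Unknown Status", profile.accept_unknown_status)]
    if profile.revocation_check is Method.CRL:
        flags = [("Disable on Download Failure", profile.disable_on_download_failure)]
    return [name for name, enabled in flags if enabled]
```

A profile for which fail_open_settings() returns an empty list fails closed: a certificate whose status cannot be determined is rejected.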
To edit a CA profile:
See Table 323 for the options available for editing on the Edit CA Profile page.
Note: When you select a CA profile to edit, you cannot edit the following fields:
CA Profile Name
Revocation Check
Enrollment > CA Certificate
Advanced > Auto Re Enrollment
Advanced > Protocol
To delete a CA profile:
A confirmation window appears.
You can use the search icon in the top right corner of a page to search for text containing letters and special characters on that page.
To search for text:
The search results are displayed.