Manage Trusted Certificate Authority

About Trusted Certificate Authority Page

You are here: Administration > Certificate Management > Trusted Certificate Authority.

SSL forward proxy sits between a client and a server: it terminates the client's TLS session and opens its own TLS session to the server. Before establishing the server-side connection, SSL forward proxy validates the server certificate by checking its signature chain against the certificate authority (CA) certificates trusted here. A server is authenticated only if its certificate chains to one of these CAs, so the list must be complete enough for the servers your users legitimately reach, and no broader than that, because every CA on it can vouch for any server name.

Table 320 describes the fields on the Trusted Certificate Authority page.

Table 320: Fields on Trusted Certificate Authority Page

CA Profile
    Displays the name of the CA profile.

Certificate ID
    Displays the CA certificate ID.

Issuer Org
    Displays the issuer organization name.

Status
    Displays the status of the CA certificate. For example:
      • Valid.
      • Expires in number of day(s).
      • Expired.
      • Download Required. This status is for a CA profile with manual enrollment.
      • Enrollment Required. This status is for a CA profile with automatic enrollment.

Expiration Date
    Displays the CA certificate expiration date.

Encryption Type
    Displays the public-key algorithm of the CA certificate: RSA, DSA, or ECDSA. Despite the column name, this is the key type the CA uses to sign certificates, not an encryption setting; DSA and ECDSA are signature-only algorithms.
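The Status and Encryption Type columns above are derived from the CA certificate itself. The following shell script is an added example, not part of the Junos documentation or of Junos OS; it recomputes both values for a PEM certificate file with the openssl command-line tool, using two locally generated self-signed CA certificates as constructed sample input (the working directory, profile names and the 30-day "Expires in" window are assumptions of the example).

```shell
#!/bin/sh
# Added example (not from the Junos documentation): derive the Status and
# Encryption Type values shown on the Trusted Certificate Authority page from
# a PEM CA certificate with openssl. The two CA certificates generated below are
# constructed sample input; names and paths are assumptions of this example.
set -eu

WORK="${TMPDIR:-/tmp}/tca-status.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal req configuration so the script does not depend on the system
# openssl.cnf; the subject is always supplied with -subj.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
EOF

# make_ca NAME DAYS ALGO: write a self-signed CA certificate $WORK/NAME.pem
# valid for DAYS days with an RSA-2048 or ECDSA P-256 key.
make_ca() {
  case "$3" in
    rsa)   keyopt="-newkey rsa:2048" ;;
    ecdsa) keyopt="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1" ;;
    *)     echo "unsupported key algorithm: $3" >&2; return 1 ;;
  esac
  # $keyopt is deliberately unquoted so it expands to several arguments.
  openssl req -config "$WORK/req.cnf" -x509 -nodes -sha256 -days "$2" \
    -subj "/O=Example Corp/CN=$1" $keyopt \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# ca_status NAME: print Valid, "Expires in N day(s)" (N <= 30) or Expired.
# `openssl x509 -checkend S` exits non-zero when the certificate expires
# within S seconds, so notAfter never has to be parsed by hand.
ca_status() {
  cert="$WORK/$1.pem"
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "Expired"
    return 0
  fi
  d=1
  while [ "$d" -le 30 ]; do
    if ! openssl x509 -in "$cert" -noout -checkend $((d * 86400)) >/dev/null 2>&1; then
      echo "Expires in $d day(s)"
      return 0
    fi
    d=$((d + 1))
  done
  echo "Valid"
}

# ca_key_algo NAME: print RSA, DSA or ECDSA (the Encryption Type column),
# taken from the SubjectPublicKeyInfo algorithm in the certificate text dump.
ca_key_algo() {
  algo=$(openssl x509 -in "$WORK/$1.pem" -noout -text |
    sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
  case "$algo" in
    rsaEncryption)  echo RSA ;;
    dsaEncryption)  echo DSA ;;
    id-ecPublicKey) echo ECDSA ;;
    *)              echo "unknown ($algo)" ;;
  esac
}

make_ca long-lived 3650 rsa
make_ca expiring-soon 10 ecdsa
for name in long-lived expiring-soon; do
  printf '%-14s %-22s %s\n' "$name" "$(ca_status "$name")" "$(ca_key_algo "$name")"
done
```

The page does not say at which point the device switches from Valid to a day countdown; the 30-day threshold in ca_status is this example's choice. Pointing the two functions at an exported CA certificate before importing it into a profile catches an already expired or about-to-expire CA early.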

You can perform the following tasks:

Generate Default Trusted CAs

For SSL forward proxy, trusted CA certificates must be loaded on the device. Junos OS provides a default list of trusted CA certificates that matches the root certificates shipped with common browsers. To generate the default trusted CA profiles (created with the default name Local), click Generate Default Trusted CAs and then click Continue. This process may take several minutes. Review the generated list afterwards and delete the profiles of CAs your environment does not need: every CA that remains can authenticate any server to the proxy.

Enroll CA Certificate

Procedure

To enroll a CA certificate:

  1. Select Administration > Certificate Management > Trusted Certificate Authority.
  2. Click Enroll.

    The Enroll CA Certificate page appears.

  3. Complete the configuration according to the guidelines provided in Table 321.
  4. Click OK to enroll the CA certificate.

Table 321: Fields on the Enroll CA Certificate Page

CA Profile Name
    Select the CA profile that you want to enroll from the list.

Protocol
    Select the enrollment protocol for the CA certificate:
      • SCEP—Simple Certificate Enrollment Protocol (SCEP)
      • CMPV2—Certificate Management Protocol version 2 (CMPv2)

Note: The following fields are available only if you select the CMPv2 protocol. All of them are mandatory, except that CA Dn is conditional as described below.

CA Secret
    Enter the out-of-band secret value received from the CA server.

CA Reference
    Enter the out-of-band reference value received from the CA server.

CA Dn
    Enter the distinguished name (DN) of the CA that enrolls the end-entity (EE) certificate.
    Note: This parameter is mandatory if the CA certificate is not already enrolled. If the CA certificate is already enrolled, the subject DN is extracted from the CA certificate and the field can be left empty.

Certificate Details
    Click Add to generate a new certificate inline.

Import CA Certificate

Procedure

To import a CA certificate:

  1. Select Administration > Certificate Management > Trusted Certificate Authority.
  2. Click Import.

    The Import CA Certificate page appears.

  3. Complete the configuration according to the guidelines provided in Table 322.
  4. Click OK to import the CA certificate.

    You are taken to the Trusted Certificate Authority page. If the CA certificate content that you imported is validated successfully, a confirmation message is displayed; if not, an error message is displayed.

Table 322: Fields on the Import CA Certificate Page

CA Profile Name
    Select the CA profile into which you want to import the certificate from the list.

File path for CA Certificate
    Click Browse to navigate to the CA certificate file that you want to import.

File path for CRL
    Click Browse to navigate to the Certificate Revocation List (CRL) file that you want to import. The CRL must be issued and signed by the CA whose certificate belongs to this profile; a CRL from another issuer cannot be used to check certificates chained to it.

Add a CA Profile

Procedure

To add a CA profile:

  1. Select Administration > Certificate Management > Trusted Certificate Authority.
  2. Click the add icon (+).

    The Add CA Profile page appears.

  3. Complete the configuration according to the guidelines provided in Table 323.
  4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.

    If you click OK, a new CA profile with the provided configuration is created.

Table 323: Fields on the Add CA Profile Page

Profile Details

CA Profile Name
    Enter a unique CA profile name.

CA Identity
    Enter a CA identity name.

Revocation Check
    Select an option from the list:
      • Disable—Disables verification of the revocation status of digital certificates. A revoked certificate that chains to this CA is then still accepted.
      • OCSP—Online Certificate Status Protocol (OCSP) queries a responder for the revocation status of a certificate at verification time.
      • CRL—A CRL is a time-stamped list of revoked certificates, signed by the CA and published at regular intervals; the device downloads it and checks certificates against it.

URL
    For OCSP, enter the HTTP addresses of the OCSP responders.
    For CRL, enter the location from which to retrieve the CRL through HTTP or Lightweight Directory Access Protocol (LDAP).

On Connection Failure
    Enable this option to skip the revocation check if the OCSP responder is not reachable. This is a fail-open setting: a certificate whose status could not be obtained is accepted.
    Note: This option is applicable only for OCSP.

Disable Responder Revocation Check
    Enable this option to disable the revocation check for the CA certificate received in an OCSP response.
    Note: This option is applicable only for OCSP.

Accept Unknown Status
    When enabled, accepts a certificate for which the OCSP responder returns an unknown status.
    Note: This option is applicable only for OCSP.

Nonce Payload
    Disable the option—Explicitly disable the sending of a nonce payload.
    Enable the option—Enable the sending of a nonce payload. This is the default; the nonce ties a response to the request and protects against replayed OCSP responses.
    Note: This option is applicable only for OCSP.

CRL Refresh Interval
    Enter the time interval (in hours) between CRL updates.
    Range: 0 through 8784 hours.
    Note: This option is applicable only for CRL.

Password
    Enter the password for authentication with the server.

Disable on Download Failure
    Enable this option to override the default behavior and permit certificate verification even if the CRL fails to download. This is a fail-open setting: by default, certificates cannot be verified while the CRL is unavailable.
    Note: This option is applicable only for CRL.

Enrollment

CA Certificate
    Select whether you want to enroll the CA certificate manually or automatically.

File path for Certificate
    Click Browse to navigate to the CA certificate file that you want to enroll (manual enrollment).

URL
    Enter the URL from which you want to enroll the CA certificate automatically.

Retry
    Number of enrollment retry attempts before aborting. Range: 0 through 1080.

Retry-interval
    Interval in seconds between enrollment retries. Range: 0 through 3600.

Advanced

Administrator
    Enter the administrator e-mail address to which the certificate request is sent.

Source Address
    Enter a source IPv4 or IPv6 address to be used instead of the IP address of the egress interface for communications with external servers.

Auto Re Enrollment
    Enable this option to request that the issuing CA replace a certificate before its specified expiration date.

Re Generate Key Pair
    Enable this option to automatically generate a new key pair when auto-reenrolling a device certificate.

Protocol
    Select an option from the list: Simple Certificate Enrollment Protocol (SCEP) or Certificate Management Protocol version 2 (CMPv2).

Challenge Password
    Enter the challenge password used by the certificate authority (CA) for certificate enrollment and revocation. This challenge password must be the same as the one used when the certificate was originally configured.

Trigger Time
    Enter the reenrollment trigger time as a percentage of the certificate lifetime before expiration.
    Range: 1 through 99 percent

Digest
    Select an option from the list: None, SHA-1 digest (default), or MD5 digest. MD5 is cryptographically broken and SHA-1 is deprecated for signatures; choose them only where the CA requires them.
    Note: This option is applicable only when you select the SCEP protocol.

Encryption
    Select an option from the list: None, DES, or DES 3 (triple DES). Single DES is obsolete; use it only where the CA requires it.
    Note: This option is applicable only when you select the SCEP protocol.

Routing Instance
    Select an option from the list of configured routing instances.

Proxy Profile
    Select an existing proxy profile from the list, or create one inline:

Procedure

To create a new proxy profile inline:

  1. Click Create.

    The Create Proxy Profile page appears.

  2. Enter the following details:
    • Profile Name—Enter a unique proxy profile name.

    • Connection Type:

      • Server IP—Enter the IP address of the proxy server.

      • Host Name—Enter the host name of the proxy server.

    • Port Number—Select the port number by using the up/down arrows.

      Range: 0 through 65535

  3. Click OK.
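Two of the CRL-related fields are easy to get wrong in practice: File path for CRL on the Import CA Certificate page (Table 322), where the imported CRL has to be signed by the CA of that profile, and Disable on Download Failure in Table 323, which decides what happens when the CRL cannot be fetched. The following shell script is an added example, not part of the Junos documentation or of Junos OS; it reproduces both checks with the openssl command-line tool on locally generated CA, server and CRL material (all file names, CA names and the 7-day CRL lifetime are assumptions of the example).

```shell
#!/bin/sh
# Added example (not from the Junos documentation): the checks behind the CRL
# fields of the Trusted Certificate Authority pages, done with openssl on
# constructed, locally generated material. It shows (1) how to confirm that a
# CRL is signed by the CA whose certificate it is imported with and (2) how a
# revoked server certificate fares when the CRL is available versus when it
# cannot be obtained, the case the "Disable on Download Failure" option decides.
# Every name and path below is an assumption of this example.
set -eu

WORK="${TMPDIR:-/tmp}/tca-crl.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file serves `openssl req` (CA certificate extensions) and
# `openssl ca` (revocation database and CRL signing).
cat > ca.cnf <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = v3_ca
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 7
EOF
: > index.txt
echo 1000 > crlnumber

# Two CAs: "good" issues the server certificate; "other" only signs a CRL that
# stands in for one obtained from the wrong issuer.
for ca in good other; do
  openssl req -config ca.cnf -x509 -nodes -sha256 -newkey rsa:2048 -days 365 \
    -subj "/O=Example Corp/CN=$ca CA" -keyout "$ca.key" -out "$ca.pem" >/dev/null 2>&1
done

# A server certificate issued by the good CA, then revoked and listed in a CRL.
openssl req -config ca.cnf -new -nodes -newkey rsa:2048 -subj "/CN=www.example.test" \
  -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA good.pem -CAkey good.key -CAcreateserial \
  -days 30 -sha256 -out server.pem >/dev/null 2>&1
openssl ca -config ca.cnf -revoke server.pem -cert good.pem -keyfile good.key >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -cert good.pem -keyfile good.key -out good.crl >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -cert other.pem -keyfile other.key -out other.crl >/dev/null 2>&1

# crl_signed_by CRL CA: "ok" if the CRL's signature verifies with the CA's
# certificate, "bad" otherwise. Run this before importing a CRL with a profile.
crl_signed_by() {
  if openssl crl -in "$1" -CAfile "$2" -noout >/dev/null 2>&1; then
    echo ok
  else
    echo bad
  fi
}

# verify_server MODE: verify server.pem against the good CA the way the proxy
# would. "none" skips revocation checking, "crl" checks against good.crl, and
# "no-crl" demands a CRL check while no CRL is available. Prints ok, revoked
# or no-crl.
verify_server() {
  case "$1" in
    none)   out=$(openssl verify -CAfile good.pem server.pem 2>&1 || true) ;;
    crl)    out=$(openssl verify -crl_check -CAfile good.pem -CRLfile good.crl server.pem 2>&1 || true) ;;
    no-crl) out=$(openssl verify -crl_check -CAfile good.pem server.pem 2>&1 || true) ;;
    *)      echo "unknown mode: $1" >&2; return 1 ;;
  esac
  case "$out" in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *": OK"*)                          echo ok ;;
    *)                                 echo "fail: $out" ;;
  esac
}

printf 'good.crl signed by good CA:  %s\n' "$(crl_signed_by good.crl good.pem)"
printf 'other.crl signed by good CA: %s\n' "$(crl_signed_by other.crl good.pem)"
for mode in none crl no-crl; do
  printf 'verify server (%s): %s\n' "$mode" "$(verify_server "$mode")"
done
```

With the CRL present the revoked server certificate is rejected; without it, openssl fails closed ("unable to get certificate CRL"), which is the default behavior that Disable on Download Failure overrides. Enable that option only where an outage of the CRL distribution point is a more acceptable risk than accepting certificates whose revocation status is unknown.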

Edit a CA Profile

Procedure

To edit a CA profile:

  1. Select Administration > Certificate Management > Trusted Certificate Authority.
  2. Select a CA profile.
  3. On the upper right side of the Trusted Certificate Authority page, click the pencil icon.

    See Table 323 for the options available for editing on the Edit CA Profile page.

    Note: When you select a CA profile to edit, you cannot edit the following fields:

    • CA Profile Name

    • Revocation Check

    • Enrollment > CA Certificate

    • Advanced > Auto Re Enrollment

    • Advanced > Protocol

  4. Click OK.

Delete CA Profile

Procedure

To delete a CA profile:

  1. Select Administration > Certificate Management > Trusted Certificate Authority.
  2. Select a CA profile.
  3. On the upper right side of the Trusted Certificate Authority page, click the delete icon to delete.

    A confirmation window appears.

  4. Click Yes to delete.

Search Text in Trusted Certificate Authority Table

You can use the search icon in the top right corner of a page to search for text containing letters and special characters on that page.

Procedure

To search for text:

  1. Enter partial text or full text of the keyword in the search bar and click the search icon.

    The search results are displayed.

  2. Click X next to a search keyword or click Clear All to clear the search results.