Monitoring Digital Certificates and Public Keys

Use the following show commands to display information about IKE certificates, IKE configurations, CRLs, public keys, and peer public keys.

show ipsec ca identity

• Use to display information about IKE CA identities used by the router for online digital certificate configuration. You can display information for a specific CA or for all CAs configured on the router.
• Field descriptions
  • CA—Certificate authority that the router uses to generate certificate requests
  • enrollment url—URL of the SCEP server where the router sends certificate requests
  • issuer id—Name of the CA issuer providing the digital certificates
  • retry period—Number of minutes that the router waits after receiving no response from the CA before resending a certificate request
  • retry limit—Number of minutes during which the router continues to send a certificate request to the CA
  • crl setting—Setting that controls how the router checks the certificate revocation lists
  • proxy url—HTTP proxy server used to retrieve the root CA certificate, if any
• Example

  host1#show ipsec ca identity mysecureca1
  
  

  CA: mysecureca1 parameters:
  enrollment url:http://192.168.10.124/scepurl
  issuer id     :BetaSecurityCorp
  retry period  :1
  retry limit   :60
  crl setting   :optional
  proxy url     :

• See show ipsec ca identity.

show ipsec certificates

show ike certificates

Note: The show ike certificates command has been replaced by the show ipsec certificates command and may be removed completely in a future release.

• Use to display the IKE certificates and CRLs on the router. Specify the type of certificate you want to display:
  • all—All certificates configured on the router
  • crl—Certificate revocation lists
  • peer—Peer certificates
  • public-certs—Public certificates
  • root-cas—Root CA certificates
• Use the hex-format keyword to display certificate data, such as serial numbers, in hexadecimal format. Doing so allows easier comparison with CAs, such as Microsoft, that display certificates in hexadecimal format.
• Field descriptions
  • Ca identity—Certificate authority that the router uses to generate certificate requests
  • SubjectName—Distinguished name for the certificate
  • IssuerName—Organization that signed and issued the certificate
  • SerialNumber—Unique serial number assigned to the certificate by the CA
  • SignatureAlgorithm—Algorithm used for the digital signature
  • Validity—Beginning and ending period during which the certificate is valid
  • PublicKeyInfo—Information about the public key
  • Extensions—Fields that provide additional information for the certificate
  • Fingerprints—Unique hash of the certificate, which can be used to verify that the certificate is valid
• Example 1

  host1#show ipsec certificates public-certs
  
  

  ---------- Public Certificates: ----------

  Ca Identity:[trustedca1]Certificate =
    SubjectName = <C=us, O=junipernetworks, CN=jim>
    IssuerName = <C=CA, ST=ON, L=Kanata, O=BetaSecurityCorp, OU=VT Group, CN=VT Root CA>
    SerialNumber= 84483276204047383658902
    SignatureAlgorithm = rsa-pkcs1-sha1
    Validity =
      NotBefore = 2003 Oct 21st, 16:14:42 GMT
      NotAfter  = 2004 Oct 21st, 16:24:42 GMT
    PublicKeyInfo =
      PublicKey =
        Algorithm name (SSH) : if-modn{sign{rsa-pkcs1-md5}}
        Modulus n  (1024 bits) :
          13409127965307061503054050053800642488356537668078160605242622661311625
          19876607806686846822070359658649546374128540876213416858514288030584124
          05896520823533525098960335493944208019747261524241389345208872551265097
          58542773588125824612424422877870700028956172284401073039192457619002485
          5366053321117704284702619
        Exponent e (  17 bits) :
          65537
    Extensions =
      Available = authority key identifier, subject key identifier, key usage,
        subject alternative name, authority information access, CRL distribution
        points
      SubjectAlternativeNames =
        Following names detected =
          DNS (domain name server name)
        Viewing specific name types =
          DNS = host1.kanata.junipernetworks.com
      KeyUsage = DigitalSignature
      CRLDistributionPoints =
        % Entry 1
        FullName =
          Following names detected =
            URI (uniform resource indicator)
          Viewing specific name types =
            URI = http://vtsca1/CertEnroll/VTS%20Root%20CA.crl
        % Entry 2
        FullName =
          Following names detected =
            URI (uniform resource indicator)
          Viewing specific name types =
          No names of type IP, DNS, URI, EMAIL, RID, UPN or DN detected.
      AuthorityKeyID =
        KeyID =
          15:0a:17:4d:36:b6:49:96:fa:d5:be:df:51:3e:e4:90:51:a2:c0:95
        AuthorityCertificateIssuer =
          Following names detected =
            DN (directory name)
          Viewing specific name types =
          No names of type IP, DNS, URI, EMAIL, RID, UPN or DN detected.
        AuthorityCertificateSerialNumber = 79592882508437425959858112994892506178
      SubjectKeyID =
        KeyId =
          78:e0:3e:f7:24:65:2d:4b:01:d4:91:f9:66:c7:67:26:06:74:6c:5c
      AuthorityInfoAccess =
        AccessMethod = 1.3.6.1.5.5.7.48.2
        AccessLocation =
          Following names detected =
            URI (uniform resource indicator)
          Viewing specific name types =
          No names of type IP, DNS, URI, EMAIL, RID, UPN or DN detected.
        AccessMethod = 1.3.6.1.5.5.7.48.2
        AccessLocation =
          Following names detected =
            URI (uniform resource indicator)
          Viewing specific name types =
          No names of type IP, DNS, URI, EMAIL, RID, UPN or DN detected.
    Fingerprints =
      MD5 = c4:c9:22:b6:19:07:4e:4f:ee:81:7a:9f:cb:f9:1f:7e
      SHA-1 = 58:ba:fb:0d:68:61:42:2a:52:7e:19:82:77:a4:55:4c:25:8c:c5:60

• Example 2

  host1# show ipsec certificates root-cas
  show ipsec certificates root-cas---------- Root CAs: ----------
  Ca Identity:[trustedca1]Certificate =
    SubjectName = <C=CA, ST=ON, L=Kanata, O=Juniper Networks, OU=VTS Group, CN=VTS Root CA>
    IssuerName = <C=CA, ST=ON, L=Kanata, O=BetaSecurityCorp, OU=VT Group, CN=VT Root CA>
    SerialNumber= 79592882508437425959858112994892506178
    SignatureAlgorithm = rsa-pkcs1-sha1
    Certificate seems to be self-signed.
        * Signature verification success.
    Validity =
      NotBefore = 2003 Mar 26th, 15:50:53 GMT
      NotAfter  = 2006 Mar 26th, 15:59:59 GMT
    PublicKeyInfo =
      PublicKey =
        Algorithm name (SSH) : if-modn{sign{rsa-pkcs1-md5}}
        Modulus n  (1024 bits) :
          14424807498766001201060433525671934401816213246866823722650117007030500
          12414152472800629737773845549310833804653975288246486381759003010224672
          53370575541853958272072875412915858260834056069053966369912244336288229
          09443381900005615652631560044304863856421739848326865877661787314144447
          8276502323232108941157077
        Exponent e (  17 bits) :
          65537
    Extensions =
      Available = subject key identifier, key usage, basic constraints(critical),
  CRL distribution points, unknown
  KeyUsage = DigitalSignature NonRepudiation KeyCertSign CRLSign
  BasicConstraints =
  cA         = TRUE
  [critical]
  CRLDistributionPoints =
  % Entry 1
  FullName =
  Following names detected =
  URI (uniform resource indicator)
  Viewing specific name types =
  URI = http://vtsca1/CertEnroll/VTS%20Root%20CA.crl
  % Entry 2
  FullName =
  Following names detected =
  URI (uniform resource indicator)
  Viewing specific name types =
  No names of type IP, DNS, URI, EMAIL, RID, UPN or DN detected.
  SubjectKeyID =
  KeyId =
  15:0a:17:4d:36:b6:49:96:fa:d5:be:df:51:3e:e4:90:51:a2:c0:95
  Unknown 1.3.6.1.4.1.311.21.1 =
  02:01:00                                           ...
  Fingerprints =
  MD5 = 8c:56:fb:a6:bd:ab:13:67:e6:13:09:c1:d0:de:1f:24
  SHA-1 = 22:3d:84:6d:d4:5f:18:87:ae:2c:15:7d:2a:94:20:ff:c6:12:fb:6f
  

• See show ike certificates.
• See show ipsec certificates.

show ipsec identity

show ike identity

Note: The show ike identity command has been replaced by the show ipsec identity command and may be removed completely in a future release.

• Use to display the IKE identity configuration.
• Field descriptions
  • Domain Name—Domain name the router uses in IKE authentication messages and to generate certificate requests
  • Common Name—Common name used to generate certificates
  • Organization—Name of the organization used in the Subject Name field of certificates
  • Country—Country used to generate certificates
• Example

  host1#show ipsec identity
  
  

  Ike identity:
          Domain Name :myerx.kanata.junipernetworks.com
          Common Name :jim
          Organization:junipernetworks
          Country     :ca

• See show ipsec identity.
• See show ike identity.

show ipsec ike-configuration

show ike configuration

Note: The show ike configuration command has been replaced by the show ipsec ike-configuration command and may be removed completely in a future release.

• Use to display a summary of the IKE configuration.
• Field descriptions
  • Ike identity—Information from your IKE identify configuration that the router uses to generate certificate requests
  • CRL Check—Setting of the CRL check: optional, required, ignored
• Example

  host1#show ipsec ike-configuration
  
  

  Ike configuration:
  Ike identity:
          Domain Name :treverxsys2.juniper.net
          Common Name :Sys2 ERX
          Organization:Juniper Networks
          Country     :CA
  CRL Check:optional

• See show ipsec ike-configuration.
• See show ike configuration.

show ipsec key mypubkey rsa

• Use to display the 1024-bit or 2048-bit RSA public key configured on the router.
• The public key is generated as part of a public/private key pair used to perform RSA authentication during ISAKMP/IKE SA negotiations.
• For information about the format of an RSA public key, see Public Key Format .
• Example

  host1#show ipsec key mypubkey rsa
   30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 009cfbde
   a16cf72c 49fbd3c1 10d5d9d4 8ba15ec0 9adcb19e 18d488f8 e0370c51 2d10e751
   ddd81be4 dfc78aad 9deb797f b2c51172 18967cfb e18f6efa 69285fef 10337527
   78ca6bbc 907abb9e 44b12713 ab70cb0e a86d9c6c 80c99bd1 e2bf6b70 91222295
   616a88bb cc479e15 be04f3a5 a6160645 844598c3 314b66af 3a8b7602 ed020301
   0001

• See show ipsec key mypubkey rsa.

show ipsec key pubkey-chain rsa

• Use to display a 1024-bit or 2048-bit ISAKMP/IKE public key that a remote peer uses for RSA authentication.
• To display a brief summary of the remote peers for which public keys are configured on the router, use the summary keyword.
• To display the public key for a remote peer with a specific IP address, use the address keyword followed by the IP address, in 32-bit dotted decimal format.
• To display the public key for a remote peer with a specific identity, use the name keyword followed by either:
  • The fully qualified domain name (FQDN)
  • The FQDN preceded by an optional user@ specification; this is also referred to as user FQDN format
• The FQDN and user FQDN identifiers are case-sensitive and must exactly match the identifier specified in the ipsec key pubkey-chain rsa command. For example, a public key for user FQDN mjones@sales.company_abc.com does not match a public key for FQDN sales.company_abc.com.
• For information about the format of an RSA public key, see Public Key Format .
• Field descriptions
  • Remote Peer—IP address, FQDN, or user FQDN identifier of the remote peer for which the peer public key can be used
  • Key Type—Type of remote peer identifier: ip address (if IP address is specified) or identity (if FQDN or user FQDN is specified)
• Example 1—Displays a summary of the remote peers for which peer public keys are configured

  host1#show ipsec key pubkey-chain rsa summary
           Remote Peer               Key Type
  -----------------------------     ----------
  192.168.32.3                      ip address
  grp003.cust535.isp.net            identity
  tsmith@grp003.cust535.isp.net     identity 

• Example 2—Displays the peer public key for a remote peer with the specified IP address

  host1#show ipsec key pubkey-chain rsa address 192.168.32.3
  
  

   30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 0082065f
   841aa03a fadfda9f bf8be05c d2fe3596 abc3e265 0b86b99a df9b4907 29c7a737
   8bf08491 5c96e72d 28471a12 f0735ff4 04d76ad1 3a80f10c 23dcadda b68ce8ec
   5fdfbe58 a52008db 9a11f867 d38d0483 e4abd53c 89a4dc3c 985ea450 f17748c4
   3f04def0 a3cf5d89 b62dfeae 5990641b 370bb113 73105ba7 585a41fc 3b020301
   0001

• Example 3—Displays the peer public key for a remote peer with the specified FQDN identifier

  host1#show ipsec key pubkey-chain rsa name grp003.cust535.isp.net
  
  

  30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
   00c03cc6 0bad55ea b4f8a01f 5cf69de5 f03185e2 1338b5cb fa8418c3 6cbe1a77
   bfefba5b 7a8f0ac2 6e2b223b 11e3c316 a30f7fb0 7bd2ab8a a614bb3d 2fce97bf
   d6376467 0d5d1a16 d630c173 3ed93434 e690f355 00128ffb c36e72fa 46eae49a
   5704eabe 0e34776c 7d243b8b fcb03c75 965c12f4 d68c6e63 33e0207c a985ffff
   2422fb53 23d49dbb f7fd3140 a7f245ee bf629690 9356a29c b149451a 691a2531
   9787ce37 2601bdf9 1434b174 4fd21cf2 48e10f58 9ac89df1 56e360b1 66fb0b3f
   27ad6396 7a491d74 3b8379ea be502979 8f0270b2 6063a474 fadc5f18 f0ca6f7a
   ddea66c7 cf637598 9cdb5087 0480af29 b9c174ab 1b1d033f 67641a8c 5918ddce
   1f020301 0001 

• Example 4—Displays the peer public key for a remote peer with the specified user FQDN identifier

  host1#show ipsec key pubkey-chain rsa name tsmith@grp003.cust535.isp.net
  
  

  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00bcc106
   8694a505 0b92433e 4c27441e 3ad8955d 5628e2ea 5ee34b0c 6f82c4fd 8d5b7b51
   f1a3c94f c4373f9b 70395011 79b4c2fb 639a075b 3d66185f 9cc6cdd1 6df51f74
   cb69c8bb dbb44433 a1faac45 10f52be8 d7f2c8cd ad5172a6 e7f14b1c bba4037b
   29b475c6 ad7305ed 7c460779 351560c6 344ccd1a 35935ea3 da5de228 bd020301
   0001

• See show ipsec key pubkey-chain rsa.

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.