Monitoring Digital Certificates and Public Keys
Use the following show commands to display information about IKE certificates, IKE configurations, CRLs, public keys, and peer public keys.
show ipsec ca identity
- Use to display information about IKE CA identities used by the router for online digital certificate configuration. You can display information for a specific CA or for all CAs configured on the router.
- Field descriptions
- CA—Certificate authority that the router uses to generate certificate requests
- enrollment url—URL of the SCEP server where the router sends certificate requests
- issuer id—Name of the CA issuer providing the digital certificates
- retry period—Number of minutes that the router waits after receiving no response from the CA before resending a certificate request
- retry limit—Number of minutes during which the router continues to send a certificate request to the CA
- crl setting—Setting that controls how the router checks the certificate revocation lists
- proxy url—HTTP proxy server used to retrieve the root CA certificate, if any
host1#show ipsec ca identity mysecureca1
CA: mysecureca1 parameters:
enrollment url:http://192.168.10.124/scepurl
issuer id :BetaSecurityCorp
retry period :1
retry limit :60
crl setting :optional
proxy url :
show ipsec certificates
 |
NOTE: The show ike certificates command has been replaced by the show ipsec certificates command and may be removed completely in a future release. |
- Use to display the IKE certificates and CRLs on the router. Specify the type of certificate you want to display:
- all—All certificates configured on the router
- crl—Certificate revocation lists
- peer—Peer certificates
- public-certs—Public certificates
- root-cas—Root CA certificates
- Use the hex-format keyword to display certificate data, such as serial numbers, in hexadecimal format. Doing so allows easier comparison with CAs, such as Microsoft, that display certificates in hexadecimal format.
- Field descriptions
- Ca identity—Certificate authority that the router uses to generate certificate requests
- SubjectName—Distinguished name for the certificate
- IssuerName—Organization that signed and issued the certificate
- SerialNumber—Unique serial number assigned to the certificate by the CA
- SignatureAlgorithm—Algorithm used for the digital signature
- Validity—Beginning and ending period during which the certificate is valid
- PublicKeyInfo—Information about the public key
- Extensions—Fields that provide additional information for the certificate
- Fingerprints—Unique hash of the certificate, which can be used to verify that the certificate is valid
host1#show ipsec certificates public-certs
---------- Public Certificates: ----------
Ca Identity:[trustedca1]Certificate =
SubjectName = <C=us, O=junipernetworks, CN=jim>
IssuerName = <C=CA, ST=ON, L=Kanata, O=BetaSecurityCorp, OU=VT Group, CN=VT Root CA>
SerialNumber= 84483276204047383658902
SignatureAlgorithm = rsa-pkcs1-sha1
Validity =
NotBefore = 2003 Oct 21st, 16:14:42 GMT
NotAfter = 2004 Oct 21st, 16:24:42 GMT
PublicKeyInfo =
PublicKey =
Algorithm name (SSH) : if-modn{sign{rsa-pkcs1-md5}}
Modulus n (1024 bits) :
13409127965307061503054050053800642488356537668078160605242622661311625
19876607806686846822070359658649546374128540876213416858514288030584124
05896520823533525098960335493944208019747261524241389345208872551265097
58542773588125824612424422877870700028956172284401073039192457619002485
5366053321117704284702619
Exponent e ( 17 bits) :
65537
Extensions =
Available = authority key identifier, subject key identifier, key usage,
subject alternative name, authority information access, CRL distribution
points
SubjectAlternativeNames =
Following names detected =
DNS (domain name server name)
Viewing specific name types =
DNS = host1.kanata.junipernetworks.com
KeyUsage = DigitalSignature
CRLDistributionPoints =
% Entry 1
FullName =
Following names detected =
URI (uniform resource indicator)
Viewing specific name types =
URI = http://vtsca1/CertEnroll/VTS%20Root%20CA.crl
% Entry 2
FullName =
Following names detected =
URI (uniform resource indicator)
Viewing specific name types =
No names of type IP, DNS, URI, EMAIL, RID, UPN or DN detected.
AuthorityKeyID =
KeyID =
15:0a:17:4d:36:b6:49:96:fa:d5:be:df:51:3e:e4:90:51:a2:c0:95
AuthorityCertificateIssuer =
Following names detected =
DN (directory name)
Viewing specific name types =
No names of type IP, DNS, URI, EMAIL, RID, UPN or DN detected.
AuthorityCertificateSerialNumber = 79592882508437425959858112994892506178
SubjectKeyID =
KeyId =
78:e0:3e:f7:24:65:2d:4b:01:d4:91:f9:66:c7:67:26:06:74:6c:5c
AuthorityInfoAccess =
AccessMethod = 1.3.6.1.5.5.7.48.2
AccessLocation =
Following names detected =
URI (uniform resource indicator)
Viewing specific name types =
No names of type IP, DNS, URI, EMAIL, RID, UPN or DN detected.
AccessMethod = 1.3.6.1.5.5.7.48.2
AccessLocation =
Following names detected =
URI (uniform resource indicator)
Viewing specific name types =
No names of type IP, DNS, URI, EMAIL, RID, UPN or DN detected.
Fingerprints =
MD5 = c4:c9:22:b6:19:07:4e:4f:ee:81:7a:9f:cb:f9:1f:7e
SHA-1 = 58:ba:fb:0d:68:61:42:2a:52:7e:19:82:77:a4:55:4c:25:8c:c5:60
host1#show ipsec certificates root-cas
---------- Root CAs: ----------
Ca Identity:[trustedca1]Certificate =
SubjectName = <C=CA, ST=ON, L=Kanata, O=Juniper Networks, OU=VTS Group, CN=VTS Root CA>
IssuerName = <C=CA, ST=ON, L=Kanata, O=BetaSecurityCorp, OU=VT Group, CN=VT Root CA>
SerialNumber= 79592882508437425959858112994892506178
SignatureAlgorithm = rsa-pkcs1-sha1
Certificate seems to be self-signed.
* Signature verification success.
Validity =
NotBefore = 2003 Mar 26th, 15:50:53 GMT
NotAfter = 2006 Mar 26th, 15:59:59 GMT
PublicKeyInfo =
PublicKey =
Algorithm name (SSH) : if-modn{sign{rsa-pkcs1-md5}}
Modulus n (1024 bits) :
14424807498766001201060433525671934401816213246866823722650117007030500
12414152472800629737773845549310833804653975288246486381759003010224672
53370575541853958272072875412915858260834056069053966369912244336288229
09443381900005615652631560044304863856421739848326865877661787314144447
8276502323232108941157077
Exponent e ( 17 bits) :
65537
Extensions =
Available = subject key identifier, key usage, basic constraints(critical),
CRL distribution points, unknown
KeyUsage = DigitalSignature NonRepudiation KeyCertSign CRLSign
BasicConstraints =
cA = TRUE
[critical]
CRLDistributionPoints =
% Entry 1
FullName =
Following names detected =
URI (uniform resource indicator)
Viewing specific name types =
URI = http://vtsca1/CertEnroll/VTS%20Root%20CA.crl
% Entry 2
FullName =
Following names detected =
URI (uniform resource indicator)
Viewing specific name types =
No names of type IP, DNS, URI, EMAIL, RID, UPN or DN detected.
SubjectKeyID =
KeyId =
15:0a:17:4d:36:b6:49:96:fa:d5:be:df:51:3e:e4:90:51:a2:c0:95
Unknown 1.3.6.1.4.1.311.21.1 =
02:01:00 ...
Fingerprints =
MD5 = 8c:56:fb:a6:bd:ab:13:67:e6:13:09:c1:d0:de:1f:24
SHA-1 = 22:3d:84:6d:d4:5f:18:87:ae:2c:15:7d:2a:94:20:ff:c6:12:fb:6f
show ipsec identity
|
NOTE: The show ike identity command has been replaced by the show ipsec identity command and may be removed completely in a future release. |
- Domain Name—Domain name the router uses in IKE authentication messages and to generate certificate requests
- Common Name—Common name used to generate certificates
- Organization—Name of the organization used in the Subject Name field of certificates
- Country—Country used to generate certificates
host1#show ipsec identity
Ike identity:
Domain Name :myerx.kanata.junipernetworks.com
Common Name :jim
Organization:junipernetworks
Country :ca
show ipsec ike-configuration
|
NOTE: The show ike configuration command has been replaced by the show ipsec ike-configuration command and may be removed completely in a future release. |
- Ike identity—Information from your IKE identify configuration that the router uses to generate certificate requests
- CRL Check—Setting of the CRL check: optional, required, ignored
host1#show ipsec ike-configuration
Ike configuration:
Ike identity:
Domain Name :treverxsys2.juniper.net
Common Name :Sys2 ERX
Organization:Juniper Networks
Country :CA
CRL Check:optional
show ipsec key mypubkey rsa
- Use to display the 1024-bit or 2048-bit RSA public key configured on the router.
- The public key is generated as part of a public/private key pair used to perform RSA authentication during ISAKMP/IKE SA negotiations.
- For information about the format of an RSA public key, see Public Key Format.
- Example
host1#show ipsec key mypubkey rsa
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 009cfbde
a16cf72c 49fbd3c1 10d5d9d4 8ba15ec0 9adcb19e 18d488f8 e0370c51 2d10e751
ddd81be4 dfc78aad 9deb797f b2c51172 18967cfb e18f6efa 69285fef 10337527
78ca6bbc 907abb9e 44b12713 ab70cb0e a86d9c6c 80c99bd1 e2bf6b70 91222295
616a88bb cc479e15 be04f3a5 a6160645 844598c3 314b66af 3a8b7602 ed020301
0001
show ipsec key pubkey-chain rsa
- Use to display a 1024-bit or 2048-bit ISAKMP/IKE public key that a remote peer uses for RSA authentication.
- To display a brief summary of the remote peers for which public keys are configured on the router, use the summary keyword.
- To display the public key for a remote peer with a specific IP address, use the address keyword followed by the IP address, in 32-bit dotted decimal format.
- To display the public key for a remote peer with a specific identity, use the name keyword followed by either:
- The fully qualified domain name (FQDN)
- The FQDN preceded by an optional user@ specification; this is also referred to as user FQDN format
- The FQDN and user FQDN identifiers are case-sensitive and must exactly match the identifier specified in the ipsec key pubkey-chain rsa command. For example, a public key for user FQDN mjones@sales.company_abc.com does not match a public key for FQDN sales.company_abc.com.
- For information about the format of an RSA public key, see Public Key Format.
- Field descriptions
- Remote Peer—IP address, FQDN, or user FQDN identifier of the remote peer for which the peer public key can be used
- Key Type—Type of remote peer identifier: ip address (if IP address is specified) or identity (if FQDN or user FQDN is specified)
host1#show ipsec key pubkey-chain rsa summary
Remote Peer Key Type
----------------------------- ----------
192.168.32.3 ip address
grp003.cust535.isp.net identity
tsmith@grp003.cust535.isp.net identity
host1#show ipsec key pubkey-chain rsa address 192.168.32.3
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 0082065f
841aa03a fadfda9f bf8be05c d2fe3596 abc3e265 0b86b99a df9b4907 29c7a737
8bf08491 5c96e72d 28471a12 f0735ff4 04d76ad1 3a80f10c 23dcadda b68ce8ec
5fdfbe58 a52008db 9a11f867 d38d0483 e4abd53c 89a4dc3c 985ea450 f17748c4
3f04def0 a3cf5d89 b62dfeae 5990641b 370bb113 73105ba7 585a41fc 3b020301
0001
host1#show ipsec key pubkey-chain rsa name grp003.cust535.isp.net
30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
00c03cc6 0bad55ea b4f8a01f 5cf69de5 f03185e2 1338b5cb fa8418c3 6cbe1a77
bfefba5b 7a8f0ac2 6e2b223b 11e3c316 a30f7fb0 7bd2ab8a a614bb3d 2fce97bf
d6376467 0d5d1a16 d630c173 3ed93434 e690f355 00128ffb c36e72fa 46eae49a
5704eabe 0e34776c 7d243b8b fcb03c75 965c12f4 d68c6e63 33e0207c a985ffff
2422fb53 23d49dbb f7fd3140 a7f245ee bf629690 9356a29c b149451a 691a2531
9787ce37 2601bdf9 1434b174 4fd21cf2 48e10f58 9ac89df1 56e360b1 66fb0b3f
27ad6396 7a491d74 3b8379ea be502979 8f0270b2 6063a474 fadc5f18 f0ca6f7a
ddea66c7 cf637598 9cdb5087 0480af29 b9c174ab 1b1d033f 67641a8c 5918ddce
1f020301 0001
host1#show ipsec key pubkey-chain rsa name tsmith@grp003.cust535.isp.net
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00bcc106
8694a505 0b92433e 4c27441e 3ad8955d 5628e2ea 5ee34b0c 6f82c4fd 8d5b7b51
f1a3c94f c4373f9b 70395011 79b4c2fb 639a075b 3d66185f 9cc6cdd1 6df51f74
cb69c8bb dbb44433 a1faac45 10f52be8 d7f2c8cd ad5172a6 e7f14b1c bba4037b
29b475c6 ad7305ed 7c460779 351560c6 344ccd1a 35935ea3 da5de228 bd020301
0001