Monitoring and Clearing Digital Certificates

You can issue various forms of the show security pki command to view digital certificates and certificate requests and certificate revocation lists:

• To display the CA digital certificate, issue the show security pki ca-certificate ca-profile ca-profile-name command.
• To display the local digital certificate and the public key used to enroll the certificate, issue the show security pki local-certificate certificate-id certificate-id-name command.
• To display the local certificate request in PKCS-10 format, issue the show security pki certificate-request certificate-id certificate-id-name command.
• You can also view which digital certificates are used in IKE negotiations to establish IPSec tunnels by issuing the show services ipsec-vpn certificates command.
• To display the certificate revocation list, issue the show security pki crl ca-profile ca-profile-name command.
• To determine if a certificate is enabled for automatic-reenrollment, issue the show security pki command.

Variations of the clear security pki command enable you to delete certificates or requests and certificate revocation lists:

• To delete the CA digital certificate, issue the clear security pki ca-certificate ca-profile ca-profile-name command.
• To delete the local digital certificate and the associated private/public key pair, issue the clear security pki local-certificate certificate-id certificate-id-name command.
• To delete the local certificate request, issue the clear security pki certificate-request certificate-id certificate-id-name command.
• To clear the digital certificates that were used in IKE negotiations to establish IPSec tunnels, issue the clear services ipsec-vpn certificates command.
• To delete the certificate revocation list, issue the clear security pki crl ca-profile ca-profile-name command.

To see a full example showing the use of digital certificates in an IPSec topology, see Example: AS PIC IKE Dynamic SA with Digital Certificates Configuration. For more information about operational mode commands used with digital certificates, see the JUNOS System Basics and Services Command Reference. For more information about configuration statements used with digital certificates, see the J-series Services Router Advanced WAN Access Configuration Guide, the JUNOS System Basics Configuration Guide, and the JUNOS Services Interfaces Configuration Guide.

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.