Introduction to PKI in Junos OS
This document provides an overview of PKI (Public Key Infrastructure) in Junos OS, architecture of the virtual private network (VPN) based on PKI authentication, step-by-step instructions on configuring and troubleshooting of PKI in Junos OS, and FAQ (frequently asked questions) on PKI with respect to your SRX series or J-Series devices.
This document is intended for network design and security engineers, as well as anyone who requires secure connectivity over public networks.
Note: For more details on digital certificates, see the Junos System Basics Guide available at: http://www.juniper.net/techpubs/software/junos/. For information on crypto, RSA, and PKI, visit the website http://www.rsasecurity.com/rsalabs. For a list of PKI-related technical terms, see the Glossary of PKI Related Terms.
This topic describes the basic elements of public key infrastructure (PKI) in Junos OS, including components of the PKI, certificate life cycle management, and usage within Internet Key Exchange (IKE) and includes the following sections:
- Fundamentals of the PKI
- PKI Applications Overview
- Components for Administering PKI in Junos OS
- Basic Elements of PKI in Junos OS
Fundamentals of the PKI
Junos OS is the Juniper Networks single operating system and provides the following features:
- Powerful operating system with rich IP services toolkit.
- Unmatched IP dependability and security to ensure an efficient and predictable IP infrastructure.
- Enhanced security and VPN capabilities from Juniper Networks Firewall/IP Security (IPsec) VPN platforms including the SSG product family.
PKI Applications Overview
The Junos OS uses public/private keys in the following areas:
- SSH/SCP (for secure command-line interface [CLI]-based administration)
- Secure Sockets Layer (SSL) (for secure Web-based administration and for https-based webauth for user authentication)
- Internet Key Exchange (IKE) (for IPsec VPN tunnels)
Note: Note the following points:
Components for Administering PKI in Junos OS
The following components are required for administering PKI in Junos OS:
- CA certificates and authority configuration
- Local certificates, including the device's identity (example: IKE ID type and value) and its private and public keys
- Certificate validation through a certificate revocation list (CRL)
Basic Elements of PKI in Junos OS
Junos OS supports three specific types of PKI objects:
- Private/public key pair
- Certificates
- Local certificate—The local certificate contains the public key and identity information for the Juniper Networks device. The Juniper Networks device owns the associated private key. This certificate is generated based on a certificate request from the Juniper Networks device.
- Pending certificate — A pending certificate contains a key pair and identity information that is generated into a PKCS10 certificate request and manually sent to a certificate authority (CA). While the Juniper Networks device waits for the certificate from the CA, the existing object (key pair and the certificate request) is tagged as a certificate request or pending certificate.
Note: Junos OS Release 9.0 or later supports automatic sending of certificate requests through SCEP. For more information, see Appendix D: Simple Certificate Enrollment Protocol.
- CA certificate — When the certificate is issued by the CA and loaded into the Junos device, the pending certificate is replaced by the newly generated local certificate. All other certificates loaded into the device are considered CA certificates.
- Certificate revocation lists (CRLs)
Note the following points about certificates:
- Local certificates are generally used when a Junos device has VPNs in more than one administrative domain.
- All PKI objects are stored in a separate partition of persistent memory, apart from the Junos image and the system’s general configuration.
- Each PKI object has a unique name or certificate-ID given to it when it is created and maintains that ID until its deletion. You can view the certificate-ID using the CLI command show security pki local-certificate.
- A certificate generally cannot be copied from a device. The private key on a device must be generated on that device only, and it should never be viewed on or saved from that device. For this reason, PKCS12 files (which bundle a certificate with its public key and the associated private key) are not supported on Junos devices.
- CA certificates validate the certificates received from the IKE peer. If the certificate is valid, it is then checked against the CRL to see whether it has been revoked.
Each CA certificate includes a CA profile configuration that stores the following information:
- CA identity, which is typically the domain name of the CA
- E-mail address for sending the certificate requests directly to the CA
Revocation settings:
- Revocation check enable/disable option
- Option to disable the revocation check in case of CRL download failure
- Location of CDP (CRL Distribution Point) (for manual URL setting)
- CRL refresh interval
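The CA profile fields listed above, as an added Junos CLI configuration example that is not part of the original document. The profile name, e-mail address and CDP URL are constructed placeholders; the statement syntax follows the Junos security pki hierarchy as the editor recalls it and should be checked against the CLI of your release.

```junos
# Constructed example: CA profile for a hypothetical enterprise CA named "corp-ca".
# CA identity and the e-mail address that receives manually generated PKCS10 requests.
set security pki ca-profile corp-ca ca-identity corp-ca
set security pki ca-profile corp-ca administrator email-address pki-admin@example.com

# Revocation settings (the secure baseline): CRL checking on, the CRL fetched
# from an explicit CDP URL, and the cached CRL refreshed every 24 hours.
# Without the url statement the device uses the CDP embedded in the CA certificate.
set security pki ca-profile corp-ca revocation-check crl url http://crl.example.com/corp-ca.crl
set security pki ca-profile corp-ca revocation-check crl refresh-interval 24

# Relaxed variant, left disabled here: accept peer certificates when the CRL
# cannot be downloaded. Trade-off: a revoked certificate passes until the CDP is
# reachable again, so monitor CRL download failures if you enable this.
# set security pki ca-profile corp-ca revocation-check crl disable on-download-failure

# Weakest variant, also left disabled: no revocation checking at all.
# Revoked peer certificates are then accepted indefinitely.
# set security pki ca-profile corp-ca revocation-check disable

# Load the CA certificate into the profile, then verify the resulting PKI objects.
# request security pki ca-certificate load ca-profile corp-ca filename /var/tmp/corp-ca.pem
# show security pki ca-certificate ca-profile corp-ca
# show security pki crl ca-profile corp-ca
```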
Junos OS supports multiple local certificates, depending on the device size. See Appendix A: Frequently Asked Questions for details.
Table 1 provides information on possible PKI objects and their average sizes.
Table 1: PKI Objects and Average Sizes
| PKI Objects | Average Sizes |
|---|---|
| Private/public key pair | 1 KB |
| Local certificate | 2 KB |
| CA certificate | 2 KB |
| CA authority configuration | 500 bytes |
| CRL (average size varies with how many certificates have been revoked by that particular CA) | 300 bytes up to 2 MB+ |
Example: calculating flash memory requirements
Assume the following settings in a Junos device:
- An average CRL of 10 KB
- One local certificate, one CA certificate, and one CA authority configuration
The total flash memory requirement for these PKI objects =
2 KB (local certificate) + 1 KB (key pair) + 2 KB (CA certificate) + 0.5 KB (CA authority configuration) + 10 KB (CRL) = 15.5 KB
Note: Note the following points about certificate chains: