Verifying the PKI Configuration
Purpose
To verify the PKI configuration.
Action
Use the show configuration command to verify PKI configuration.
user@host> show configuration
system {
    host-name host;
    time-zone PST8PDT;
    root-authentication {
        encrypted-password "$1$wUchK29B$IACQWVtsyF2PBlKtl1Air."; ## SECRET-DATA
    }
    name-server {
        4.2.2.1;
        4.2.2.2;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.10.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 1.1.1.2/30;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 1.1.1.1;
    }
}
security {
    ike {
        traceoptions {
            flag ike;
            flag policy-manager;
            flag routing-socket;
            flag certificates;
        }
        proposal rsa-prop1 {
            authentication-method rsa-signatures;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
        }
        policy ike-policy1 {
            mode main;
            proposals rsa-prop1;
            certificate {
                local-certificate ms-cert;
                trusted-ca use-all;
                peer-certificate-type x509-signature;
            }
        }
        gateway ike-gate {
            ike-policy ike-policy1;
            dynamic hostname ssg5.juniper.net;
            external-interface ge-0/0/3;
        }
    }
    ipsec {
        policy vpn-policy1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn ike-vpn {
            ike {
                gateway ike-gate;
                ipsec-policy vpn-policy1;
            }
        }
    }
    zones {
        security-zone untrust {
            address-book {
                address remote-net 192.168.168.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
        security-zone trust {
            address-book {
                address local-net 10.10.10.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy tunnel-policy-out {
                match {
                    source-address local-net;
                    destination-address remote-net;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn;
                            pair-policy tunnel-policy-in;
                        }
                    }
                }
            }
            policy any-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            policy tunnel-policy-in {
                match {
                    source-address remote-net;
                    destination-address local-net;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn;
                            pair-policy tunnel-policy-out;
                        }
                    }
                }
            }
        }
    }
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    pki {
        ca-profile ms-ca {
            ca-identity labdomain.com;
            revocation-check {
                crl {
                    url http://labsrv1.labdomain.com/CertEnroll/LABDOMAIN.crl;
                }
            }
        }
        traceoptions {
            file size 1m;
            flag all;
        }
    }
}
Note: In the sample output of the show configuration command above, the traceoptions statements, highlighted in the original output, are configured for troubleshooting purposes.
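The check above can also be scripted. The following Python is an added example, not Juniper's code: it parses line-broken `show configuration` output and reports certificate-related statements that are missing compared with the sample on this page. The function names `parse`, `named`, `value` and `verify_pki` are hypothetical, and treating the sample's statements (local-certificate, rsa-signatures, ca-identity, CRL url) as the expected baseline is an assumption.

```python
import re
# Constructed sample: certificate-related statements abridged from the output above.
SAMPLE = """security {
  ike { proposal rsa-prop1 { authentication-method rsa-signatures; }
        policy ike-policy1 { proposals rsa-prop1; certificate { local-certificate ms-cert; } } }
  pki { ca-profile ms-ca { ca-identity labdomain.com; revocation-check { crl {
        url http://labsrv1.labdomain.com/CertEnroll/LABDOMAIN.crl; } } } } }"""

def parse(text):
    """Parse Junos curly-brace output into nested dicts; leaf statements map to None."""
    text = re.sub(r"##[^\n]*", "", text)   # drop annotations such as "## SECRET-DATA"
    stack, words = [{}], []                # stack[-1] is the block being filled
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":                     # words so far name a child block
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":                   # words so far form a leaf statement
            stack[-1][" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    return stack[0]

def named(node, kw):   # name -> subtree for blocks such as 'ca-profile ms-ca { ... }'
    return {k[len(kw) + 1:]: v for k, v in node.items() if v is not None and k.startswith(kw + " ")}
def value(node, kw):   # argument of a leaf such as 'ca-identity labdomain.com;', else None
    return next((k[len(kw) + 1:] for k, v in node.items() if v is None and k.startswith(kw + " ")), None)

def verify_pki(cfg):
    """Return findings; an empty list means the certificate statements are consistent."""
    sec, out = cfg.get("security", {}), []
    ike, profiles = sec.get("ike", {}), named(sec.get("pki", {}), "ca-profile")
    for name, pol in named(ike, "policy").items():
        if not value(pol.get("certificate", {}), "local-certificate"):
            out.append(f"ike policy {name}: no local-certificate")
        for p in (value(pol, "proposals") or "").strip("[] ").split():
            if value(named(ike, "proposal").get(p, {}), "authentication-method") != "rsa-signatures":
                out.append(f"ike proposal {p}: authentication-method is not rsa-signatures")
    if not profiles:
        out.append("pki: no ca-profile configured")
    for name, prof in profiles.items():
        if not value(prof, "ca-identity"):
            out.append(f"ca-profile {name}: no ca-identity")
        if not value(prof.get("revocation-check", {}).get("crl", {}), "url"):
            out.append(f"ca-profile {name}: revocation-check has no CRL url")
    return out
print(verify_pki(parse(SAMPLE)) or "no findings")
```

Feed it the saved command output with its line breaks intact, since `## SECRET-DATA` annotations are stripped to the end of the line.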
