Appendix A: Frequently Asked Questions
- Does Juniper Networks provide a CA with its products?
No. If you want to use a public key infrastructure (PKI), you must obtain third-party certificate authority (CA) software to implement the PKI, or use a service such as Verisign.
- What version of X.509 certificates are supported (V1 or V3)?
Juniper Networks supports both versions of X.509 certificates. However, you must use V3 if you want to use the SubjectAlternativeName extension field for a non-DN (distinguished name) Internet Key Exchange (IKE) ID type (for example, IP address, e-mail address, or fully qualified domain name [FQDN]).
- Does the Junos device support multiple certificates?
Yes, the Junos device can generate multiple key pairs, and multiple certificate requests, and have multiple local certificates loaded. The specific quantity of certificates depends on the particular platform.
- Can the Junos device use the same DN for different local certificates?
The Junos device does not support multiple certificates with the same subject (or DN) name on a single Junos device. Therefore, we recommend using a separate subject name for every key pair to avoid confusion. Some CAs also have limitations on supporting multiple key pairs for the same subject name.
- Can the Junos device auto-generate common name (CN) field values such as FQDN and serial number in the DN?
The Junos device does not auto-generate CN values such as FQDN and serial number. The FQDN or any other CN values must be specified during the certificate request procedure.
- Does the Junos device support a hierarchical certificate authority (CA) chain?
Yes, the Junos device can validate certificates up through a chain of CA certificates.
- How many levels of a certificate authority (CA) chain can the Junos device validate?
Seven.
- I have many levels in my certificate authority (CA) chain, and my CRL Distribution Point (CDP) servers are slow. How do I keep IKE from timing out?
Try adjusting the refresh interval for the certificate revocation list (CRL) so that the CRL is not checked very frequently. This is at the expense of potentially allowing a certificate which may have been revoked by the CA.
- Does Juniper Networks support PKCS10 for certificate requests?
Yes, PKCS10 certificate requests can be generated by the Junos device. These certificate requests can be copied using the command-line interface (CLI), sent through e-mail, or uploaded to an FTP server.
- Does Juniper Networks support PKCS12 certificate packages?
No, the Junos device does not accept a PKCS12 file. The Junos device must generate its own private key. Also, a Junos device does not generate a PKCS12 file for exporting its private/public keys and certificate. This approach provides more protection and reduces the possibility that someone could steal a device’s keys and thereby impersonate that device.
- Does the private key ever leave the Junos device?
No, but in future Junos OS Releases, the private key may be copied from the active to the backup unit of a device if that device is part of chassis clustering or a Junos Services Redundancy Protocol (JSRP) pair as an RTO (run-time object).
- What special characters should I avoid?
We support printable strings, minus reserved characters. Reserved characters are the ones we use as delimiters, such as the comma. Names containing an underscore (_) can also potentially cause problems.
- What RFC does Juniper support for public key infrastructure (PKI)?
We follow RFC3280. We also have all the required security features of RFC2459 (the predecessor of RFC3280).
- What are the PKI objects stored in flash and run-time memory?
Certificate authority (CA) certificate, CA certificate revocation list (CRL), CA profile configuration, local key pair, and local certificate or pending certificate.
- How are these PKI objects related?
Each CA certificate typically uses three objects (CA certificate, CRL, and CA profile configuration). Each local certificate uses two objects (certificate and key pair). A pending certificate is a PKCS10 file that has been generated and sent to a CA. When the signed certificate from the CA is installed, the pending certificate object is replaced with the local certificate.
- What are average sizes for PKI objects?
Average sizes of items:
- CRLs vary, depending on how many certificates a particular CA has revoked: minimum of 300 bytes to a maximum of 5MB.
- Certificates average 2K bytes each.
- Key pairs average 1K bytes each.
- CA profile configurations average 500 bytes each.
- What is the maximum size of a CRL?
The maximum size supported in Junos OS Release 8.5 is 5 MB.
- How do you disable CRL checking?
CRL checking is configurable per CA profile.
The command syntax for disabling CRL checking is set security pki ca-profile <ca-profile-name> revocation-check disable, followed by commit.
- Why does the Junos device not use or support two sets of keys for a virtual private network (VPN)?
In general, while setting up a PKI for e-mail and file encryption and signing, you should use two sets of keys. While you certainly want two sets of keys when encrypting e-mails and files (one set for signing and one set for encryption) you do not need two sets for the VPN. RSA keys are used only for authentication in IPsec, and so you do not need the second set of keys for things like long-term storage of encrypted material.
- Does Juniper Networks support CA cross-certification? In other words, if one Junos device uses a certificate from one root CA, another Junos device uses a certificate from a different root CA, and the two root CAs are cross-certified, can these two devices validate each other's certificates and form the VPN tunnel properly?
Yes, it can be done by using the PKCS7 certificate type. Using cross-certification, we can form a full certificate path to the root certificate stored locally.
- Which certificate formats does Junos OS support?
Junos OS follows the PKI profile described in RFC 3280 and supports:
- Installation of end-entity (EE) or CA certificates
- Encodings including X.509 or PKCS7, in DER or PEM format
- Compatibility with X.509 v3 and handling of the extensions defined in RFC 3280
- Does Junos OS support chassis clustering (high availability) for PKI certificates?
Junos OS Release 8.5 does not currently support high availability (HA) or JSRP with PKI. Future releases may support the transferring of a device key pair and local certificates between two HA peers. Check release notes for upcoming releases to see whether this is supported in releases later than 8.5.
- How is the public key of a key pair bound to a certificate request?
When generating a new key pair, a certificate-ID must be specified. This certificate-ID is also used for the certificate request and again when the local certificate is loaded. To completely delete a certificate request and key pair, use the clear security pki operational mode command. Two clear operations are needed: one to clear the certificate request and another to clear the key pair.
- Why not delete both the certificate and the key pair at the same time?
Some administrators prefer the ability to keep the same key pair and use a new certificate with them. This allows deletion of the old certificate without destroying the old key pair.
- Does Junos OS support Digital Signature Algorithm (DSA) keys?
No, currently only RSA keys are supported. DSA keys may be supported in future releases.
- Is Junos ICSA certified?
Not yet, although many of the security features in Junos OS were sourced from Juniper Networks ScreenOS products which are certified for version 1.2.
For more information regarding ICSA certification, see the ICSA Labs website at http://www.icsalabs.com/.
- Is OCSP supported for revocation checking?
Not currently, but it may be supported in a future release.
- Are there special characters to consider when doing PKI?
Yes, the comma (,) is a special character in an ASN.1 DN and requires an escape character, which is the backslash (\).
The UTF-8 encoded string should not have any of the following characters:
- A space or pound (#) character occurring at the beginning of the string;
- A space character occurring at the end of the string;
- One of the characters comma (,), plus (+), double quote(""),
backslash (\), less than or left triangle bracket (<), greater
than or right triangle bracket (>), or semi-colon (;).
If the comma (,) character needs to be escaped, then it should be prefixed by a backslash (\) (ASCII 92).
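The following Python is an added example, not code from Junos OS or from the original FAQ. It applies the DN string rules listed above (and the reserved-character caution in the "What special characters should I avoid?" answer) to attribute values before they are placed in a certificate request subject: commas and the other reserved characters are backslash-escaped, a leading space or pound sign and a trailing space are escaped, and a checker reports any value that still breaks the rules. Treating an underscore as a warning rather than an error is an assumption made here, since the FAQ only says it "can potentially cause problems".

```python
"""Escape and check X.500 distinguished-name (DN) attribute values.

Added example (not Junos code). Rules, as stated in the FAQ:
  * ',', '+', '"', '\\', '<', '>' and ';' must be backslash-escaped;
  * a value must not begin with a space or '#';
  * a value must not end with a space;
  * an underscore may cause problems (reported as a warning here; assumption).
"""

RESERVED = set(',+"\\<>;')


def _is_escaped(value: str, idx: int) -> bool:
    """True if value[idx] is preceded by an odd number of backslashes."""
    n = 0
    j = idx - 1
    while j >= 0 and value[j] == "\\":
        n += 1
        j -= 1
    return n % 2 == 1


def escape_dn_value(value: str) -> str:
    """Return a raw value escaped so it is safe inside "ATTR=value,ATTR=value"."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RESERVED:
            out.append("\\" + ch)            # backslash (ASCII 92) escape
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")                # leading pound sign
        else:
            out.append(ch)
    return "".join(out)


def check_dn_value(value: str) -> dict:
    """Check an already-encoded value; returns {'errors': [...], 'warnings': [...]}."""
    errors, warnings = [], []
    if value.startswith((" ", "#")):
        errors.append("begins with a space or '#'")
    if value.endswith(" ") and not _is_escaped(value, len(value) - 1):
        errors.append("ends with a space")
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            i += 2                            # skip the escaped pair
            continue
        if ch in RESERVED:
            errors.append(f"unescaped {ch!r} at position {i}")
        i += 1
    if "_" in value:
        warnings.append("contains an underscore (may cause problems)")
    return {"errors": errors, "warnings": warnings}


def build_dn(components) -> str:
    """Build a DN string from (attribute, raw value) pairs, escaping each value."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in components)


if __name__ == "__main__":
    # Constructed sample subject for a certificate request.
    subject = [("CN", "vpn1.example.com"), ("O", "Example, Inc."), ("C", "US")]
    print(build_dn(subject))
    for raw in ["Example, Inc.", " lead", "#hash", "trail ", "my_vpn"]:
        print(repr(raw), "raw:", check_dn_value(raw), "escaped:", check_dn_value(escape_dn_value(raw)))
```

Running the block prints the escaped subject string and, for each constructed sample, the problems found in the raw value next to the (empty) error list for its escaped form.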
- I want my CRL Distribution Point (CDP) function to communicate through a VPN tunnel. How do I set that up so the Junos device will source the IP from an internal interface that matches a tunnel definition, and not source the packet from the egress (outgoing) interface which does not match a tunnel policy (even though that interface is the tunnel endpoint/gateway IP itself)?
This is currently not supported in Junos OS.