Appendix D: Simple Certificate Enrollment Protocol

During the normal life cycle of a PKI certificate, managing local certificate expiration involves the following tasks that an administrator has to perform:

By using Simple Certificate Enrollment Protocol (SCEP), an administrator can manage the expiration of local certificates by automatically reenrolling and retrieving new certificates. SCEP can also simplify the initial certificate request and retrieval by automatically retrieving the certificate from the certificate authority (CA) server (if the CA server supports SCEP).

Junos OS Release with Enhanced Services 9.0 or later supports SCEP. Currently, only Microsoft SCEP is supported; support for Verisign SCEP and Entrust SCEP is not currently available.

Note: You can troubleshoot SCEP-related issues by enabling PKI traceoptions within the security PKI hierarchy.

To configure SCEP:

  1. Generate the key-pair:

    user@host> request security pki generate-key-pair certificate-id mscert1 size 1024
    Generated key pair mscert1, key size 1024 bits
  2. Configure the SCEP server under the security PKI hierarchy:

    user@host> configure
    Entering configuration mode
    [edit]
    user@host# edit security pki
    [edit security pki]
    user@host# set ca-profile msca-profile ca-identity msca2000 enrollment url http://172.19.50.129/certsrv/mscep/mscep.dll retry 3 retry-interval 3
    [edit security pki]
    user@host# show
    ca-profile msca-profile {
        ca-identity msca2000;
        enrollment {
            url http://172.19.50.129/certsrv/mscep/mscep.dll;
            retry 3;
            retry-interval 3;
        }
    }
    [edit security pki]
    user@host# commit and-quit
  3. Generate your local certificate by enrolling through SCEP:

    user@host> request security pki local-certificate enroll ca-profile msca-profile certificate-id mscert1 challenge-password "" domain-name tacdomain.com subject "CN=testuser,OU=Support,O=Juniper Networks,L=Sunnyvale,ST=CA,C=US"
  4. Enroll your CA certificate (if required).

    user@host> request security pki ca-certificate enroll ca-profile msca-profile
    Fingerprint:
    1b:02:cc:cb:0f:d3:14:39:51:aa:0f:ff:52:d3:38:94:b7:11:86:30 (sha1)
    90:60:53:c0:74:99:f5:da:53:d0:a0:f3:b0:23:ca:a3 (md5)
    Do you want to load the above CA certificate ? [yes,no] (no) yes
    CA certificate for profile msca-profile loaded successfully
  5. When the certificate is loaded, configure auto-reenrollment.

    Example:
    user@host> configure
    Entering configuration mode
    [edit]
    user@host# edit security pki
    [edit security pki]
    user@host# set auto-re-enrollment certificate-id mscert1 ca-profile-name msca-profile challenge-password "" re-enroll-trigger-time-percentage 5 re-generate-keypair
    [edit security pki]
    user@host# show
    ca-profile msca-profile {
        ca-identity msca-id;
        enrollment {
            url http://172.19.50.129/certsrv/mscep/mscep.dll;
            retry 3;
            retry-interval 3;
        }
    }
    auto-re-enrollment {
        certificate-id mscert1 {
            ca-profile-name msca-profile;
            challenge-password "$9$jx"; ## SECRET-DATA
            re-enroll-trigger-time-percentage 5;
            re-generate-keypair;
        }
    }
    [edit security pki]
    user@host# commit and-quit
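Two checks an operator typically wants around steps 4 and 5, as an added Python example that is not part of this Juniper document: verifying the CA fingerprint the router prints against one obtained out-of-band before answering "yes", and working out when auto-reenrollment will fire. The sample DER bytes are constructed placeholders, and the example assumes that re-enroll-trigger-time-percentage is the share of the validity period still remaining when reenrollment starts.

```python
import hashlib
import hmac
from datetime import datetime, timedelta


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated digest in the form Junos prints during
    'request security pki ca-certificate enroll' (e.g. 1b:02:cc:...)."""
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der: bytes, expected: str, algo: str = "sha1") -> bool:
    """Compare the CA certificate offered over SCEP with a fingerprint obtained
    out-of-band (from the CA operator, not over the same HTTP channel).
    Case and separators are normalised; the comparison is constant-time."""
    wanted = expected.lower().replace(":", "").replace(" ", "")
    actual = hashlib.new(algo, der).hexdigest()
    return hmac.compare_digest(actual, wanted)


def reenroll_trigger(not_before: datetime, not_after: datetime,
                     trigger_pct: int) -> datetime:
    """Point in time at which auto-re-enrollment starts, under the assumption
    (stated in the lead-in) that the percentage refers to validity remaining."""
    if not 0 < trigger_pct < 100:
        raise ValueError("trigger percentage must lie strictly between 0 and 100")
    validity: timedelta = not_after - not_before
    return not_after - validity * (trigger_pct / 100)


if __name__ == "__main__":
    # Constructed placeholder; a real check hashes the DER-encoded CA
    # certificate returned by the SCEP server.
    der = b"constructed-placeholder-not-a-real-certificate"
    print("sha1 ", fingerprint(der, "sha1"))
    print("md5  ", fingerprint(der, "md5"))
    print("match", fingerprint_matches(der, fingerprint(der)))
    # One-year certificate with re-enroll-trigger-time-percentage 5 (step 5).
    when = reenroll_trigger(datetime(2023, 1, 1), datetime(2024, 1, 1), 5)
    print("auto-re-enrollment starts:", when)  # 2023-12-13 18:00:00
```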
