Troubleshooting Juniper Advanced Threat Prevention Cloud: Checking Certificates

Use the show security pki local-certificate CLI command to check your local certificates. Ensure that the current date falls within each certificate's validity period. The ssl-inspect-ca certificate is used for SSL proxy. Shown below are some examples; your output may look different because it depends on your setup and location.

user@host> show security pki local-certificate
Certificate identifier: ssl-inspect-ca
  Issued to: www.juniper_self.net, Issued by: CN = www.juniper_self.net, OU = IT, O = Juniper Networks, L = xxxxx, ST = xxxxx, C = IN
  Validity:
    Not before: 11-24-2015 22:33 UTC
    Not after: 11-22-2020 22:33 UTC
  Public key algorithm: rsaEncryption(2048 bits)

Certificate identifier: argon-srx-cert
  Issued to: xxxx-xxxx_xxx, Issued by: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) subCA for SRX devices, emailAddress = xxx@juniper.net
  Validity:
    Not before: 10-30-2015 21:56 UTC
    Not after: 01-18-2038 15:00 UTC
  Public key algorithm: rsaEncryption(2048 bits)

Use the show security pki ca-certificate command to check your CA certificates. The argon-ca certificate is the CA for the client certificate, and argon-secintel-ca is the CA for the server certificate. Ensure that the current date falls within each certificate's validity period.

root@host> show security pki ca-certificate
Certificate identifier: argon-ca
  Issued to: SecIntel (junipersecurity.net) subCA for SRX devices, Issued by: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) CA, emailAddress = xxx@juniper.net
  Validity:
    Not before: 05-19-2015 22:12 UTC
    Not after: 05- 1-2045 15:00 UTC
  Public key algorithm: rsaEncryption(2048 bits)

Certificate identifier: argon-secintel-ca
  Issued to: SecIntel (junipersecurity.net) CA, Issued by: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) CA, emailAddress = xxx@juniper.net
  Validity:
    Not before: 05-19-2015 03:22 UTC
    Not after: 05-16-2045 03:22 UTC
  Public key algorithm: rsaEncryption(2048 bits)

When you enroll an SRX Series device, the ops script installs two CA certificates: one for the client and one for the server. Client-side CA certificates are associated with serial numbers. Use the show security pki local-certificate detail CLI command to get your device’s certificate details and serial number.

user@host> show security pki local-certificate detail 
Certificate identifier: aamw-srx-cert
  Certificate version: 3
  Serial number: xxxxxxxxxx
  Issuer:
    Organization: Juniper Networks Inc, Organizational unit: SecIntel, Country: US,
    Common name: SecIntel (junipersecurity.net) subCA for SRX devices
  Subject:
    Organization: xxxxxxxxxx, Organizational unit: SRX, Country: US,
    Common name: xxxxxxxxxx
  Subject string: 
    C=US, O=xxxxxxxx, OU=SRX, CN=xxxxxxxx, emailAddress=secintel-ca@juniper.net
  Alternate subject: secintel-ca@juniper.net, fqdn empty, ip empty
  Validity:
    Not before: 11-23-2015 23:08 UTC
    Not after: 01-18-2038 15:00 UTC

Then use the show security pki crl detail CLI command to make sure your serial number is not in the Certificate Revocation List (CRL). If your serial number is listed in the CRL, that SRX Series device cannot connect to the cloud server.

user@host> show security pki crl detail 
CA profile: aamw-ca
  CRL version: V00000001
  CRL issuer: C = US, O = Juniper Networks Inc, OU = SecIntel, CN = SecIntel (junipersecurity.net) subCA for SRX devices, emailAddress = secintel-ca@juniper.net
  Effective date: 11-23-2015 23:16 UTC
  Next update: 11-24-2015 23:16 UTC
  Revocation List: 
    Serial number              Revocation date
    xxxxxxxxxxxxxxxxx			    10-26-2015 17:43 UTC       
    xxxxxxxxxxxxxxxxx			    11- 3-2015 19:07 UTC 
    ...      
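The checks walked through above (local certificate dates, CA certificate dates, the device serial number, and the CRL) can also be run offline against captured command output, which is useful when comparing many devices or keeping a record of a troubleshooting session. The following Python script is an added example and is not Juniper code or part of this guide. It parses the output formats shown above, using constructed sample output in which the identifiers, serial numbers and dates are made-up placeholders, and reports certificates that are expired or not yet valid, a serial number that appears in the CRL, and a CRL whose Next update time has already passed (a stale CRL means the revocation check itself cannot be trusted).

```python
"""Offline checks over captured 'show security pki ...' output (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample output modelled on the command output shown in this guide.
# Identifiers, serial numbers and dates are illustrative placeholders.
LOCAL_CERT_DETAIL = """\
Certificate identifier: aamw-srx-cert
  Certificate version: 3
  Serial number: 1a2b3c4d5e
  Issuer:
    Organization: Juniper Networks Inc, Organizational unit: SecIntel, Country: US,
    Common name: SecIntel (junipersecurity.net) subCA for SRX devices
  Validity:
    Not before: 11-23-2015 23:08 UTC
    Not after: 01-18-2038 15:00 UTC
"""

CA_CERTS = """\
Certificate identifier: argon-ca
  Validity:
    Not before: 05-19-2015 22:12 UTC
    Not after: 05- 1-2045 15:00 UTC

Certificate identifier: argon-secintel-ca
  Validity:
    Not before: 05-19-2015 03:22 UTC
    Not after: 05-16-2045 03:22 UTC
"""

CRL_DETAIL = """\
CA profile: aamw-ca
  CRL version: V00000001
  Effective date: 11-23-2015 23:16 UTC
  Next update: 11-24-2015 23:16 UTC
  Revocation List: 
    Serial number              Revocation date
    0f0f0f0f0f                 10-26-2015 17:43 UTC
    deadbeef01                 11- 3-2015 19:07 UTC
"""

# Constructed "current time" for the worked run below.
SAMPLE_NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)

# One certificate block: identifier followed by its Not before / Not after lines.
CERT_RE = re.compile(
    r"Certificate identifier: (?P<id>\S+).*?"
    r"Not before: (?P<nb>[\d\- :]+UTC).*?"
    r"Not after: (?P<na>[\d\- :]+UTC)",
    re.S,
)
SERIAL_RE = re.compile(r"Serial number: (?P<serial>\S+)")
NEXT_UPDATE_RE = re.compile(r"Next update: (?P<date>[\d\- :]+UTC)")
# CRL rows: an indented hex serial followed by the revocation timestamp.
CRL_ENTRY_RE = re.compile(
    r"^\s+(?P<serial>[0-9a-fA-F]+)\s+(?P<date>[\d\- :]+UTC)", re.M
)


def parse_junos_time(text):
    """Parse 'MM-DD-YYYY HH:MM UTC'; single-digit days are space-padded ('05- 1-2045')."""
    fields = text.strip().replace("- ", "-0").split()
    stamp = datetime.strptime(" ".join(fields[:2]), "%m-%d-%Y %H:%M")
    return stamp.replace(tzinfo=timezone.utc)


def parse_certificates(text):
    """Return {identifier: (not_before, not_after)} from certificate output."""
    return {m["id"]: (parse_junos_time(m["nb"]), parse_junos_time(m["na"]))
            for m in CERT_RE.finditer(text)}


def parse_serial(detail_text):
    """Return the device certificate's serial number, normalised to lower case."""
    m = SERIAL_RE.search(detail_text)
    return m["serial"].lower() if m else None


def parse_crl(crl_text):
    """Return {revoked_serial: revocation_time} from 'show security pki crl detail'."""
    return {m["serial"].lower(): parse_junos_time(m["date"])
            for m in CRL_ENTRY_RE.finditer(crl_text)}


def validity_status(not_before, not_after, now):
    """Classify one certificate against the clock in use."""
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


def check_validity(certs, now):
    return {ident: validity_status(nb, na, now) for ident, (nb, na) in certs.items()}


def check_enrollment(local_detail, ca_output, crl_output, now):
    """Run the checks this guide walks through and return the findings."""
    serial = parse_serial(local_detail)
    next_update = NEXT_UPDATE_RE.search(crl_output)
    return {
        "local": check_validity(parse_certificates(local_detail), now),
        "ca": check_validity(parse_certificates(ca_output), now),
        "serial": serial,
        "revoked": serial in parse_crl(crl_output),
        # A CRL past its Next update is stale; re-fetch before trusting it.
        "crl_stale": bool(next_update) and parse_junos_time(next_update["date"]) < now,
    }


if __name__ == "__main__":
    for key, value in check_enrollment(LOCAL_CERT_DETAIL, CA_CERTS, CRL_DETAIL, SAMPLE_NOW).items():
        print(f"{key}: {value}")
```

To use it against a real device, paste the output of the three commands into the corresponding strings (or read them from files) and replace SAMPLE_NOW with the device's own clock, since a wrong device clock is itself a common cause of "expired" or "not yet valid" results.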
