Example: Reenrolling Local Certificates Automatically (CLI)
You can enable the device to automatically renew certificates that were acquired by online enrollment or loaded manually. This feature saves you from having to remember to renew certificates on the device before they expire, and it helps to maintain valid certificates at all times.
Automatic certificate renewal is disabled by default. You can configure the device to send a renewal request automatically before a certificate expires, specifying in days and minutes before the expiration date when the request is sent. By setting a different time for each certificate, you prevent the device from having to renew all certificates at once.
Before you begin: Obtain a certificate either online or manually. See Enabling Digital Certificates Online: Configuration Overview.
For this feature to work, the device must be able to reach the SCEP server, and the certificate must be present on the device during the renewal process. You must also ensure that the CA issuing the certificate returns the same DN: the CA must not modify the subject name or the subject alternative name extension in the new certificate.
You can enable and disable automatic SCEP certificate renewal for all SCEP certificates or on a per-certificate basis.
To enable and configure certificate reenrollment, use the set security pki auto-re-enrollment command with the following information:
- Certificate ID of the CA certificate—for example, sm1.
- Name of the CA profile associated with the certificate—for example, aaa.
- Challenge password for CA certificate enrollment and revocation. This password must be the same one configured previously for the CA—for example, abc.
- Trigger time for the reenrollment. This value sets the certificate reenrollment time as a percentage of the time left before expiration. For example, to start reenrollment when 10 percent of the certificate time remains, specify 10.
- Whether to generate a new key pair. By default, the Juniper Networks device reuses the existing key pair during automatic reenrollment; to generate a new key pair, specify re-generate-key-pair.
For example:
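The following configuration is an added example and not the page's own; it uses the values named in the list above (certificate ID sm1, CA profile aaa, challenge password abc, 10 percent trigger) and the auto-re-enrollment option keywords of the Junos CLI. The verification and removal commands after commit are assumed to match the same hierarchy and are included to show how to confirm the setting and how to disable renewal for one certificate or for all certificates, as described above.

```junos
# Configure automatic reenrollment for the local certificate sm1
# obtained through CA profile aaa. The challenge password must match
# the one the CA already knows (abc in this example).
set security pki auto-re-enrollment certificate-id sm1 ca-profile-name aaa
set security pki auto-re-enrollment certificate-id sm1 challenge-password abc

# Start reenrollment when 10 percent of the certificate lifetime remains.
# For a certificate valid for 365 days this is roughly 36.5 days before expiry.
set security pki auto-re-enrollment certificate-id sm1 re-enroll-trigger-time-percentage 10

# Optional: generate a fresh key pair instead of reusing the existing one.
set security pki auto-re-enrollment certificate-id sm1 re-generate-key-pair

commit

# Check the certificate's validity dates and subject/SAN after renewal
# to confirm the CA returned the same DN (assumed show command).
show security pki local-certificate certificate-id sm1 detail

# Disable automatic renewal for this certificate only ...
delete security pki auto-re-enrollment certificate-id sm1
# ... or for all certificates at once.
delete security pki auto-re-enrollment
```

Because the trigger is a percentage rather than a fixed date, certificates with different lifetimes renew at different times, which is the staggering effect the text describes; choose a percentage large enough that the device can reach the SCEP server and complete the exchange before the old certificate expires.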
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Example: Checking Certificate Validity Using CRLs (CLI)