show security pki local-certificate (View)
Syntax
show security pki local-certificate <brief | detail> <certificate-id certificate-id-name> <system-generated>
Description
Display information about the local digital certificates, corresponding public keys, and the automatically generated self-signed certificate configured on the device.
Options
- none—Display basic information about all configured local digital certificates, corresponding public keys, and the automatically generated self-signed certificate.
- brief | detail—(Optional) Display the specified level of output.
- certificate-id certificate-id-name—(Optional) Display information about only the specified local digital certificates and corresponding public keys.
- system-generated—Display information about the automatically generated self-signed certificate.
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show security pki local-certificate command. Output fields are listed in the approximate order in which they appear.
| Field Name | Field Description |
|---|---|
| Certificate identifier | Name of the digital certificate. |
| Certificate version | Revision number of the digital certificate. |
| Serial number | Unique serial number of the digital certificate. Starting in Junos OS Release 20.1R1, the PKI local certificate serial number is displayed with a 0x prefix to indicate that it is in hexadecimal format. Starting in Junos OS Release 21.4R1, you can view the serial number of the digital certificate in both hexadecimal and decimal formats. |
| Issued to | Device that was issued the digital certificate. |
| Issued by | Authority that issued the digital certificate. |
| Issuer | Authority that issued the digital certificate, including details of the authority organized using the distinguished name format. Possible subfields are: |
| LSYS | Name of the logical systems. |
| Subject | Details of the digital certificate holder organized using the distinguished name format. Possible subfields are: If the certificate contains multiple subfield entries, all entries are displayed. |
| Subject string | Subject field as it appears in the certificate. |
| Alternate subject | Domain name or IP address of the device related to the digital certificate. For multiple FQDNs, displays only the last FQDN details. Starting in Junos OS Release 22.4R2, with multiple FQDNs, this option shows all domain names, IPv4 or IPv6 addresses and email addresses related to the digital certificate configured on the device. |
| Cert-Chain | Starting in Junos OS Release 21.4R1, you can view the certificate chain for a given local certificate. |
| Validity | Time period when the digital certificate is valid. Values are: |
| Public key algorithm | Encryption algorithm used with the private key, such as |
| | Public key verification status: |
| Signature algorithm | Encryption algorithm that the CA used to sign the digital certificate, such as |
| Fingerprint | Secure Hash Algorithm ( Starting in Junos OS Release 21.4R1, you can also view the SHA-256 fingerprint for a local certificate along with SHA-1 and MD-5 fingerprints. |
| Distribution CRL | Distinguished name information and URL for the certificate revocation list ( |
| | Use of the public key, such as |
Sample Output
- show security pki local-certificate certificate-id hello
- show security pki local-certificate system-generated
- show security pki local-certificate system-generated detail
- show security pki local-certificate detail (MX240, MX480, MX960, SRX Series Firewalls and vSRX Virtual Firewall)
show security pki local-certificate certificate-id hello
user@host> show security pki local-certificate certificate-id hello
LSYS: root-logical-system
Certificate identifier: hello
Issued to: tc5-5-1, Issued by: DC = Juniper, CN = root-551-AAA
Validity:
Not before: 10-14-2021 21:41 UTC
Not after: 02-13-2026 14:27 UTC
Public key algorithm: rsaEncryption(1024 bits)
Keypair Location: Keypair generated locally
show security pki local-certificate system-generated
user@host> show security pki local-certificate system-generated
LSYS: root-logical-system
Certificate identifier: system-generated
Issued to: 4a505bb373d7, Issued by: CN = 4a505bb373d7, CN = system generated, CN = self-signed
Validity:
Not before: 07-12-2019 22:23 UTC
Not after: 07-10-2024 22:23 UTC
Public key algorithm: rsaEncryption(2048 bits)
Keypair Location: Keypair generated locally
show security pki local-certificate system-generated detail
user@host> show security pki local-certificate system-generated detail
LSYS: root-logical-system
Certificate identifier: system-generated
Certificate version: 3
Serial number:
hexadecimal: 0x23171f4f104463e2847bc792c39eb614
decimal: 46643037698975347221422984685160412692
Issuer:
Common name: 4a505bb373d7, Common name: system generated, Common name: self-signed
Subject:
Common name: 4a505bb373d7, Common name: system generated, Common name: self-signed
Subject string:
CN=4a505bb373d7, CN=system generated, CN=self-signed
Validity:
Not before: 07-12-2019 22:23 UTC
Not after: 07-10-2024 22:23 UTC
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:d5:7e:5e:7a:15:90:e3:23:07:8e:e3
4b:40:0e:95:33:31:8c:17:0b:d1:78:48:2e:b5:e8:cb:44:03:f1:fd
00:57:af:e9:d9:2c:78:96:04:37:3c:4a:65:d9:f1:fb:72:14:7f:b2
d3:42:d3:84:be:e8:c5:6c:e2:f5:91:8a:41:02:30:a7:8b:2f:10:5e
ab:5e:4e:d7:d6:f1:e7:ad:e3:6c:16:8d:6b:3c:0e:11:e9:26:8a:38
99:78:0a:57:67:cc:0a:ea:fa:35:2b:f3:51:4e:cc:30:ee:e9:a7:0a
26:14:42:fc:1b:22:ec:2d:0c:3b:10:d5:fb:e3:e6:ae:c6:cc:e7:de
0f:cf:4d:a7:87:11:e1:4e:7f:33:69:c0:16:4e:80:c8:57:b4:9a:f8
90:15:d8:e6:3e:06:7a:1c:a3:34:91:92:a6:88:9f:14:f5:89:39:da
0f:88:1c:b0:bd:7d:46:23:b2:42:e8:6f:d2:34:9e:f2:bd:00:34:23
99:4e:bb:39:0e:e4:bb:b2:9b:53:02:36:30:10:b7:28:e3:c4:8c:0e
4c:fd:cf:4f:58:81:72:91:b4:82:18:cf:ba:f6:76:59:f2:d5:36:e1
3a:29:20:72:02:5b:26:45:6f:92:0c:8e:dc:6c:d4:1c:78:55:db:66
3a:e9:9a:9c:81:02:03:01:00:01
Signature algorithm: sha256WithRSAEncryption
Fingerprint:
0b:08:f8:bc:c6:a3:c1:41:75:2b:48:da:5d:a7:0f:d8:99:45:cd:8a (sha1)
8a:1b:b9:79:19:c6:c3:88:05:a8:05:28:3c:f2:b0:e9 (md5)
a3:9b:c1:c4:55:a8:f8:79:6f:a9:27:fc:f8:5a:af:45:37:dd:42:5f:2f:2b:bb:85:e3:f0:d7:99:9d:93:65:b1 (sha256)
show security pki local-certificate detail (MX240, MX480, MX960, SRX Series Firewalls and vSRX Virtual Firewall)
Starting in Junos OS Release 21.4R1, execute the show security pki local-certificate detail command to view:
- the CA certificate chain for a local certificate. The output field cert-chain displays the CA certificate chain. If there is no certificate chain available for a given local certificate, then the cert-chain field displays the Issuer/Root CA name. If a certificate chain exists, then cert-chain displays the Root-CA, followed by the intermediate CAs.
- the local certificate serial number in both hexadecimal and decimal format.
- the SHA-256 fingerprint for a local certificate.
user@host> show security pki local-certificate certificate-id localcert-Sub11 detail
LSYS: root-logical-system
Certificate identifier: localcert-Sub11
Certificate version: 3
Serial number:
hexadecimal: 0x0000202f
decimal: 8239
Issuer:
Organization: juniper, Country: us, Common name: Sub11-CA
Subject:
Organizational unit: net_name, Common name: localcert-Sub11, Domain component: Juniper
Subject string:
DC=Juniper, CN=localcert-Sub11, OU=net_name
Alternate subject: "localcert-Sub11@juniper.net", localcert-Sub11.juniper.net, 3.3.3.1, ipv6 empty
Cert-Chain: Root-CA , Sub1-CA , Sub11-CA
Validity:
Not before: 05-19-2021 16:30 UTC
Not after: 05-17-2031 08:05 UTC
Public key algorithm: rsaEncryption(1024 bits)
30:81:89:02:81:81:00:ae:16:b6:d7:72:34:9e:ef:4b:9b:e2:c8:d1
8b:2a:e4:04:16:7a:06:ac:d6:be:96:e3:2f:2b:ac:b9:28:42:1b:c4
ef:10:1e:7d:76:a5:8f:c4:fa:b5:b6:c1:7d:53:15:b7:85:f0:aa:4c
af:9d:35:1e:06:dc:38:ce:40:70:b3:63:b9:4c:55:eb:ba:61:85:40
71:32:ec:5a:3a:83:1f:e3:bf:0f:8d:cd:f7:29:44:e2:c6:a3:10:62
bb:aa:f1:ae:cc:6e:ef:8a:4e:cc:03:cf:e9:35:c5:8f:7a:21:a9:ee
9b:c1:2d:a3:7b:94:6f:db:2a:d7:01:0a:1c:1b:c3:02:03:01:00:01
Signature algorithm: sha256WithRSAEncryption
Distribution CRL:
http://10.48.148.132:8080/crl-as-der/currentcrl-23.crl?id=23
Authority Information Access OCSP:
http://10.48.148.132:8090/Sub11-CA/
Fingerprint:
4b:04:da:b1:03:a6:a2:fc:24:d4:e3:ec:61:7a:d0:10:97:10:25:9e (sha1)
e4:6a:3d:90:a1:a2:ec:5b:3b:de:c6:3f:16:1d:02:d5 (md5)
40:d3:95:c6:3c:5e:0e:cd:32:ca:63:76:e9:83:8e:ca:ec:8a:c7:0e:84:bb:e5:a5:bc:e4:25:0c:54:0c:23:51 (sha256)
Auto-re-enrollment:
Status: Disabled
Next trigger time: Timer not started
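An added example, not part of the Juniper documentation: a Python parser for the detail output shown above that flags RSA keys below a minimum size and certificates near or past their Not after date, and collects the fingerprints for inventory. The function names, the thresholds (2048 bits, 30 days) and the abridged sample input are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed input: abridged from the two "detail" samples on this page
# (hex key dumps and several fields left out).
SAMPLE = """\
LSYS: root-logical-system
Certificate identifier: system-generated
Not after: 07-10-2024 22:23 UTC
Public key algorithm: rsaEncryption(2048 bits)
a3:9b:c1:c4:55:a8:f8:79:6f:a9:27:fc:f8:5a:af:45:37:dd:42:5f:2f:2b:bb:85:e3:f0:d7:99:9d:93:65:b1 (sha256)
Certificate identifier: localcert-Sub11
Not after: 05-17-2031 08:05 UTC
Public key algorithm: rsaEncryption(1024 bits)
40:d3:95:c6:3c:5e:0e:cd:32:ca:63:76:e9:83:8e:ca:ec:8a:c7:0e:84:bb:e5:a5:bc:e4:25:0c:54:0c:23:51 (sha256)
"""

FIELDS = ("certificate identifier", "not after", "public key algorithm")
FP_RE = re.compile(r"((?:[0-9a-f]{2}:)+[0-9a-f]{2}) \((sha1|md5|sha256)\)")

def parse_detail(text):
    """Split CLI output into one dict per certificate."""
    certs = []
    for line in map(str.strip, text.splitlines()):
        key, _, value = line.partition(":")
        key, value = key.lower(), value.strip()
        if key == "certificate identifier":
            certs.append({"fingerprints": {}})
        if not certs:
            continue  # preamble such as the "LSYS:" line
        fp = FP_RE.fullmatch(line)
        if fp:
            certs[-1]["fingerprints"][fp.group(2)] = fp.group(1)
        elif key in FIELDS and value:
            certs[-1][key] = value
    return certs

def audit(cert, now, min_rsa_bits=2048, warn_days=30):
    """Return findings; the thresholds are assumptions, not Junos defaults."""
    findings = []
    bits = re.fullmatch(r"rsaEncryption\((\d+) bits\)", cert.get("public key algorithm", ""))
    if bits and int(bits.group(1)) < min_rsa_bits:
        findings.append(f"RSA key is {bits.group(1)} bits")
    end = datetime.strptime(cert["not after"], "%m-%d-%Y %H:%M UTC").replace(tzinfo=timezone.utc)
    days = (end - now).days
    if days < warn_days:
        findings.append("expired" if end <= now else f"expires in {days} days")
    return findings
```

Run against output collected from each device, the findings list gives a quick inventory of certificates that need re-enrollment or a larger key.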
Release Information
Command modified in Junos OS Release 9.1.
Subject string output field added in Junos OS Release 12.1X44-D10.
Cert-Chain, hexadecimal and decimal for Serial Number, (sha256) for Fingerprint output fields are added in Junos OS Release 21.4R1.