show ipsec certificates



Description

(Encryption interface on M Series and T Series routers only) Display information about the IPsec certificate database.



Options

none

Display standard information about all of the entries in the IPsec certificate database.

brief | detail

(Optional) Display the specified level of output.

crl crl-name | serial-number

(Optional) Display the entries on the certificate revocation list (CRL), or only the CRL entry for the specified serial number. A CRL is a timestamped list identifying revoked certificates. It is signed by a certificate authority (CA) or by a separate CRL issuer and made freely available in a public repository. Each revoked certificate is identified in a CRL by its certificate serial number, so a certificate that is still within its validity period is nevertheless untrusted once its serial number appears on the issuer's CRL.

Required Privilege Level


Output Fields

Table 1 lists the output fields for the show ipsec certificates command. Output fields are listed in the approximate order in which they appear.

Table 1: show ipsec certificates Output Fields

Field Name

Field Description

Level of Output


Display information about the IPsec certificate database.

  • Total entries—Number of database entries, including entries that are not trusted or that are in the process of being deleted.

  • Active entries—Number of database entries, excluding entries that are marked as deleted.

  • Locked entries—Number of statically configured database entries that cannot expire, such as CA certificates that are root or trusted.

All levels


Distinguished name of the certificate, showing the C (country), O (organization), and CN (common name) attributes, as described in RFC 3280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

All levels


Identification number of the database entry, generated by the internal certificate database.

All levels


Reference number that the certificate manager holds for this entry.



Unique serial number assigned to each certificate by the CA.

All levels


State of the certificate.

  • Trusted—Passed validity checks.

  • Not trusted—Failed validity checks.

  • Root—Entry is locked. It may have been learned through IKE or configured locally as a CA certificate.

  • Non-root—Entry is not locked.

  • Crl-issuer—Entity issues CRLs.

  • Non-crl-issuer—Entity does not issue CRLs.


Validity period starts

Start of the certificate's validity period, in the format yyyy mon dd, hh:mm:ss GMT.


Validity period ends

End of the certificate's validity period, in the format yyyy mon dd, hh:mm:ss GMT. Both validity fields are compared against the router's own clock, so an incorrect system time can cause an otherwise valid certificate to fail validity checks.


Alternative name information

Subject alternative name of the certificate, an auxiliary identity of one of the following types: dns-name, email-address, ip-address, or uri (uniform resource identifier).



Information about the entity that has signed and issued the CRL, as described in RFC 2459, Internet X.509 Public Key Infrastructure Certificate and CRL Profile (since obsoleted by RFC 3280 and then RFC 5280).

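The crl option and the Trusted/Not trusted, validity-period and CRL-issuer fields in Table 1 describe the checks the router applies to its certificate database. The following shell script is an added example, not Junos output and not Juniper code: it uses openssl(1) to build a throwaway CA, issue one certificate, and show that the same certificate passes a CRL-aware check before revocation and fails it once its serial number is listed in a republished CRL, while its validity period never changes. The CA and router subject names, the file names, and the 0x1000 starting serial are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Junos CLI output: build a throwaway CA with openssl,
# issue one certificate, publish an empty CRL, then revoke the certificate
# and republish the CRL. The trust decision flips on the serial number alone.
# All subjects, file names and the 0x1000 serial are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal ca(1) configuration: flat-file issuance database, serial and CRL
# number counters, 30-day CRL lifetime. The [req]/[dn] sections exist only so
# that req(1) accepts this file while -subj supplies the whole DN.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = index.txt
new_certs_dir    = .
certificate      = ca.crt
private_key      = ca.key
serial           = serial
crlnumber        = crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName       = Common Name
EOF
: > index.txt
echo 1000 > serial      # first issued certificate gets serial 0x1000
echo 1000 > crlnumber

# Self-signed root allowed to sign both certificates and CRLs (without
# cRLSign, openssl rejects the CRL with KEYUSAGE_NO_CRL_SIGN).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
  -subj "/C=US/O=Example Corp/CN=Example Root CA" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" \
  -keyout ca.key -out ca.crt >/dev/null 2>&1

# One end-entity certificate, standing in for a router's IKE identity.
openssl req -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/C=US/O=Example Corp/CN=router1.example.net" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl ca -batch -config ca.cnf -notext -in leaf.csr -out leaf.crt >/dev/null 2>&1

# Serial number of a certificate as upper-case hex, without the "serial=" prefix.
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# Serial numbers listed as revoked in a CRL, one per line.
crl_revoked_serials() { openssl crl -in "$1" -noout -text | sed -n 's/^ *Serial Number: //p'; }

# "valid" if the validity period includes the current time, else "expired".
validity_status() {
  if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then echo valid; else echo expired; fi
}

# Chain check against ca.crt with CRL checking: "trusted" or "not-trusted".
trust_status() {  # $1 = certificate, $2 = CRL
  if openssl verify -crl_check -CAfile ca.crt -CRLfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo not-trusted
  fi
}

# 1. CRL with no entries: the certificate passes every check.
openssl ca -config ca.cnf -gencrl -out empty.crl >/dev/null 2>&1
echo "serial $(cert_serial leaf.crt): $(validity_status leaf.crt), $(trust_status leaf.crt empty.crl) against empty CRL"

# 2. Revoke it and republish: same certificate, same validity period, but its
#    serial now appears in the CRL and the check fails.
openssl ca -config ca.cnf -revoke leaf.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
echo "CRL $(openssl crl -in ca.crl -noout -issuer)"
echo "revoked serials: $(crl_revoked_serials ca.crl)"
echo "serial $(cert_serial leaf.crt): $(validity_status leaf.crt), $(trust_status leaf.crt ca.crl) against updated CRL"
```

Run it with sh on a host whose openssl is 1.1.1 or later (needed for -addext). The two trust_status lines correspond to the Trusted and Not trusted states in Table 1: the validity period is unchanged between them, and only the CRL content differs, which is why a stale CRL on the router leaves revoked certificates looking trusted.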

Sample Output

show ipsec certificates detail

Release Information

Command introduced before Junos OS Release 7.4.