certificate

Syntax

Hierarchy Level

Description

Specify usage of a digital certificate to authenticate the virtual private network (VPN) initiator and recipient.

Options

local-certificate certificate-id—Specifies one local certificate or a list of multiple local certificates (up to 20) to be used for IKE authentication when multiple certificates are installed on the device. You can use multiple local certificates only with the iked process. If the device supports only a single certificate, running the command again overwrites the existing local certificate. If the device supports multiple local certificates, running the command again adds the certificate to the list. Deleting a certificate from the list terminates any existing IKE connection that uses that certificate. The device then establishes new security associations (SAs) using the updated list. The certificate identifier must not include any of the following characters:

  • period (.)

  • forward slash (/)

  • percent sign (%)

  • space ( )

peer-certificate-type—Specifies a preferred type of certificate (Public Key Cryptography Standard #7 or X509).

  • pkcs7—PKCS7.

  • x509-signature—X509 is an ITU-T standard for public key infrastructure (PKI). This is the default value.

policy-oids oid—Configures policy object identifiers (OIDs). This configuration is optional. Policy OIDs are values included in a peer’s certificate or certificate chain. You can configure up to five policy OIDs, and each OID can be up to 63 bytes in length. You must ensure that at least one of the configured policy OIDs is included in a peer’s certificate or certificate chain. Note that the policy-oids field in a peer’s certificate is optional. If you configure policy OIDs in an IKE policy and the peer’s certificate chain does not contain any policy OIDs, certificate validation for the peer fails.

trusted-ca—Specifies a name for the trusted CA group. At least one CA profile is required to create a trusted CA group. A trusted CA group can contain a maximum of 20 CA profiles. Any CA from a particular group can validate the certificate for a given entity. When requesting a certificate from a peer, specify the preferred CA. You can associate an IKE policy to a single trusted CA profile or a trusted CA group. During certificate validation, the IKE policy will limit itself to the configured group of CAs when establishing a secure connection. Any certificate issued other than the single trusted CA or the trusted CA group is not validated.

  • ca-profile ca-profile-name—Specifies a name for the CA profiles. A CA is an entity that issues digital certificates, which help establish a secure connection between peers through certificate validation.

  • trusted-ca-group trusted-ca-group-name—Specifies a name for the trusted CA group. At least one CA profile is required to create a trusted CA group. A trusted CA group can contain a maximum of 20 CA profiles. Any CA from a particular group can validate the certificate for a given topology.
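The following is an added example, not Junos OS code or part of this reference page: a small Python model of the constraints the options above describe (the forbidden certificate-id characters, the limits on local certificates, policy OIDs and CA profiles, and the rule that a peer chain must carry at least one configured policy OID). The limits and rules are taken from the text; the OID syntax check and the sample inputs are assumptions made for illustration.

```python
import re

# Limits stated in the option descriptions above.
FORBIDDEN_ID_CHARS = set("./% ")   # period, forward slash, percent sign, space
MAX_LOCAL_CERTS = 20
MAX_POLICY_OIDS = 5
MAX_OID_BYTES = 63
MAX_CA_PROFILES = 20
# Assumed dotted-decimal OID form (not specified on the page).
_OID_RE = re.compile(r"^\d+(\.\d+)+$")


def valid_certificate_id(cert_id: str) -> bool:
    """Mirror the commit check: a non-empty id with none of . / % or space."""
    return bool(cert_id) and not (set(cert_id) & FORBIDDEN_ID_CHARS)


def check_local_certificates(cert_ids):
    """Return a list of problems for a local-certificate list (empty means OK)."""
    problems = []
    if len(cert_ids) > MAX_LOCAL_CERTS:
        problems.append(f"{len(cert_ids)} certificates exceeds the limit of {MAX_LOCAL_CERTS}")
    problems += [f"certificate-id {c!r} contains a forbidden character"
                 for c in cert_ids if not valid_certificate_id(c)]
    return problems


def check_policy_oids(oids):
    """Up to five OIDs, each at most 63 bytes, in dotted-decimal form (assumed)."""
    problems = []
    if len(oids) > MAX_POLICY_OIDS:
        problems.append(f"{len(oids)} policy OIDs exceeds the limit of {MAX_POLICY_OIDS}")
    for oid in oids:
        if not _OID_RE.match(oid):
            problems.append(f"policy OID {oid!r} is not dotted-decimal")
        elif len(oid.encode()) > MAX_OID_BYTES:
            problems.append(f"policy OID {oid!r} is longer than {MAX_OID_BYTES} bytes")
    return problems


def check_trusted_ca_group(ca_profiles):
    """A trusted CA group needs at least one and at most 20 CA profiles."""
    if not ca_profiles:
        return ["trusted-ca-group needs at least one ca-profile"]
    if len(ca_profiles) > MAX_CA_PROFILES:
        return [f"{len(ca_profiles)} CA profiles exceeds the limit of {MAX_CA_PROFILES}"]
    return []


def peer_chain_accepted(configured_oids, peer_chain_oids) -> bool:
    """Policy-OID rule: with OIDs configured, at least one must appear in some
    certificate of the peer's chain; a chain with no policy OIDs fails.
    peer_chain_oids is one set of OIDs per certificate in the chain."""
    if not configured_oids:
        return True                      # no OIDs configured: check not applied
    present = set().union(*peer_chain_oids)
    return any(oid in present for oid in configured_oids)
```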

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5. policy-oids option added in Junos OS Release 12.3X48-D10.

Support for trusted-ca option added in Junos OS Release 18.1R1.

Commit check added to prevent specified characters at local-certificate certificate-id in Junos OS Release 19.1R1.

Support for certificate validation using trusted-ca-group in the iked process added in Junos OS Release 26.2R1.

Support for list of multiple local-certificate added in Junos OS Release 26.2R1.