PKI in Junos OS

Learn about the Junos OS applications that require PKI and the basic elements of PKI.

PKI Applications Overview

Junos OS uses public and private keys in the following areas:

  • SSH and SCP for secure CLI-based administration

  • SSL for secure Web-based administration and for https-based webauth for user authentication

  • IKE for IPsec VPN tunnels

Note the following points:

  • Currently, IKE is the only one of these applications for which Junos OS supports PKI certificates for public key validation.

  • SSH and SCP are used exclusively for system administration. For them, Junos OS relies on out-of-band (OOB) fingerprints for public key identity binding and validation rather than on certificates.

Basic Elements of PKI in Junos OS

Junos OS supports three specific types of PKI objects.

Table 1: Elements of PKI in Junos OS

Private and public keypair

A private and public key pair is a fundamental component used for secure communication.

  • Public Key: The public key is used to encrypt data. It is published and can be shared with others without compromising security. Data encrypted with the public key can only be decrypted using the corresponding private key.

  • Private Key: The private key is used to decrypt data that was encrypted with the public key. It is kept secret and should not be shared with anyone.

By using private and public key pairs, Juniper Networks devices can establish secure connections and protect data transferred over public networks.

Certificates

  • Local certificate—The local certificate contains the public key and identity information for the Juniper Networks device. The Juniper Networks device owns the associated private key. This certificate is generated based on a certificate request from the device.

  • Pending certificate—A pending certificate contains a keypair and identity information that is generated into a PKCS10 certificate request and manually sent to a CA. While the Juniper Networks device waits for the certificate from the CA, the existing object (keypair and the certificate request) is tagged as a certificate request or pending certificate.

  • CA certificate—When the certificate is issued by the CA and loaded into the Junos OS device, the pending certificate is replaced by the newly generated local certificate. All other certificates loaded into the device are considered CA certificates.

Certificate Revocation List (CRL)

A CRL in PKI is a time-stamped list of digital certificates that have been revoked by a CA. This list is signed by the CA and made available to participating peers on a regular periodic basis. In Junos OS, you can configure CRLs to ensure that certificates are not used if they have been revoked.

Certificates

Note the following points about certificates:

  • Local certificates are generally used when a Junos OS device has VPNs in more than one administrative domain.

  • All PKI objects are stored in a separate partition of persistent memory, apart from the Junos OS image and the system’s general configuration.

  • Each PKI object has a unique name or certificate ID given to it when it is created and maintains this ID until its deletion. You can view the certificate ID by using the show security pki local-certificate command.

  • A certificate cannot be copied from a device under most circumstances. The private key on a device must be generated on that device only, and it should never be viewed or saved from that device. For this reason, PKCS12 files (which bundle a certificate with its public key and the associated private key) are not supported on Junos OS devices.

  • CA certificates are used to validate the certificates received from the IKE peer. If a peer certificate is valid, it is then checked against the CRL to determine whether it has been revoked.

    Each CA certificate includes a CA profile configuration that stores the following information:

    • CA identity, which is typically the domain name of the CA

    • E-mail address for sending the certificate requests directly to the CA

    • Revocation settings:

      • Option to enable or disable revocation checks

      • Option to disable the revocation check if the CRL download fails

      • Location of the CRL distribution point (CDP), for manually setting the CRL URL

      • CRL refresh interval
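The CA profile settings listed above correspond to statements in the ca-profile configuration hierarchy. The following is an added example, not taken from this page or from Juniper: the profile names, CA identity, e-mail address and CDP URL are placeholders, and the statement names are assumed from standard Junos security pki syntax. It shows a profile that keeps revocation checking on and rejects a peer certificate when the CRL cannot be fetched, beside the two settings that weaken that check.

```junos
security {
    pki {
        /* Strict profile: revocation checking is on, the CDP URL is set
           manually, and the CRL is refreshed every 24 hours. Without
           "disable on-download-failure", a failed CRL download causes
           certificate validation to fail. */
        ca-profile CA-STRICT {                          /* placeholder profile name */
            ca-identity ca.example.net;                 /* CA identity, typically the CA's domain name */
            administrator {
                email-address "pki-admin@example.net";  /* placeholder; address used to mail the PKCS10 request */
            }
            revocation-check {
                crl {
                    url http://crl.example.net/ca.crl;  /* placeholder CDP location */
                    refresh-interval 24;                /* CRL refresh interval in hours */
                }
            }
        }
        /* Weakened profile 1: no revocation check at all, so a revoked
           peer certificate that is otherwise valid is accepted. */
        ca-profile CA-NO-REVOCATION {
            ca-identity ca.example.net;
            revocation-check {
                disable;
            }
        }
        /* Weakened profile 2: the check is skipped whenever the CRL
           cannot be downloaded, so an unreachable CDP means a revoked
           certificate is accepted. */
        ca-profile CA-FAIL-OPEN {
            ca-identity ca.example.net;
            revocation-check {
                crl {
                    url http://crl.example.net/ca.crl;
                    disable on-download-failure;
                }
            }
        }
    }
}
```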