Certificate Authority
Understand how to manage CA.
A CA profile defines every parameter associated with a specific certificate that is used to establish a secure connection between two endpoints. The profile specifies which certificate to use, how to verify the certificate's revocation status, and how that status constrains access.
Certificate Authority Profiles
A CA profile configuration contains information specific to a CA. You can have multiple CA profiles on an SRX Series Firewall. For example, you might have one profile for orgA and one for orgB. Each profile is associated with a CA certificate. If you want to load a new CA certificate without removing the older one, then create a new CA profile (for example, Microsoft-2008).
Starting with Junos OS Release 18.1R1, the CA server can be an IPv6 CA server.
The PKI module supports IPv6 address format to enable the use of SRX Series Firewalls in networks where IPv6 is the only protocol used.
A CA issues digital certificates, which help establish a secure connection between two endpoints through certificate validation. You can group multiple CA profiles in one trusted CA group for a given topology. These certificates are used to establish a connection between two endpoints. To establish IKE or IPsec, both endpoints must trust the same CA. If either endpoint is unable to validate the certificate using its trusted CA (ca-profile) or trusted CA group, the connection is not established. A minimum of one CA profile is mandatory to create a trusted CA group, and a maximum of 20 CAs are allowed in one trusted CA group. Any CA in the group can validate the certificate for that endpoint.
Starting with Junos OS Release 18.1R1, you can validate a configured IKE peer with a specified CA server or group of CA servers. You can create a group of trusted CA servers with the trusted-ca-group configuration statement at the [edit security pki] hierarchy level; you can specify one or multiple CA profiles. The trusted CA server is bound to the IKE policy configuration for the peer at the [edit security ike policy policy certificate] hierarchy level.
If you configure a proxy profile in the CA profile, the device connects to the proxy host instead of the CA server during certificate enrollment, verification, or revocation. The proxy host forwards the device's requests to the CA server and then relays the response back to the device.
The CA proxy profile supports the SCEP, CMPv2, and OCSP protocols.
The CA proxy profile is supported only over HTTP, not over HTTPS.
Configure CA Profiles
A CA profile configuration contains information specific to a CA. You can have multiple CA profiles on an SRX Series Firewall. For example, you might have one profile for orgA and one for orgB. Each profile is associated with a CA certificate. If you want to load a new CA certificate without removing the older one, then create a new CA profile (for example, Microsoft-2008). You can group multiple CA profiles in one trusted CA group for a given topology.
In the following example, you create a CA profile called ca-profile-security with CA identity microsoft-2008. You then attach a proxy profile to the CA profile.
Configure a Trusted CA Group
This section describes how to create a trusted CA group from a list of CA profiles, how to remove a CA profile from a group, and how to delete a trusted CA group.
Create a Trusted CA Group
You can configure and assign a trusted CA group to authorize an entity. When a peer tries to establish a connection with a client, only a certificate issued by a trusted CA of that entity is validated. The device checks whether the issuer of the certificate and the party presenting the certificate belong to the same client network. If they do, the connection is established; if not, the connection is refused.
Before you begin, you must have a list of all the CA profiles you want to add to the trusted group.
In this example, you create three CA profiles named orgA-ca-profile, orgB-ca-profile, and orgC-ca-profile and associate the CA identifiers ca-profile1, ca-profile2, and ca-profile3 with the respective profiles. You then group all three CA profiles into a trusted CA group named orgABC-trusted-ca-group.
You can configure a maximum of 20 CA profiles in a trusted CA group.
To view the CA profiles and the trusted CA groups configured on your device, run the show security pki command.
user@host# show security pki
ca-profile orgA-ca-profile {
    ca-identity ca-profile1;
}
ca-profile orgB-ca-profile {
    ca-identity ca-profile2;
}
ca-profile orgC-ca-profile {
    ca-identity ca-profile3;
}
trusted-ca-group orgABC-trusted-ca-group {
    ca-profiles [ orgA-ca-profile orgB-ca-profile orgC-ca-profile ];
}
The show security pki command displays all the CA profiles that are grouped under orgABC-trusted-ca-group.
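As an added illustration (not part of the Junos documentation or the Junos code base), the following Python parses the show security pki listing above and checks the trusted-ca-group rules this page states: at least one CA profile per group, at most 20, and every member must be a configured ca-profile. It also mirrors the effect of deleting a CA profile, as in the sections that follow. The sample text is constructed to match the listing above, not captured from a device.

```python
import re

# Constructed sample modelled on the show security pki listing above (not captured from a device).
SAMPLE_OUTPUT = """\
ca-profile orgA-ca-profile {
    ca-identity ca-profile1;
}
ca-profile orgB-ca-profile {
    ca-identity ca-profile2;
}
ca-profile orgC-ca-profile {
    ca-identity ca-profile3;
}
trusted-ca-group orgABC-trusted-ca-group {
    ca-profiles [ orgA-ca-profile orgB-ca-profile orgC-ca-profile ];
}
"""

MAX_PROFILES_PER_GROUP = 20  # limit stated on this page for one trusted CA group


def parse_pki(text):
    """Return ({ca-profile: ca-identity}, {trusted-ca-group: [member ca-profiles]})."""
    profiles = dict(re.findall(r"^ca-profile (\S+) \{\s*ca-identity (\S+);", text, re.M))
    groups = {
        name: members.split()
        for name, members in re.findall(
            r"^trusted-ca-group (\S+) \{\s*ca-profiles \[([^\]]*)\];", text, re.M)
    }
    return profiles, groups


def check_groups(profiles, groups):
    """List violations: empty group, more than 20 members, member that is not a ca-profile."""
    problems = []
    for group, members in groups.items():
        if not members:
            problems.append(f"{group}: needs at least one CA profile")
        if len(members) > MAX_PROFILES_PER_GROUP:
            problems.append(f"{group}: {len(members)} members exceeds {MAX_PROFILES_PER_GROUP}")
        for member in members:
            if member not in profiles:
                problems.append(f"{group}: {member} is not a configured ca-profile")
    return problems


def remove_profile(profiles, groups, name):
    """Model deleting a ca-profile: drop it and remove it from every trusted CA group."""
    profiles = {k: v for k, v in profiles.items() if k != name}
    groups = {g: [m for m in ms if m != name] for g, ms in groups.items()}
    return profiles, groups
```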
Delete a CA Profile from a Trusted CA Group
You can delete a specific CA profile from a trusted CA group. For example, suppose you delete the CA profile named orgC-ca-profile from the trusted CA group orgABC-trusted-ca-group configured on your device as shown in the Configure a Trusted CA Group topic. To confirm that orgC-ca-profile has been removed from orgABC-trusted-ca-group, run the show security pki command.
user@host# show security pki
ca-profile orgA-ca-profile {
    ca-identity ca-profile1;
}
ca-profile orgB-ca-profile {
    ca-identity ca-profile2;
}
trusted-ca-group orgABC-trusted-ca-group {
    ca-profiles [ orgA-ca-profile orgB-ca-profile ];
}
The output no longer displays orgC-ca-profile because it has been deleted from the trusted CA group.
Delete a Trusted CA Group
An entity can have many trusted CA groups, and you can delete any trusted CA group from an entity. For example, suppose you delete the trusted CA group named orgABC-trusted-ca-group configured on your device as shown in the Configure a Trusted CA Group topic. To confirm that orgABC-trusted-ca-group has been deleted from the entity, run the show security pki command.
user@host# show security pki
ca-profile orgA-ca-profile {
    ca-identity ca-profile1;
}
ca-profile orgB-ca-profile {
    ca-identity ca-profile2;
}
The output no longer displays orgABC-trusted-ca-group because it has been deleted from the entity.
Example: Configure a CA Profile
This example shows how to configure a CA profile.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you create a CA profile called ca-profile-ipsec with CA identity microsoft-2008. You then attach a proxy profile to the CA profile. The configuration specifies that the CRL be refreshed every 48 hours and that the CRL be retrieved from http://www.my-ca.com. Within the example, you set the enrollment retry value to 20. (The default retry value is 10.)
Automatic certificate polling is set to every 30 minutes. If you configure retry without configuring a retry interval, the default retry interval is 900 seconds (15 minutes). If you configure neither retry nor a retry interval, there is no polling.
Configuration
Procedure
Step-by-Step Procedure
To configure a CA profile:
Create a CA profile.
[edit] user@host# set security pki ca-profile ca-profile-ipsec ca-identity microsoft-2008
Optionally, attach a proxy profile to the CA profile.
[edit] user@host# set security pki ca-profile ca-profile-ipsec proxy-profile px-profile
PKI uses a proxy profile configured at the system level. You must configure the proxy profile referenced by the CA profile at the [edit services proxy] hierarchy. You can configure more than one proxy profile under the [edit services proxy] hierarchy; each CA profile refers to at most one of them. You configure the host and port of the proxy profile at the [edit system services proxy] hierarchy.
Create a revocation check to specify a method for checking certificate revocation. The revocation-check statement is a sibling of ca-identity under the CA profile, so it is configured directly under ca-profile ca-profile-ipsec.
[edit] user@host# set security pki ca-profile ca-profile-ipsec revocation-check crl
Set the refresh interval, in hours, to specify how often the CRL is updated, and set the URL from which the CRL is retrieved. If no refresh interval is configured, the default is the next-update time in the CRL, or 1 week if the CRL specifies no next-update time.
[edit] user@host# set security pki ca-profile ca-profile-ipsec revocation-check crl refresh-interval 48
[edit] user@host# set security pki ca-profile ca-profile-ipsec revocation-check crl url http://www.my-ca.com/my-crl.crl
Specify the enrollment retry value.
[edit] user@host# set security pki ca-profile ca-profile-ipsec enrollment retry 20
Specify the time interval, in seconds, between attempts to automatically enroll the CA certificate online.
[edit] user@host# set security pki ca-profile ca-profile-ipsec enrollment retry-interval 1800
If you are done configuring the device, commit the configuration.
[edit] user@host# commit
Verification
To verify that the configuration is working properly, enter the show security pki command.
Example: Configure an IPv6 Address as the Source Address for a CA Profile
This example shows how to configure an IPv6 address as the source address for a CA profile.
No special configuration beyond device initialization is required before configuring this feature.
In this example, you create a CA profile called orgA-ca-profile with CA identity v6-ca and set the source address of the CA profile to an IPv6 address, such as 2001:db8:0:f101::1. You can configure the enrollment URL to accept an IPv6 address, for example http://[2002:db8:0:f101::1]:/.../.