Update a Certificate
Read this topic to understand and configure dynamic update of default trusted CA certificates on your Junos OS devices.
Dynamic Update of Trusted CA Certificates
A Junos OS device provides a list of default trusted CA certificates. The Junos OS device manages these certificates dynamically. You can also create a custom list of trusted CA certificates and load CA certificates into the device. But you must manage the custom trusted CA certificates manually. This section focuses on dynamic management of default trusted CA certificates.
With dynamic update of the default trusted CA bundle:
- Removal of a CA in the event of compromise is taken care of automatically.
- Addition of a new CA to the default trusted CA bundle is immediate, without having to wait for a new Junos OS release.
Processes Involved in Dynamic Update of Trusted CA Bundle
Dynamic update of the default trusted CA bundle involves the following processes:
- The Juniper CDN server (http://signatures.juniper.net/cacert) hosts the default trusted CA certificates.
- The server hosts a signed copy of the target file and the manifest file, along with the EE certificate used to verify the signed copy of these files. The target file contains the list of default trusted CA certificates (default-trusted-ca-certs). The manifest file contains the revision number and date of the default trusted CA bundle.
- Junos OS devices automatically download the trusted CA bundle by default. You can use either the default or a non-default routing instance to connect to the Internet to download and update the default trusted CA certificates.
- The PKI process (PKID) securely downloads the default trusted CA bundle (default-trusted-ca-certs) from the CDN server to the device. The dynamic update of trusted CA certificates does not change any previously loaded ca-profile-group, manually added CA certificates, or certificates that are part of other trusted groups.
- Once you issue the ca-profile-group load command, the PKI process loads the default trusted CA certificates in the background, unblocking the CLI so that you can proceed with other tasks.
- If no ca-profile-group is associated with default-trusted-ca-certs, PKI still downloads the latest copy of the trusted CA bundle to the device with each periodic poll.
- If a CA certificate is deleted from the default trusted CA list, the PKI process ensures that all references to the CA certificate are removed. If any references are present in the trusted-ca-group, the PKI process only holds references to ca-profile names whose actual CA certificates have already been deleted. See Configure Dynamic Update of Trusted CA Certificates.
- By default, the PKI process polls the CDN server every 24 hours for the latest default trusted CA bundle and updates the list for any changes to the trusted CAs in the bundle. If there are any changes, the PKI process loads them in the background. You can optionally change the polling interval and also disable this auto-update process. See Configure Dynamic Update of Trusted CA Certificates.
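Each poll may deliver a new bundle revision that drops a compromised CA or adds a new one, and an operator usually wants to know exactly which CAs changed rather than only the new revision number. The following script is an added example for this page, not Juniper's code and not the format of any Juniper file: it parses two PEM-format trust bundle revisions, identifies each certificate by the SHA-256 fingerprint of its DER encoding, and reports what was added and removed. The two sample bundles are constructed placeholders built from tiny DER-shaped blobs, not real certificates; with a real bundle you would feed it the PEM file of the previous and current download.

```python
"""Audit what changed between two revisions of a PEM trust bundle, such as
two downloads of default-trusted-ca-certs.

Added example for this page, not Juniper's code. The bundles below are
constructed placeholders: the payloads are tiny DER-shaped blobs, not real
certificates, so the parsing and diffing can be exercised offline.
"""
import base64
import hashlib
import re

# One PEM certificate block; DOTALL so the body may span many lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding, the usual way to identify a CA certificate."""
    return hashlib.sha256(der).hexdigest()


def parse_pem_bundle(text: str) -> dict:
    """Map SHA-256 fingerprint -> DER bytes for every certificate in the bundle.

    Rejects a block whose base64 is malformed or whose DER does not begin
    with the ASN.1 SEQUENCE tag (0x30) that every X.509 certificate starts
    with. Duplicate certificates collapse to a single entry. CRLF line
    endings and indentation are tolerated because all whitespace is stripped.
    """
    certs = {}
    for index, body in enumerate(PEM_BLOCK.findall(text)):
        compact = re.sub(r"\s+", "", body)
        try:
            # validate=True rejects characters outside the base64 alphabet
            der = base64.b64decode(compact, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"certificate block {index}: bad base64 ({exc})") from None
        if not der or der[0] != 0x30:
            raise ValueError(f"certificate block {index}: not a DER SEQUENCE")
        certs[fingerprint(der)] = der
    return certs


def diff_bundles(old_text: str, new_text: str) -> dict:
    """Report fingerprints added, removed and retained between two revisions."""
    old = parse_pem_bundle(old_text)
    new = parse_pem_bundle(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "unchanged": sorted(set(old) & set(new)),
    }


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM block (used here only to build the sample bundles)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed placeholder "certificates": a minimal DER SEQUENCE wrapping one
# INTEGER. They are not real X.509 certificates.
CERT_A = b"\x30\x03\x02\x01\x01"
CERT_B = b"\x30\x03\x02\x01\x02"
CERT_C = b"\x30\x03\x02\x01\x03"
CERT_D = b"\x30\x03\x02\x01\x04"

# Revision 1 of the bundle holds A, B and C. Revision 2 drops B (as a bundle
# update would after a CA compromise) and adds D; it also uses CRLF endings.
OLD_BUNDLE = to_pem(CERT_A) + to_pem(CERT_B) + to_pem(CERT_C)
NEW_BUNDLE = (to_pem(CERT_A) + to_pem(CERT_C) + to_pem(CERT_D)).replace("\n", "\r\n")


def report(old_text: str, new_text: str) -> str:
    """Human-readable change summary for an operator or a change ticket."""
    changes = diff_bundles(old_text, new_text)
    lines = [f"{len(changes['unchanged'])} CA(s) unchanged"]
    lines += [f"ADDED   {fp}" for fp in changes["added"]]
    lines += [f"REMOVED {fp}" for fp in changes["removed"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(OLD_BUNDLE, NEW_BUNDLE))
```

The script deliberately fails closed: a block that is not valid base64 or whose DER does not start with a SEQUENCE raises rather than being silently skipped, because a truncated or corrupted bundle is exactly the case where a trust-store audit must not report "no change".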
Configure Dynamic Update of Trusted CA Certificates
Prerequisites
Before you configure the dynamic update of default trusted CA certificates, ensure that you meet the following prerequisites:
- Basic configuration of the Junos OS device is completed.
- Your Junos OS device can reach the Juniper CDN server. You can also use a nondefault routing instance to connect to the Internet to download the default trusted CA certificates. Ensure that you configure the nondefault routing instance before you configure the dynamic update of trusted CA certificates. Contact Juniper sales for Juniper CDN server details.
- For a custom CDN server, ensure that you have the latest CA certificates and the URL. Configuration of the custom CDN server is out of scope for this topic.
Based on your requirements, navigate to the following tasks to configure the dynamic update of the default trusted CA bundle.
- Check Connectivity to the CDN Server
- Enable Automatic Download of Default Trusted CA Certificates
- Download Default Trusted CA Certificates Automatically
- Download Default Trusted CA Certificates Manually
- Check the Download Status of Default Trusted CA Certificates
- Deactivate Automatic Download of Trusted CA Certificates
Check Connectivity to the CDN Server
Overview
Use the following command to check connectivity to the CDN server to download the default trusted CA certificates. This command downloads the manifest file and displays the trusted-ca-bundle version available in the CDN server.
See request security pki ca-certificate ca-profile-group default-trusted-ca-certs for details about the command.
Configuration
- To check connectivity to the CDN server from operational mode on the Junos OS device, issue the following command:
  user@host> request security pki ca-certificate ca-profile-group default-trusted-ca-certs download check-server
Enable Automatic Download of Default Trusted CA Certificates
Overview
Juniper Networks regularly updates the default trusted CA certificates on the Juniper CDN server and you can download the certificates on the Junos OS device. Automatic download of default trusted CA certificates is enabled by default on the Junos OS device. You can customize the configuration and load the latest default trusted CA certificates at specified intervals. The default periodicity is 24 hours when you don’t specify a value. When you use the default Juniper CDN Server (http://signatures.juniper.net/cacert), no separate configuration is needed.
This example shows how to enable automatic download of default trusted CA certificates on a Junos OS device using the default configuration settings. See default-trusted-ca-certs (Security) for details about the configuration statement. Downloaded default trusted CA certificates are automatically loaded in the background using the request security pki ca-certificate ca-profile-group load command. You don't have to run this command explicitly to load the certificates.
Configuration
As automatic download of default trusted CA certificates is enabled by default, no separate configuration is needed.
Download Default Trusted CA Certificates Automatically
Overview
In this example, you provide the following custom configuration for automatic download of the default trusted CA certificates:
- Configure the Junos OS device to download and install the default trusted CA certificates every 48 hours.
- Specify the custom CDN server reachable through the URL signatures.example.net.
- Specify the nondefault routing instance used to reach the CDN server.
See default-trusted-ca-certs (Security) for details about the configuration statement.
Configuration
- Set the periodicity of the download and load operations to 48 hours. The CLI automatically loads the certificates into the Junos OS device.
  [edit]
  user@host# set security pki default-trusted-ca-certs automatic-download interval hours 48
- Specify the custom URL.
  [edit]
  user@host# set security pki default-trusted-ca-certs automatic-download url signatures.example.net
- Specify the routing instance.
  [edit]
  user@host# set security pki default-trusted-ca-certs automatic-download routing-instance RI1
- Commit the configuration.
  [edit]
  user@host# commit
Download Default Trusted CA Certificates Manually
Overview
Use the following command to manually download default trusted CA certificates to the Junos OS device from the CDN server. This command is in addition to the automatic download of the default trusted CA certificates at regular intervals.
See request security pki ca-certificate ca-profile-group default-trusted-ca-certs for details about the command.
Configuration
- To explicitly download the default trusted CA certificates from operational mode on the Junos OS device, issue the following command:
  user@host> request security pki ca-certificate ca-profile-group default-trusted-ca-certs download
Check the Download Status of Default Trusted CA Certificates
Overview
Use the following commands to check the download status of default trusted CA certificates on the Junos OS device from the CDN server. These commands display the version number and version date. You can use them to check the previous downloaded version and date.
See request security pki ca-certificate ca-profile-group default-trusted-ca-certs for details about the command.
Configuration
- To check the version number and version date available on the Junos OS device, issue the following command:
  user@host> request security pki ca-certificate ca-profile-group default-trusted-ca-certs download status
- To load the default trusted CA certificates, issue the following command:
  user@host> request security pki ca-certificate ca-profile-group load ca-group-name default-trusted-ca-certs filename default
Deactivate Automatic Download of Trusted CA Certificates
Overview
Automatic download is enabled by default. This example shows how to deactivate the automatic download of default trusted CA certificates, although we don't recommend doing it.
See default-trusted-ca-certs (Security) for details about the configuration statement.
Configuration
- To deactivate automatic download of default trusted CA certificates, use the following command:
  [edit]
  user@host# set security pki default-trusted-ca-certs automatic-download deactivate
- Commit the configuration.
  [edit]
  user@host# commit