Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Appendix B: Administering Common Certificate Authorities

This topic provides some basic concepts and examples of administrative procedures using a Microsoft certificate authority (CA) and an open source CA from OpenSSL. This information may help you to work with the administrator to enroll and use certificates on a Junos OS device.

The choice of CA depends on whether you want a standalone CA solution or will rely on a third party such as Verisign; this topic assumes that you want a standalone server for which you will be the CA administrator.

This topic includes the following sections:

Certificate Authorities Overview

Juniper Networks supports the following vendors of CA:

  • Verisign

  • Entrust

  • Microsoft Win2000 Advanced Server


Although Juniper Networks does not support the Open source code from OpenSSL officially, you can use it with Junos OS if set up properly.

Microsoft Windows 2000 Certificate Authority

The Microsoft CA, provided on Windows 2000 advanced server, provides CA services through a web interface, including support for a CRL Distribution Point (CDP). Microsoft also supports a patch to activate Simple Certificate Enrollment Protocol (SCEP). Microsoft does not support OCSP.

  1. In your Web browser, type the Web address http://<host.domain>/certsrv. where <host.domain> is the IP address of Microsoft CA server.

    The initial welcome page is displayed, as shown in Figure 1.

    Figure 1: Downloading Microsoft CA Certificate—Initial Welcome PageDownloading Microsoft CA Certificate—Initial Welcome Page
  2. Select Retrieve the CA certificate or certificate revocation list and click Next.

    The Retrieve the CA Certificate or Certificate Revocation List page is displayed.

  3. Select the CA you want to use, and then click Download CA certificate, as shown in Figure 2.

    Figure 2: Retrieve the CA Certificate or Certificate Revocation List Retrieve the CA Certificate or Certificate Revocation List

    A pop-up window appears that allows you to choose the location in which to save the certificate. Choose a location on your local file system and save the certificate with a .cer extension (for example, certnew.cer).

  4. Select the Download latest certificate revocation list option on the Retrieve The CA Certificate or Certificate Revocation List page, as shown in Figure 3.

    Figure 3: Download Latest Certificate Revocation ListDownload Latest Certificate Revocation List

    A pop-up window appears that allows you to choose the location in which to save the CRL. Choose a location on your local file system, and save the CRL with a .crl extension (for example, certcrl.crl).

  5. Return to the initial Welcome screen to request a certificate. Select Request a Certificate and click Next, as shown in Figure 4.

    Figure 4: Request CertificateRequest Certificate
  6. On the Choose Request Type page, select the Advanced request option, as shown in Figure 5.

    Figure 5: Select Advanced RequestSelect Advanced Request
  7. On the Advanced Certificate Requests page, select the PKCS #10 option, as shown in Figure 6.

    Figure 6: Advanced Certificate Requests Advanced Certificate Requests
  8. On the Submit a Saved Request page, you can paste a copy of the certificate request into the page, as shown in Figure 7, and click Submit.

    Figure 7: Submit a Saved RequestSubmit a Saved Request

    If the CA setup is configured to issue certificates automatically, then the Certificate Issued window is displayed as shown in Figure 8.

  9. Click Download CA certificate to download your new local certificate, as shown in Figure 8.

    Figure 8: Download New Local CertificateDownload New Local Certificate

    In Figure 8, the downloaded certificate is your local Junos OS device certificate; not a CA certificate, as appears on the screen.

    If the CA is not configured to issue certificates automatically, then you or a CA administrator must manually authorize the certificate request and generate the certificate.

    To retrieve a certificate that an administrator has issued, you can return to the Microsoft CA home page (http://servername/certsrv).

  10. On the Microsoft CA home page, click Check on a Pending Certificate.

    If the certificate has been issued, the Certificate Issued Web page appears. From here you can view the certificates.

  11. Double-click the .cer file, and then click the Details tab to see all the certificate fields and their values, as shown in Figure 9.

    Figure 9: View Certificate DetailsView Certificate Details
  12. On the Details tab, validate the SubjectAlternativeName field for a certificate. Ensure that the SubjectAlternativeName includes the IKE ID types and values that are used in the Junos OS device IKE gateway definition, as shown in Figure 10.

    Figure 10: Validate SubjectAlternativeName ValuesValidate SubjectAlternativeName Values
  13. On the Details tab, you can also check the availability of a CDP. Figure 11 shows the CDP field and value. Ensure that the hostname can be identified and reached by the Junos OS device.

    Figure 11: View CDP Field and ValueView CDP Field and Value
  14. View certificate revocation list (CRL) information on the Certificate Revocation List Information screen, as shown in Figure 12.

    Figure 12: View Certificate Revocation List Information View Certificate Revocation List Information

OpenSSL CA Overview

The OpenSSL code available at provides free and simple command-line functionality to use in certificate authorization applications. GUI or Web interface support is not available in this functionality. All input (for example, p10 certificate requests) and all output (signed certificates and certificate revocation lists [CRLs]) are usually available in Privacy-Enhanced Mail (PEM)-encoded format.

To use OpenSSL, download and install the openssl.exe executable and perform the one-time CA setup. Here is an example using a Windows system:

  1. Create a working directory, and use the cd command to make sure that you are in your home directory.

  2. Copy the openssl.exe and openssl.cfg files to the home directory.

    To view a sample copy of the openssl.cfg file, see OpenSSL.cfg File Sample.

  3. From the working directory, create some additional subdirectories as shown below:

    mkdir demoCA

    mkdir demoCA\private

    openssl req -x509 -newkey rsa:1024 -keyout demoCA\private\key.pem \out demoCA\ca-cert.pem -config openssl.cfg

  4. Download the ca-cert.pem file into the Junos OS device as the certificate authority (CA) certificate.

  5. Set up a "database" for the certificates that will be generated by this CA.

    mkdir demoCA\certstore

    echo 01 > demoCA\

  6. Create a new but empty file called index.txt in the demoCA directory.

    edit demoCA\index.txt

  7. Save and exit the application.

    The CA is now initialized.

This procedure provides information about setting the basic configuration items and certificate request for each Junos OS device that needs a certificate:

  1. When a PKCS10 file is generated, save that certificate request into a file called jsNAME.pkcs10.

  2. Go to the OpenSSL CA's working directory (the parent directory of the demoCA subdirectory created earlier) to sign the certificate request (PKCS10 file) generated by the Junos OS device.

  3. Although the SubjectAlternativeName field information is in the Junos OS device's PKCS10 certificate request, the OpenSSL CA cannot sign it as it is. The OpenSSL server may attempt to strip that part out of the certificate request. To have the certificate populated with a SubjectAlternativeName field, you must edit a setting in the openssl.cfg file itself. However, that file must be modified for every certificate you sign. Use the step below to edit the openssl.cfg file:

    edit openssl.cfg

  4. Search for the SubjectAltName field. Reset the SubjectAltName field to the correct value for the particular Junos OS device certificate you are about to sign. For example:

  5. To create and sign the certificate, issue the command below, assuming

    • The certificate request from the Junos OS device is available in — jsNAME.pkcs10

    • The generated certificate will be stored in jsNAME.cer

    openssl ca -config openssl.cfg -in jsNAME.pkcs10 -out jsNAME.cer

    The Junos OS device's local certificate is now generated as the jsNAME.cer file and can be loaded into the Junos OS device. A copy of this certificate is also created in the demoCA\certstore subdirectory with a name of NN.pem where NN is the serial number of this certificate.


    This certificate is in PEM format. To view the certificate with the Microsoft certificate viewer, the certificate needs to be converted to the DER encoding format by editing the jsNAME.cer file. Delete everything except the ----BEGIN/END certificate--- lines and all the data between those lines. This allows Microsoft Windows to decode the file properly to display its contents. The OpenSSL CLI can also convert the PEM-encoded certificate to DER encoding. See the OpenSSL documentation for details.

To revoke a certificate and generate a new CRL:

  1. Find the serial number of the certificate. For example, to revoke a certificate with serial number 01, use the command below:

    openssl ca -config openssl.cfg -revoke demoCA\certstore\01.pem

  2. If you encounter an error, then you can manually move the file by using the following command:

    mv demoCA\ demoCA\index.txt

  3. Next, generate the new CRL as shown below:

    openssl ca -config openssl.cfg -gencrl -out crl.crl

    The crl.crl file can now be loaded onto the Junos OS device. Load the CA certificate, CRL, and local certificate following the same steps as described in this document.

OpenSSL.cfg File Sample

A sample of an OpenSSL.cfg file is shown below: