Appendix A: Frequently Asked Questions
Does Juniper Networks provide a CA with its products?
No. If you want to use a public key infrastructure (PKI), you must obtain third-party certificate authority (CA) software to implement the PKI or use a service such as Verisign.
What version of X.509 certificates are supported (V1 or V3)?
Juniper Networks supports both versions of X.509 certificates. However, you must use V3 if you want to use the SubjectAlternativeName extension field for a non-DN (distinguished name) Internet Key Exchange (IKE) ID type (for example, IP address, e-mail address, or fully qualified domain name [FQDN]).
Does the Junos OS device support multiple certificates?
Yes, the Junos OS device can generate multiple key pairs, and multiple certificate requests, and have multiple local certificates loaded. The specific quantity of certificates depends on the particular platform.
Can the Junos OS device use the same DN for different local certificates?
Junos OS does not support multiple local certificates with the same subject (DN) name on a single device. Therefore, we recommend using a separate subject name for every key pair to avoid confusion. Some CAs also have limitations on supporting multiple key pairs for the same subject name.
Can the Junos OS device auto-generate common name (CN) field values such as an FQDN and serial number in the DN?
The Junos OS device does not auto-generate CN values such as an FQDN and serial number. The FQDN or any other CN values must be specified during the certificate request procedure.
Does the Junos OS device support a hierarchical certificate authority (CA) chain?
No.
Does Juniper Networks support PKCS10 for certificate requests?
Yes, PKCS10 certificate requests can be generated by the Junos OS device. These certificate requests can be copied using the command-line interface (CLI), sent through e-mail, or uploaded to an FTP server.
Does Juniper Networks support PKCS12 certificate packages?
No, the Junos OS device does not accept a PKCS12 file. The Junos OS device must generate its own private key. Also, a Junos OS device does not generate a PKCS12 file for exporting its private/public keys and certificate. This approach provides more protection and reduces the possibility that someone could steal a device's keys and thereby impersonate that device.
Does the private key ever leave the Junos OS device?
No, but in future Junos OS Releases, the private key may be copied from the active to the backup unit of a device if that device is part of chassis clustering or a Junos OS Services Redundancy Protocol (JSRP) pair as an RTO (run-time object).
What special characters should I avoid?
Junos OS accepts printable strings; the comma is used as the delimiter between DN components. Reserved characters cannot be used inside attribute values. Also, names containing an underscore (_) can cause problems.
What RFC does Juniper Networks support for public key infrastructure (PKI)?
Juniper Networks supports RFC 3280. Junos OS also has all the required security features of RFC 2459 (the predecessor of RFC 3280).
What are the PKI objects stored in flash and run-time memory?
Certificate authority (CA) certificate, CA certificate revocation list (CRL), CA profile configuration, local key pair, and local certificate or pending certificate.
How are these PKI objects related?
Each CA certificate typically uses three objects (CA certificate, CRL, and CA profile configuration). Each local certificate uses two objects (certificate and key pair). A pending certificate is a PKCS10 file that has been generated and sent to a CA. When the signed certificate from the CA is installed, the pending certificate object is replaced with the local certificate.
What are average sizes for PKI objects?
Average sizes of items:
CRLs vary, depending on how many certificates a particular CA has revoked: from a minimum of 300 bytes to a maximum of 5 MB.
Certificates average 2 KB each.
Key pairs average 1 KB each.
CA profile configurations average 500 bytes each.
What is the maximum size of a CRL?
The maximum size supported in Junos OS Release 8.5 is 5 MB.
How do you disable CRL checking?
CRL checking is configurable per CA profile.
The command syntax for disabling CRL checking is:
set security pki ca-profile ca-profile-name revocation-check disable
(where ca-profile-name is the name of the CA profile), followed by commit.
Why does the Junos OS device not use or support two sets of keys for a virtual private network (VPN)?
In general, when setting up a PKI for e-mail and file encryption and signing, you should use two sets of keys: one for signing and one for encryption, because encrypted material may have to be decrypted long after the signing key has been rotated. A VPN does not need the second set. In IPsec, the RSA key pair is used only to authenticate the IKE exchange (it signs the IKE authentication payload); the session keys that actually encrypt traffic are derived from the Diffie-Hellman exchange and are never encrypted with, or recoverable from, the RSA key. So there is no long-term encrypted material for a second key pair to protect.
Does Juniper Networks support CA cross-certification? In other words, if one Junos OS device uses a certificate from one root CA, and another Junos OS device uses a certificate from a different root CA, are they cross certified? Can these two certificates validate each other's certificates and form the VPN tunnel properly?
Yes, it can be done by using the PKCS7 certificate type. Using cross-certification, you can form a full certificate path to the root certificate stored locally.
Which certificate formats does Junos OS support?
Junos OS follows the PKI profile described in RFC 3280 and supports:
Installation of end-entity (EE) or CA certificate
Encodings: X.509 or PKCS7, in DER or PEM format
Compatibility with X.509 v3 and handling of the extensions defined in RFC 3280.
Does Junos OS support chassis clustering (high availability) for PKI certificates?
Junos OS Release 8.5 does not support high availability (HA) or JSRP with PKI. Future releases may support the transferring of a device key pair and local certificates between two HA peers. Check release notes for upcoming releases to see whether this is supported in releases later than 8.5.
How is the public key of a key pair bound to a certificate request?
When generating a new key pair, a certificate-ID must be specified. This certificate-ID is also used for the certificate request and again when the local certificate is loaded. To completely delete a certificate request and key pair, use the clear security pki operational mode command. Two clear operations are needed: one to clear the certificate request and another to clear the key pair.
When deleting a certificate request and key pair, why does the software not delete both the certificate and the key pair at the same time?
Some administrators prefer the ability to keep the same key pair and use a new certificate with them. This allows deletion of the old certificate without destroying the old key pair.
Does Junos OS support Digital Signature Algorithm (DSA) keys?
No, only RSA keys are supported.
Is Junos OS ICSA certified?
No. However, Juniper Networks ScreenOS products are certified for version 1.2.
For more information regarding ICSA certification, see the ICSA Labs website at http://www.icsalabs.com/.
Is OCSP supported for revocation checking?
No.
Are there special characters to consider when doing PKI?
Yes, the comma (,) is a special character in an ASN.1 DN: it delimits the components of the name.
The UTF-8 encoded string should not have any of the following characters:
A space or pound (#) character occurring at the beginning of the string
A space character occurring at the end of the string
The comma (,), plus (+), double quote ("), backslash (\), less than or left angle bracket (<), greater than or right angle bracket (>), or semicolon (;)
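The character rules above, together with the one-subject-per-device limit and the underscore caveat from the earlier answers, as a pre-flight check that a proposed subject DN passes before it goes into a certificate request. This is an added example written in Python, not Junos OS code. The sample subjects are constructed; the requirement that a CN be present follows the earlier answer that CN values must be given explicitly; and the case-insensitive comparison used to detect a duplicate subject is an assumption about how Junos OS compares subject names, chosen to be conservative.

```python
"""Pre-flight check for a subject DN destined for a Junos PKI certificate request.

Added example, not Junos code. Rules encoded (from the FAQ):
  * the comma delimits RDNs in a DN string;
  * inside a UTF-8 attribute value avoid a leading space or '#', a trailing
    space, and any of  , + " \\ < > ;  (RFC 4514 lets you escape them, but the
    FAQ's advice is simply to avoid them);
  * only one local certificate per subject on a device;
  * names containing '_' can cause problems (reported as a warning).
"""
from __future__ import annotations

# Characters the FAQ says to keep out of an attribute value.
RESERVED_CHARS = frozenset(',+"\\<>;')


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN string into (attribute, value) pairs at unescaped commas.

    A backslash escapes the next character, so 'O=Acme\\, Inc' stays one RDN.
    The escape sequence is kept in the value so check_value() still sees it.
    """
    rdns: list[str] = []
    cur: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i : i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))

    pairs: list[tuple[str, str]] = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = rdn.split("=", 1)
        # Attribute types are case-insensitive; the value is left untouched so
        # leading/trailing spaces are detected rather than silently stripped.
        pairs.append((attr.strip().upper(), value))
    return pairs


def check_value(value: str) -> list[str]:
    """Return the FAQ rules a single attribute value violates (empty = clean)."""
    problems: list[str] = []
    if value == "":
        problems.append("empty value")
    if value.startswith((" ", "#")):
        problems.append("starts with a space or '#'")
    if value.endswith(" "):
        problems.append("ends with a space")
    bad = sorted(set(value) & RESERVED_CHARS)
    if bad:
        problems.append("contains reserved character(s) " + " ".join(repr(c) for c in bad))
    if not value.isprintable():
        problems.append("contains non-printable characters")
    return problems


def check_subject(dn: str, existing_subjects: tuple[str, ...] = ()) -> dict[str, list[str]]:
    """Check a proposed subject DN; an empty "errors" list means it is safe to use."""
    errors: list[str] = []
    warnings: list[str] = []
    pairs = split_dn(dn)

    if not any(attr == "CN" for attr, _ in pairs):
        errors.append("no CN attribute; CN values must be given explicitly")

    for attr, value in pairs:
        for problem in check_value(value):
            errors.append(f"{attr}: {problem}")
        if "_" in value:
            warnings.append(f"{attr}: underscore in {value!r} can cause problems")

    # One subject per device. Assumption: compare attribute and value
    # case-insensitively, which is the conservative choice.
    norm = [(a, v.casefold()) for a, v in pairs]
    for other in existing_subjects:
        if [(a, v.casefold()) for a, v in split_dn(other)] == norm:
            errors.append(f"subject already used by another local certificate: {other!r}")
            break

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample subjects, not taken from any real device.
    loaded = ("CN=vpn1.example.com,OU=NetOps,O=Example",)
    for candidate in (
        "CN=vpn2.example.com,OU=NetOps,O=Example",  # clean
        "CN=vpn1.example.com,OU=netops,O=example",  # duplicate subject
        "CN=#vpn3, OU=Net Ops ,O=Ex;ample",         # special-character rules
        "CN=vpn_4.example.com,O=Example",           # underscore warning
    ):
        print(candidate, "->", check_subject(candidate, loaded))
```

Run the check on the exact string you intend to give the certificate request; anything reported under "errors" should be renamed rather than escaped, since the FAQ's guidance is to avoid the characters, not to quote them.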
I want my CRL Distribution Point (CDP) function to communicate through a VPN tunnel. How do I set that up so the Junos OS device will source the IP from an internal interface that matches a tunnel definition and not source the packet from the egress (outgoing) interface which does not match a tunnel policy (even though that interface is the tunnel endpoint/gateway IP itself)?
This is not supported in Junos OS.