show services ipsec-vpn certificates
Syntax
Release Information
Command introduced in Junos OS Release 7.5.
Description
(Adaptive services interfaces only) Display local and remote certificates installed in the IPsec configuration memory cache that are used for the IKE negotiation.
Options
none: (Same as brief) Display information about local and remote certificates associated with all service sets.
brief | detail: (Optional) Display the specified level of output.
service-set service-set: (Optional) Display information about local and remote certificates associated with only the specified service set.
Required Privilege Level
view
List of Sample Output
show security ipsec-vpn certificates
show security ipsec-vpn certificates detail
Output Fields
Table 1 lists the output fields for the show services ipsec-vpn certificates command. Output fields are listed in the approximate order in which they appear.
Table 1: show services ipsec-vpn certificates Output Fields
Field Name | Field Description | Level of Output |
---|---|---|
Service set | Name of the IPsec service set. | All levels |
Total entries | Number of certificate cache entries. | All levels |
Certificate cache entry | Identification number of the certificate cache entry. | All levels |
Flags | Information about the digital certificate, including whether the certificate is a root certificate and trusted. | none brief |
Issued to | Device that was issued the digital certificate. | none brief |
Issued by | Authority that issued the digital certificate. | none brief |
Certificate version | Revision number of the digital certificate. | detail |
Serial number | Unique serial number of the digital certificate. | detail |
Alternate subject | Domain name or IP address of the device related to the digital certificate. | All levels |
Validity | Time period when the digital certificate is valid. Values are Not before and Not after. | none brief |
Public key algorithm | Specifies the encryption algorithm used with the private key, such as rsaEncryption (1024 bits). | detail |
Signature algorithm | Encryption algorithm that the CA used to sign the digital certificate, such as sha1WithRSAEncryption. | detail |
Fingerprint | Secure Hash Algorithm (SHA1) and Message Digest 5 (MD5) hashes used to identify the digital certificate. | detail |
Distribution CRL | Distinguished name information and the URL for the certificate revocation list (CRL) server. | detail |
Use for key | Use of the public key, such as Certificate signing, CRL signing, Digital signature, or Key encipherment. | detail |
Sample Output
show security ipsec-vpn certificates
user@host> show services ipsec-vpn certificates
Service set: serviceset-dynamic-BiEspsha3des, Total entries: 3
  Certificate cache entry: 3
    Flags: Non-root Trusted
    Issued to: router3.juniper.net, Issued by: juniper
    Alternate subject: router3.juniper.net
    Validity:
      Not before: 2005 Nov 21st, 23:33:58 GMT
      Not after: 2008 Nov 22nd, 00:03:58 GMT
  Certificate cache entry: 2
    Flags: Non-root Trusted
    Issued to: router2.juniper.net, Issued by: juniper
    Alternate subject: router2.juniper.net
    Validity:
      Not before: 2005 Nov 21st, 23:28:22 GMT
      Not after: 2008 Nov 21st, 23:58:22 GMT
  Certificate cache entry: 1
    Flags: Root Trusted
    Issued to: juniper, Issued by: juniper
    Validity:
      Not before: 2005 Oct 18th, 23:54:22 GMT
      Not after: 2025 Oct 19th, 00:24:22 GMT
show security ipsec-vpn certificates detail
user@host> show services ipsec-vpn certificates detail
Service set: serviceset-dynamic-BiEspsha3des, Total entries: 3
  Certificate cache entry: 3
    Certificate version: 3
    Serial number: 4355 94f9
    Alternate subject: router3.juniper.net
    Public key algorithm: rsaEncryption
    Signature algorithm: sha1WithRSAEncryption
    Fingerprint:
      61:3a:d0:b4:7a:16:9b:39:ba:81:3f:9d:ab:34:e5:c8:be:3b:a1:6d (sha1)
      60:a0:ff:58:05:4a:65:73:9d:74:3a:e1:83:6f:1b:c8 (md5)
    Distribution CRL:
      C=us, O=juniper, CN=CRL1
      http://CA-1/CRL/juniper_us_crlfile.crl
    Use for key: Digital signature
  Certificate cache entry: 2
    Certificate version: 3
    Serial number: 4355 94f8
    Alternate subject: router2.juniper.net
    Public key algorithm: rsaEncryption
    Signature algorithm: sha1WithRSAEncryption
    Fingerprint:
      30:c3:a4:04:da:33:9d:60:23:5a:48:75:48:2c:f0:c6:96:6c:31:fa (sha1)
      9a:a2:ce:ef:7e:10:80:a0:c8:4d:2f:e7:e1:d3:69:9d (md5)
    Distribution CRL:
      C=us, O=juniper, CN=CRL1
      http://CA-1/CRL/juniper_us_crlfile.crl
    Use for key: Digital signature
  Certificate cache entry: 1
    Certificate version: 3
    Flags: Root
    Serial number: 4355 9235
    Public key algorithm: rsaEncryption
    Signature algorithm: sha1WithRSAEncryption
    Fingerprint:
      00:8e:6f:58:dd:68:bf:25:0a:e3:f9:17:70:d6:61:f3:53:a7:79:10 (sha1)
      71:6f:6a:76:17:9b:d6:2a:e7:5a:72:97:82:6d:26:86 (md5)
    Distribution CRL:
      C=us, O=juniper, CN=CRL1
      http://CA-1/CRL/juniper_us_crlfile.crl
    Use for key: CRL signing, Certificate signing
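The following is an added example, not part of the original page and not Juniper code: it parses saved output of this command at either level and reports certificates that are expired, close to expiry, or signed with a SHA-1 or MD5 based algorithm. The function names, the 30-day warning window, and the choice to flag SHA-1/MD5 signatures are assumptions of this example. It splits on the field labels from Table 1, so it works whether the output is wrapped or flattened onto one line.

```python
import re
from datetime import datetime, timedelta, timezone

# Field labels from Table 1 plus "Not before"/"Not after" from the sample output.
LABELS = ("Service set|Total entries|Certificate cache entry|Flags|Issued to|Issued by|"
          "Certificate version|Serial number|Alternate subject|Validity|Not before|Not after|"
          "Public key algorithm|Signature algorithm|Fingerprint|Distribution CRL|Use for key")
SPLIT = re.compile(r"\b(" + LABELS + r"):")

def parse_entries(text):
    """Return one dict per certificate cache entry (brief or detail output)."""
    parts = SPLIT.split(text)[1:]  # alternating label, value, label, value, ...
    entries, service_set = [], None
    for label, value in zip(parts[0::2], parts[1::2]):
        value = " ".join(value.split()).rstrip(",")
        if label == "Service set":
            service_set = value
        elif label == "Certificate cache entry":
            entries.append({"Service set": service_set, "entry": value})
        elif entries and label not in ("Total entries", "Validity"):
            entries[-1][label] = value
    return entries

def parse_time(value):  # e.g. "2008 Nov 22nd, 00:03:58 GMT" -> aware UTC datetime
    clean = re.sub(r"(\d)(st|nd|rd|th)\b", r"\1", value)
    return datetime.strptime(clean, "%Y %b %d, %H:%M:%S GMT").replace(tzinfo=timezone.utc)

def audit(entries, now, warn_days=30):
    """Return (entry, subject, finding) tuples for certificates needing attention."""
    findings = []
    for e in entries:
        who = e.get("Issued to") or e.get("Alternate subject") or "(unnamed)"
        if "Not after" in e:  # validity is shown at the none/brief level only
            left = parse_time(e["Not after"]) - now
            if left <= timedelta(days=warn_days):
                state = "expired" if left <= timedelta(0) else "expires soon"
                findings.append((e["entry"], who, state))
        sig = e.get("Signature algorithm", "")  # shown at the detail level only
        if sig.lower().startswith(("sha1", "md5")):
            findings.append((e["entry"], who, "weak signature: " + sig))
    return findings

SAMPLE = """Service set: serviceset-dynamic-BiEspsha3des, Total entries: 3
Certificate cache entry: 3 Flags: Non-root Trusted Issued to: router3.juniper.net, Issued by: juniper
Validity: Not before: 2005 Nov 21st, 23:33:58 GMT Not after: 2008 Nov 22nd, 00:03:58 GMT
Certificate cache entry: 1 Flags: Root Trusted Issued to: juniper, Issued by: juniper
Validity: Not before: 2005 Oct 18th, 23:54:22 GMT Not after: 2025 Oct 19th, 00:24:22 GMT"""  # excerpt of the brief sample output

if __name__ == "__main__":
    print(audit(parse_entries(SAMPLE), datetime.now(timezone.utc)))
```

Because validity appears only in the brief output and the signature algorithm only in the detail output, run the audit over both captures to get both kinds of finding.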