Example: Configuring a Certificate Authority Profile (CLI)
To configure a CA profile:
- Create a CA profile. For example, the following command creates a CA profile called ca-profile-ipsec with CA identity microsoft-2008, specifies that the CRL be refreshed every 48 hours, and indicates that the CRL is to be retrieved from http://www.my-ca.com:
  user@host# set security pki ca-profile ca-profile-ipsec ca-identity microsoft-2008 revocation-check crl refresh-interval 48 url http://www.my-ca.com
- Specify the number of times a device resends a certificate request for online enrollment when attempts to enroll in Step 1 fail. For example, the following command sets the enrollment retry to 20 times:
  user@host# set security pki ca-profile ca-profile-ipsec enrollment retry 20
The default value for retry is 10.
- Specify the time interval in seconds between attempts to automatically enroll the CA certificate online. For example, the following command specifies automatic certificate polling every 30 minutes:
  user@host# set security pki ca-profile ca-profile-ipsec enrollment retry-interval 1800
If you configure retry only without configuring a retry interval, then the default retry interval is 900 seconds (15 minutes). If you do not configure retry or a retry interval, then there is no polling.
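The following added example (not Juniper code) parses the three set commands from the steps above and applies the defaults stated on this page to report the effective enrollment polling and CRL refresh settings for each CA profile. The function names, the retry_window_s estimate (retry multiplied by retry interval), and the handling of a retry interval configured without retry (the default retry of 10 is used) are assumptions of this example.

```python
import shlex

# Defaults as stated on this page.
DEFAULT_RETRY = 10
DEFAULT_RETRY_INTERVAL = 900  # seconds (15 minutes)

# Constructed sample input: the three commands from the steps above.
SAMPLE = """\
set security pki ca-profile ca-profile-ipsec ca-identity microsoft-2008 revocation-check crl refresh-interval 48 url http://www.my-ca.com
set security pki ca-profile ca-profile-ipsec enrollment retry 20
set security pki ca-profile ca-profile-ipsec enrollment retry-interval 1800
"""

KEYS = ("ca-identity", "refresh-interval", "url", "retry", "retry-interval")

def parse_profiles(text):
    """Collect keyword/value pairs per CA profile from 'set' lines."""
    profiles = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:4] != ["set", "security", "pki", "ca-profile"] or len(tok) < 5:
            continue  # not a CA profile statement
        prof = profiles.setdefault(tok[4], {})
        rest = tok[5:]
        for i, word in enumerate(rest[:-1]):
            if word in KEYS:
                prof[word] = rest[i + 1]
    return profiles

def effective(prof):
    """Apply the page's defaults; interval without retry -> default retry (assumption)."""
    retry = prof.get("retry")
    interval = prof.get("retry-interval")
    polling = retry is not None or interval is not None  # neither set: no polling
    retry = int(retry) if retry is not None else DEFAULT_RETRY
    interval = int(interval) if interval is not None else DEFAULT_RETRY_INTERVAL
    refresh = prof.get("refresh-interval")
    return {
        "ca_identity": prof.get("ca-identity"),
        "crl_url": prof.get("url"),
        "crl_refresh_hours": int(refresh) if refresh is not None else None,
        "polling": polling,
        "retry": retry if polling else None,
        "retry_interval_s": interval if polling else None,
        "retry_window_s": retry * interval if polling else None,  # rough estimate
    }

if __name__ == "__main__":
    for name, prof in parse_profiles(SAMPLE).items():
        print(name, effective(prof))
```

A profile that reports polling as False or crl_refresh_hours as None is one where the corresponding statement is missing from the configuration being reviewed.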
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Example: Generating a Public-Private Key Pair (CLI)
- Enrolling a CA Certificate Online (CLI Procedure)
- Example: Enrolling a Local Certificate Online (CLI)
- Understanding Certificate Authority Profiles
- Deleting Certificates (CLI Procedure)