Example: Enrolling a Local Certificate Online (CLI)

With SCEP, you can configure your Juniper Networks device to obtain a local certificate online and start the online enrollment for the specified certificate ID.

Before you begin:

1. Generate a public and private key pair. See Example: Generating a Public-Private Key Pair (CLI).
2. Configure a certificate authority (CA) profile. See Example: Configuring a Certificate Authority Profile (CLI).
3. Enroll a CA certificate. See Enrolling a CA Certificate Online (CLI Procedure)

To configure the device for online enrollment:

1. Specify the CA profile—for example, wincs-5—and specify the CA location for your device to send the SCEP-based certificate enrollment requests. To specify the CA location by naming the CA URL, include the url statement. For example:
   user@host# set security pki ca-profile wincs-5 enrollment url http://10.155.8.1/certsrv/mscep/mscep.dll
2. Use the request security pki local-certificate enroll command to start the online enrollment for the specified certificate ID. You must specify the CA profile name (for example, wincs-5), the certificate ID (for example, qqq), and the following information:

   Note: SCEP sends a PKCS #10 format certificate request enveloped in PKCS #7 format.

   • Specify the challenge CA password for certificate enrollment and revocation—for example, aaa. If the CA does not provide the challenge password, then choose your own password.
   • Specify at least one of the following values:
     • Enter the domain name to identify the certificate owner in Internet Key Exchange (IKE) negotiations—for example, qqq.juniper.net.
     • Specify the identity of the certificate owner for IKE negotiation with the e-mail statement—for example, qqq@juniper.net.
     • Enter an IP address if the device is configured for a static IP address—for example, 10.10.10.10.
   • Specify the subject name in the distinguished name format in quotation marks, including the domain component (DC), common name (CN), organizational unit name (OU), organization name (O), locality (L), state (ST), and country (C).

     For example:

     
     

     user@host> request security pki local-certificate enroll ca-profile wincs-5 certificate-id qqq challenge-password aaa domain-name qqq.juniper.net email qqq@juniper.net ip-address 10.10.10.10 subject DC=juniper, CN=router3, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us

   The device certificate is obtained and the online enrollment begins for the certificate ID. The command is processed asynchronously.

The device certificate is obtained and the online enrollment begins for the certificate ID. The command is processed asynchronously.

Related Topics

• JUNOS Software Feature Support Reference for SRX Series and J Series Devices
• Understanding Online CA Certificate Enrollment
• Digital Certificates Configuration Overview
• Example: Generating a Local Certificate Request Manually (CLI)
• Example: Loading CA and Local Certificates Manually (CLI)
• Example: Verifying Certificate Validity (CLI)