show ipsec certificates
Syntax
show ipsec certificates <brief | detail> <crl crl-name | serial-number>
Description
(Encryption interface on M Series and T Series routers only) Display information about the IPsec certificate database.
Options
| none | Display standard information about all of the entries in the IPsec certificate database. |
| brief | detail | (Optional) Display the specified level of output. |
| crl crl-name | serial-number | (Optional) Display information about the entries on the certificate revocation list (CRL) or for the specified serial number. A CRL is a timestamped list identifying revoked certificates. The CRL is signed by a certificate authority (CA) or CRL issuer and made freely available in a public repository. Each revoked certificate is identified in a CRL by its certificate serial number. |
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show ipsec certificates command. Output fields are listed in the approximate order in which
they appear.
Field Name |
Field Description |
Level of Output |
|---|---|---|
Database |
Display information about the IPsec certificate database.
|
All levels |
Subject |
Distinguished name for the certificate for C, O, CN, as described in RFC 3280, Internet x.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. |
All levels |
ID |
Identification number of the database entry. ID is generated by the internal certificate database. |
All levels |
References |
Reference number the certificate manager has for the particular entry. |
detail |
Serial |
Unique serial number assigned to each certificate by the CA. |
All levels |
Flags |
State of the certificate.
|
detail |
Validity period starts |
Start time that the certificate is valid, in the format yyyy mon dd, hh:mm:ss GMT. |
detail |
Validity period ends |
End time that the certificate is valid, in the format yyyy mon dd, hh:mm:ss GMT. |
detail |
Alternative name information |
Auxiliary identity for the certificate: dns-name, email-address, ip-address, or uri (uniform resource identifier). |
detail |
Issuer |
Information about the entity that has signed and issued the CRL as described in RFC 2459, Internet X.509 Public Key Infrastructure Certificate and CRL Profile. |
detail |
Sample Output
show ipsec certificates detail
user@host> show ipsec certificates detail
Database: Total entries: 3 Active entries: 4 Locked entries: 1
Subject: C=us, O=x
ID: 5, References: 0, Serial: 22314868
Flags: Trusted Non-root Crl-issuer
Validity period starts: 2003 Mar 1st, 01:20:42 GMT
Validity period ends: 2003 Mar 31st, 01:50:42 GMT
Alternative name information:
IP address: 10.20.210.1
Issuer: C=FI, O=Company-ABC, CN=Company ABC class 2
Subject: C=us, O=x
ID: 4, References: 0, Serial: 22315496
Flags: Trusted Non-root Crl-issuer
Validity period starts: 2003 Mar 1st, 01:21:45 GMT
Validity period ends: 2003 Mar 31st, 01:51:45 GMT
Alternative name information:
IP address: 10.20.210.20
Issuer: C=FI, O=Company-ABC, CN=Company ABC class 2
Subject: C=FI, O=SSH Company-ABC, CN=Company ABC class 2
ID: 1, References: 1, Serial: 1538512
Flags: Trusted Root Non-crl-issuer
Validity period starts: 2001 Aug 1st, 07:08:32 GMT
Validity period ends: 2004 Aug 1st, 07:08:32 GMT
Alternative name information:
Email address: certifier-support@ssh.com
Issuer: C=FI, O=Company-ABC, CN=Company ABC class 2
Release Information
Command introduced before Junos OS Release 7.4.