show security pki ca-certificate (View)

19-Nov-23

Syntax

show security pki ca-certificate
<brief | detail>
<ca-profile ca-profile-name> 

Description

Display information about the certificate authority (CA) public key infrastructure (PKI) digital certificates configured on the device.

The FIPS image does not permit the use of MD5 fingerprints. Therefore, MD5 fingerprints are not included when a certificate is displayed using this command. The SHA-1 fingerprint that is currently displayed is retained in the FIPS image. The Simple Certificate Enrollment Protocol (SCEP) is disabled in the FIPS image.

Options

  • none—Display basic information about all configured CA certificates.

  • brief | detail—(Optional) Display the specified level of output.

  • ca-profile ca-profile-name—(Optional) Display information about only the specified CA certificate.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security pki ca-certificate command. Output fields are listed in the approximate order in which they appear.

Table 1: show security pki ca-certificate Output Fields

Field Name

Field Description

CA profile

Name of the CA profile in the CA certificate.

Starting in Junos OS Release 21.4R1, you can view this information by executing the show security pki ca-certificate <brief | detail> command.

Certificate identifier

Name of the digital certificate.

Certificate version

Revision number of the digital certificate.

Serial number

Unique serial number of the digital certificate.

Issuer

Authority that issued the digital certificate, including details of the authority organized using the distinguished name format. Possible subfields are:

  • Organization—Organization of origin.

  • Organizational unit—Department within an organization.

  • Country—Country of origin.

  • Locality—Locality of origin.

  • Common name—Name of the authority.

Subject

Details of the digital certificate holder organized using the distinguished name format. Possible subfields are:

  • Organization—Organization of origin.

  • Organizational unit—Department within an organization.

  • Country—Country of origin.

  • Locality—Locality of origin.

  • Common name—Name of the authority.

If the certificate contains multiple subfield entries, all entries are displayed.

Subject string

Subject field as it appears in the certificate.

Validity

Time period when the digital certificate is valid. Values are:

  • Not before—Start time when the digital certificate becomes valid.

  • Not after—End time when the digital certificate becomes invalid.

Public key algorithm

Encryption algorithm used with the private key, such as rsaEncryption(1024 bits).

Signature algorithm

Encryption algorithm that the CA used to sign the digital certificate, such as sha1WithRSAEncryption.

Certificate Policy

Policy Identifier—One or more policy object identifiers (OIDs).

Use for key

Use of the public key, such as Certificate signing, CRL signing, Digital signature, or Data encipherment.

Fingerprint

Secure Hash Algorithm (SHA1) and Message Digest 5 (MD5) hashes used to identify the digital certificate.

Starting in Junos OS Release 21.4R1, you can also view the SHA256 fingerprint for a local certificate along with SHA1 and MD5 fingerprints.

Distribution CRL

Distinguished name information and the URL for the certificate revocation list (CRL) server.

Sample Output

show security pki ca-certificate (MX240, MX480, MX960, SRX Series Firewalls and vSRX Virtual Firewall)

Starting in Junos OS Release 21.4R1, execute the show security pki ca-certificate <ca-profile ca-profile-name> command to view the CA profile name printed in the CA certificate. The CA profile field in the output represents this name. In this sample, the CA profile name printed in the CA certificate is Root-CA.

user@host> show security pki ca-certificate ca-profile Root-CA
LSYS: root-logical-system
  CA profile: Root-CA
Certificate identifier: Root-CA
  Issued to: Root-CA, Issued by: C = us, O = juniper, CN = Root-CA
  Validity:
    Not before: 05-19-2021 08:05 UTC
    Not after: 05-17-2031 08:05 UTC
  Public key algorithm: rsaEncryption(2048 bits)
  Keypair Location: Keypair generated locally

show security pki ca-certificate ca-profile detail (MX240, MX480, MX960, SRX Series Firewalls and vSRX Virtual Firewall)

Starting in Junos OS Release 21.4R1, execute the show security pki ca-certificate <ca-profile ca-profile-name> detail command to view:

  • The CA profile name printed in the CA certificate. The CA profile field in the output represents this name. In this sample, the CA profile name printed in the CA certificate is Root-CA.

  • The SHA256 fingerprint for a CA certificate.

user@host> show security pki ca-certificate ca-profile Root-CA detail
LSYS: root-logical-system
  CA profile: Root-CA
Certificate identifier: Root-CA
  Certificate version: 3

  Serial number:
    hexadecimal: 0x00000d87
    decimal: 3463
  Issuer:
    Organization: juniper, Country: us, Common name: Root-CA
  Subject:
    Organization: juniper, Country: us, Common name: Root-CA
  Subject string: 
    C=us, O=juniper, CN=Root-CA
 
  Validity:
    Not before: 05-19-2021 08:05 UTC
    Not after: 05-17-2031 08:05 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:cf:28:0c:04:ae:f0:89:f1:0a:cc:b3
    5a:0a:d9:c7:0a:f3:90:2e:7d:06:73:a4:65:94:3d:53:d4:25:2e:40
    11:98:4e:2f:52:53:1e:b3:69:2b:80:89:2e:b0:17:3a:3d:96:b3:70
    26:f7:da:ae:4e:ba:15:50:db:42:bd:bc:8c:0c:fd:5b:8e:f5:fb:74
    3c:48:8f:ec:c0:6a:5f:46:b3:1f:19:10:10:c4:e2:7e:e7:c5:ed:e1
    ff:64:01:01:f5:69:82:47:7a:2f:4c:6f:52:df:a4:06:fb:f8:ac:04
    3c:46:51:08:b4:5d:71:f3:69:a1:22:cb:53:18:74:bc:bf:4d:6b:4a
    b0:cd:4c:60:38:5f:ec:a8:6d:6c:77:dd:ed:14:a1:5f:c7:84:a7:74
    7a:6c:45:fa:4e:8a:db:8d:6c:ec:6a:25:fa:38:54:97:ac:0e:d0:12
    48:e5:0f:10:b2:3d:b0:de:95:53:d3:c8:a5:dc:6f:ed:f5:7d:49:e3
    b5:68:98:24:a7:8b:5d:a7:e5:98:de:51:b5:20:68:15:22:64:f1:c3
    cc:c4:1a:1a:be:bf:cb:fb:a7:79:92:a8:45:a3:ef:0d:2e:0f:21:f4
    5e:9d:77:1f:32:68:45:e1:93:ab:27:88:a6:c6:b2:81:55:a1:6d:c6
    81:85:1b:7f:61:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL: 
    http://10.48.148.132:8080/crl-as-der/currentcrl-11.crl?id=11
  Authority Information Access OCSP: 
    http://10.48.148.132:8090/Root-CA/
  Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
  Fingerprint:
    b4:65:6b:a2:28:01:b1:76:26:8b:8f:4f:53:b9:50:a6:eb:df:39:3a (sha1)
    14:c9:4f:da:96:15:94:6f:fa:5e:fd:60:ce:47:90:97 (md5)
    49:ee:63:56:72:0b:f4:87:08:75:c9:1a:fa:6c:4d:c7:7c:2f:a2:21:31:68:30:67:87:37:cd:c0:86:34:1c:76 (sha256)
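
An added example (not from the Juniper documentation): a Python check that parses the detail output shown above and audits it, comparing the SHA256 fingerprint with a value obtained out of band and flagging small keys, MD5 or SHA-1 signatures, and approaching expiry. The helper names parse_detail and audit, the thresholds, and the trimmed copy of the sample output are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Added example: helper names are hypothetical; SAMPLE is the page's sample, trimmed.
SAMPLE = """\
  CA profile: Root-CA
    Not after: 05-17-2031 08:05 UTC
  Public key algorithm: rsaEncryption(2048 bits)
  Signature algorithm: sha256WithRSAEncryption
  Fingerprint:
    b4:65:6b:a2:28:01:b1:76:26:8b:8f:4f:53:b9:50:a6:eb:df:39:3a (sha1)
    14:c9:4f:da:96:15:94:6f:fa:5e:fd:60:ce:47:90:97 (md5)
    49:ee:63:56:72:0b:f4:87:08:75:c9:1a:fa:6c:4d:c7:7c:2f:a2:21:31:68:30:67:87:37:cd:c0:86:34:1c:76 (sha256)
"""

def parse_detail(text):
    """Extract the audit-relevant fields from one certificate's detail output."""
    def field(label):
        m = re.search(rf"^[ \t]*{re.escape(label)}:[ \t]*(.+?)[ \t]*$", text, re.M)
        return m.group(1) if m else None
    fp_line = r"^[ \t]*((?:[0-9a-f]{2}:)+[0-9a-f]{2}) \((\w+)\)[ \t]*$"
    fps = {alg.lower(): fp.replace(":", "").lower()
           for fp, alg in re.findall(fp_line, text, re.M | re.I)}
    bits = re.search(r"\((\d+) bits\)", field("Public key algorithm") or "")
    na = field("Not after")
    return {
        "profile": field("CA profile"),
        "not_after": datetime.strptime(na, "%m-%d-%Y %H:%M UTC").replace(
            tzinfo=timezone.utc) if na else None,
        "key_bits": int(bits.group(1)) if bits else None,
        "sig_alg": field("Signature algorithm"),
        "fingerprints": fps,
    }

def audit(cert, pinned_sha256, now, min_bits=2048, warn_days=90):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    seen = cert["fingerprints"].get("sha256")
    if seen is None:  # the sha256 line is only printed from Release 21.4R1 on
        findings.append("no sha256 fingerprint in output")
    elif seen != pinned_sha256.replace(":", "").lower():
        findings.append("sha256 fingerprint does not match pinned value")
    if cert["key_bits"] is not None and cert["key_bits"] < min_bits:
        findings.append(f"public key is only {cert['key_bits']} bits")
    if re.match(r"(md5|sha1)With", cert["sig_alg"] or "", re.I):
        findings.append(f"weak signature algorithm {cert['sig_alg']}")
    if cert["not_after"] and (cert["not_after"] - now).days < warn_days:
        findings.append(f"expires {cert['not_after']:%Y-%m-%d}")
    return findings
```

Feed parse_detail the captured CLI text and pass audit a fingerprint taken from the CA operator through a separate channel, not one copied from the same device.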

Release Information

Command modified in Junos OS Release 8.5.

Subject string output field added in Junos OS Release 12.1X44-D10. Policy identifier output field added in Junos OS Release 12.3X48-D10.

CA profile output field and (sha256) value for the Fingerprint output field added in Junos OS Release 21.4R1.
