show security pki ca-certificate (View)
Syntax
show security pki ca-certificate <brief|detail> <ca-profileca-profile-name>
Description
Display information about the certificate authority (CA) public key infrastructure (PKI) digital certificates configured on the device.
The FIPS image does not permit the use of MD5 fingerprints. Therefore, MD5 fingerprints are not included when a certificate is displayed using this command. The SHA-1 fingerprint that is currently displayed is retained in the FIPS image. The Simple Certificate Enrollment Protocol (SCEP) is disabled in the FIPS image.
Options
-
none—Display basic information about all configured CA certificates.
-
brief|detail—(Optional) Display the specified level of output. -
ca-profileca-profile-name-(Optional) Display information about only the specified CA certificate.
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the
show security pki ca-certificate command. Output fields are listed in the
approximate order in which they appear.
|
Field Name |
Field Description |
|---|---|
|
|
Name of the CA profile in the CA certificate. Starting in Junos OS Release 21.4R1, you can view this information by executing
the |
|
|
Name of the digital certificate. |
|
|
Revision number of the digital certificate. |
|
|
Unique serial number of the digital certificate. |
|
|
Authority that issued the digital certificate, including details of the authority organized using the distinguished name format. Possible subfields are:
|
|
|
Details of the digital certificate holder organized using the distinguished name format. Possible subfields are:
If the certificate contains multiple subfield entries, all entries are displayed. |
|
|
Subject field as it appears in the certificate. |
|
|
Time period when the digital certificate is valid. Values are:
|
|
|
Encryption algorithm used with the private key, such as
|
|
|
Encryption algorithm that the CA used to sign the digital certificate, such as
|
|
|
|
|
|
Use of the public key, such as |
|
|
Secure Hash Algorithm ( Starting in Junos OS Release 21.4R1, you can also view the
|
|
|
Distinguished name information and the URL for the certificate revocation list (CRL) server. |
Sample Output
- show security pki ca-certificate (MX240, MX480, MX960, SRX Series Firewalls and vSRX Virtual Firewall)
- show security pki ca-certificate ca-profile detail (MX240, MX480, MX960, SRX Series Firewalls and vSRX Virtual Firewall)
show security pki ca-certificate (MX240, MX480, MX960, SRX Series Firewalls and vSRX Virtual Firewall)
Starting in Junos OS Release 21.4R1, execute the show security pki ca-certificate
<ca-profile ca-profile-name> command to view the CA
profile name printed in the CA. The CA profile field in the output
represents the CA profile name printed in the CA. In this sample, the CA profile name
printed in the CA certificate is a Root-CA.
user@host> show security pki ca-certificate ca-profile Root-CA
LSYS: root-logical-system
CA profile: Root-CA
Certificate identifier: Root-CA
Issued to: Root-CA, Issued by: C = us, O = juniper, CN = Root-CA
Validity:
Not before: 05-19-2021 08:05 UTC
Not after: 05-17-2031 08:05 UTC
Public key algorithm: rsaEncryption(2048 bits)
Keypair Location: Keypair generated locally
show security pki ca-certificate ca-profile detail (MX240, MX480, MX960, SRX Series Firewalls and vSRX Virtual Firewall)
Starting in Junos OS Release 21.4R1, execute the show security pki ca-certificate
<ca-profile ca-profile-name> detail command to view:
- the CA profile name printed in the CA. The
CA profilefield in the output represents the CA profile name printed in the CA. In this sample, the CA profile name printed in the CA certificate isRoot-CA. - the SHA256 fingerprint for a CA certificate.
user@host> show security pki ca-certificate ca-profile Root-CA detail
LSYS: root-logical-system
CA profile: Root-CA
Certificate identifier: Root-CA
Certificate version: 3
Serial number:
hexadecimal: 0x00000d87
decimal: 3463
Issuer:
Organization: juniper, Country: us, Common name: Root-CA
Subject:
Organization: juniper, Country: us, Common name: Root-CA
Subject string:
C=us, O=juniper, CN=Root-CA
Validity:
Not before: 05-19-2021 08:05 UTC
Not after: 05-17-2031 08:05 UTC
Public key algorithm: rsaEncryption(2048 bits)
30:82:01:0a:02:82:01:01:00:cf:28:0c:04:ae:f0:89:f1:0a:cc:b3
5a:0a:d9:c7:0a:f3:90:2e:7d:06:73:a4:65:94:3d:53:d4:25:2e:40
11:98:4e:2f:52:53:1e:b3:69:2b:80:89:2e:b0:17:3a:3d:96:b3:70
26:f7:da:ae:4e:ba:15:50:db:42:bd:bc:8c:0c:fd:5b:8e:f5:fb:74
3c:48:8f:ec:c0:6a:5f:46:b3:1f:19:10:10:c4:e2:7e:e7:c5:ed:e1
ff:64:01:01:f5:69:82:47:7a:2f:4c:6f:52:df:a4:06:fb:f8:ac:04
3c:46:51:08:b4:5d:71:f3:69:a1:22:cb:53:18:74:bc:bf:4d:6b:4a
b0:cd:4c:60:38:5f:ec:a8:6d:6c:77:dd:ed:14:a1:5f:c7:84:a7:74
7a:6c:45:fa:4e:8a:db:8d:6c:ec:6a:25:fa:38:54:97:ac:0e:d0:12
48:e5:0f:10:b2:3d:b0:de:95:53:d3:c8:a5:dc:6f:ed:f5:7d:49:e3
b5:68:98:24:a7:8b:5d:a7:e5:98:de:51:b5:20:68:15:22:64:f1:c3
cc:c4:1a:1a:be:bf:cb:fb:a7:79:92:a8:45:a3:ef:0d:2e:0f:21:f4
5e:9d:77:1f:32:68:45:e1:93:ab:27:88:a6:c6:b2:81:55:a1:6d:c6
81:85:1b:7f:61:02:03:01:00:01
Signature algorithm: sha256WithRSAEncryption
Distribution CRL:
http://10.48.148.132:8080/crl-as-der/currentcrl-11.crl?id=11
Authority Information Access OCSP:
http://10.48.148.132:8090/Root-CA/
Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
Fingerprint:
b4:65:6b:a2:28:01:b1:76:26:8b:8f:4f:53:b9:50:a6:eb:df:39:3a (sha1)
14:c9:4f:da:96:15:94:6f:fa:5e:fd:60:ce:47:90:97 (md5)
49:ee:63:56:72:0b:f4:87:08:75:c9:1a:fa:6c:4d:c7:7c:2f:a2:21:31:68:30:67:87:37:cd:c0:86:34:1c:76 (sha256)
Release Information
Command modified in Junos OS Release 8.5.
Subject string output field added in Junos OS Release 12.1X44-D10. Policy identifier output field added in Junos OS Release 12.3X48-D10.
CA profile and (sha256) for Fingerprint
output field added in Junos OS Release 21.4R1.