show services ipsec-vpn certificates
Syntax
show services ipsec-vpn certificates <brief | detail> <service-set service-set>
Description
(Adaptive services interfaces only) Display local and remote certificates installed in the IPsec configuration memory cache that are used for the IKE negotiation.
Options
none | (same as brief) Display information about local and remote certificates associated with all service sets. |
brief | detail | (Optional) Display the specified level of output. |
service-set service-set | (Optional) Display information about local and remote certificates associated with only the specified service set. |
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show services ipsec-vpn certificates command. Output fields are listed in the approximate order in which they appear.
Field Name | Field Description | Level of Output |
---|---|---|
Service set | Name of the IPsec service set. | All levels |
Total entries | Number of certificate cache entries. | All levels |
Certificate cache entry | Identification number of the certificate cache entry. | All levels |
Flags | Information about the digital certificate, including whether the certificate is a root certificate and trusted. | none brief |
Issued to | Device that was issued the digital certificate. | none brief |
Issued by | Authority that issued the digital certificate. | none brief |
Certificate version | Revision number of the digital certificate. | detail |
Serial number | Unique serial number of the digital certificate. | detail |
Alternate subject | Domain name or IP address of the device related to the digital certificate. | All levels |
Validity | Time period when the digital certificate is valid. Values are: | none brief |
Public key algorithm | Specifies the encryption algorithm used with the private key, such as rsaEncryption (1024 bits). | detail |
Signature algorithm | Encryption algorithm that the CA used to sign the digital certificate, such as sha1WithRSAEncryption. | detail |
Fingerprint | Secure Hash Algorithm (SHA1) and Message Digest 5 (MD5) hashes used to identify the digital certificate. | detail |
Distribution CRL | Distinguished name information and the URL for the certificate revocation list (CRL) server. | detail |
Use for key | Use of the public key, such as Certificate signing, CRL signing, Digital signature, or Key encipherment. | detail |
Sample Output
show services ipsec-vpn certificates
user@host> show services ipsec-vpn certificates
Service set: serviceset-dynamic-BiEspsha3des, Total entries: 3
  Certificate cache entry: 3
    Flags: Non-root Trusted
    Issued to: router3.example.com, Issued by: juniper
    Alternate subject: router3.example.com
    Validity:
      Not before: 2005 Nov 21st, 23:33:58 GMT
      Not after: 2008 Nov 22nd, 00:03:58 GMT
  Certificate cache entry: 2
    Flags: Non-root Trusted
    Issued to: router2.example.com, Issued by: juniper
    Alternate subject: router2.example.com
    Validity:
      Not before: 2005 Nov 21st, 23:28:22 GMT
      Not after: 2008 Nov 21st, 23:58:22 GMT
  Certificate cache entry: 1
    Flags: Root Trusted
    Issued to: juniper, Issued by: juniper
    Validity:
      Not before: 2005 Oct 18th, 23:54:22 GMT
      Not after: 2025 Oct 19th, 00:24:22 GMT
show services ipsec-vpn certificates detail
user@host> show services ipsec-vpn certificates detail
Service set: serviceset-dynamic-BiEspsha3des, Total entries: 3
  Certificate cache entry: 3
    Certificate version: 3
    Serial number: 4355 94f9
    Alternate subject: router3.example.com
    Public key algorithm: rsaEncryption
    Signature algorithm: sha1WithRSAEncryption
    Fingerprint:
      61:3a:d0:b4:7a:16:9b:39:ba:81:3f:9d:ab:34:e5:c8:be:3b:a1:6d (sha1)
      60:a0:ff:58:05:4a:65:73:9d:74:3a:e1:83:6f:1b:c8 (md5)
    Distribution CRL:
      C=us, O=juniper, CN=CRL1
      http://CA-1/CRL/juniper_us_crlfile.crl
    Use for key: Digital signature
  Certificate cache entry: 2
    Certificate version: 3
    Serial number: 4355 94f8
    Alternate subject: router2.example.com
    Public key algorithm: rsaEncryption
    Signature algorithm: sha1WithRSAEncryption
    Fingerprint:
      30:c3:a4:04:da:33:9d:60:23:5a:48:75:48:2c:f0:c6:96:6c:31:fa (sha1)
      9a:a2:ce:ef:7e:10:80:a0:c8:4d:2f:e7:e1:d3:69:9d (md5)
    Distribution CRL:
      C=us, O=juniper, CN=CRL1
      http://CA-1/CRL/juniper_us_crlfile.crl
    Use for key: Digital signature
  Certificate cache entry: 1
    Certificate version: 3
    Flags: Root
    Serial number: 4355 9235
    Public key algorithm: rsaEncryption
    Signature algorithm: sha1WithRSAEncryption
    Fingerprint:
      00:8e:6f:58:dd:68:bf:25:0a:e3:f9:17:70:d6:61:f3:53:a7:79:10 (sha1)
      71:6f:6a:76:17:9b:d6:2a:e7:5a:72:97:82:6d:26:86 (md5)
    Distribution CRL:
      C=us, O=juniper, CN=CRL1
      http://CA-1/CRL/juniper_us_crlfile.crl
    Use for key: CRL signing, Certificate signing
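An added example, not part of the Juniper documentation: a Python parser for the brief output shown above that reports cached certificates whose validity period has lapsed, has not started, or ends within a warning window. The function names `parse_date`, `parse_certificates` and `audit` and the 30-day default are assumptions of this example; it expects brief-level output, because Table 1 lists Validity only at that level.

```python
import re
from datetime import datetime, timedelta, timezone

# Field labels of the brief output; splitting on them works with or without line breaks.
FIELDS = ("Service set|Total entries|Certificate cache entry|Flags|Issued to|"
          "Issued by|Alternate subject|Validity|Not before|Not after")
DATE = re.compile(r"(\d{4}) (\w{3}) (\d{1,2})(?:st|nd|rd|th), (\d\d:\d\d:\d\d) GMT")

def parse_date(value):
    # '2008 Nov 22nd, 00:03:58 GMT' -> timezone-aware UTC datetime
    year, month, day, clock = DATE.search(value).groups()
    stamp = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)

def parse_certificates(text):
    parts = re.split(rf"({FIELDS}):", text)
    entries, service_set, entry = [], None, None
    for key, raw in zip(parts[1::2], parts[2::2]):
        value = raw.strip(" ,\r\n\t")
        if key == "Service set":
            service_set = value
        elif key == "Certificate cache entry":
            entry = {"Service set": service_set, "id": int(value)}
            entries.append(entry)
        elif entry is not None and key in ("Not before", "Not after"):
            entry[key] = parse_date(value)
        elif entry is not None and key not in ("Validity", "Total entries"):
            entry[key] = value
    return entries

def audit(entries, now, warn_days=30):
    findings = []
    for e in entries:
        left = e["Not after"] - now
        status = ("not yet valid" if now < e["Not before"] else
                  "expired" if left < timedelta(0) else
                  "expiring" if left <= timedelta(days=warn_days) else None)
        if status:
            findings.append((e["Service set"], e["id"], e.get("Issued to"), status))
    return findings

# Constructed input: the brief sample from this page, flattened, "Alternate subject" omitted.
SAMPLE = ("Service set: serviceset-dynamic-BiEspsha3des, Total entries: 3 "
          "Certificate cache entry: 3 Flags: Non-root Trusted Issued to: router3.example.com, Issued by: juniper "
          "Validity: Not before: 2005 Nov 21st, 23:33:58 GMT Not after: 2008 Nov 22nd, 00:03:58 GMT "
          "Certificate cache entry: 2 Flags: Non-root Trusted Issued to: router2.example.com, Issued by: juniper "
          "Validity: Not before: 2005 Nov 21st, 23:28:22 GMT Not after: 2008 Nov 21st, 23:58:22 GMT "
          "Certificate cache entry: 1 Flags: Root Trusted Issued to: juniper, Issued by: juniper "
          "Validity: Not before: 2005 Oct 18th, 23:54:22 GMT Not after: 2025 Oct 19th, 00:24:22 GMT")
```

Call `audit(parse_certificates(output), datetime.now(timezone.utc))` on captured command output; each tuple returned is (service set, cache entry, issued to, status).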
Release Information
Command introduced in Junos OS Release 7.5.