Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS Public Key Infrastructure User Guide Public Key Infrastructure PKI Certificates

Public Key Infrastructure User Guide

keyboard_arrow_up
close
keyboard_arrow_left
Public Key Infrastructure User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Certificate Authority

date_range 09-Dec-24
arrow_backward
arrow_forward

Learn about the certificate authority (CA) and understand how to manage CA.

A certificate authority (CA) profile define every parameter associated with a specific certificate to establish secure connection between two endpoints. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access.

Configure a Trusted CA Group

This section describes the procedure to create a trusted CA group for a list of CA profiles and delete a trusted CA group.

Create a Trusted CA Group for a List of CA Profiles

You can configure and assign a trusted CA group to authorize an entity. When a peer tries to establish a connection with a client, only the certificate issued by that particular trusted CA of that entity gets validated. The device validates if the issuer of the certificate and the one presenting the certificate belongs to the same client network. If the issuer and the presenter belong to the same client network then the connection is established. If not, the connection will not be established.

Before you begin, you must have a list of all the CA profiles you want to add to the trusted group.

In this example, we are creating three CA profiles named orgA-ca-profile, orgB-ca-profile, and orgC-ca-profile and associating the following CA identifiers ca-profile1, ca-profile2, and ca-profile3 for the respective profiles. You can group all the three CA profiles to belong to a trusted CA group orgABC-trusted-ca-group.

You can configure a maximum of 20 CA profiles for a trusted CA group.

  1. Create CA profiles and associate CA identifiers to the profile.
    content_copy zoom_out_map
    [edit]
user@host# set security pki ca-profile orgA-ca-profile ca-identity ca-profile1
user@host# set security pki ca-profile orgB-ca-profile ca-identity ca-profile2 
user@host# set security pki ca-profile orgC-ca-profile ca-identity ca-profile3
  2. Group the CA profiles under a trusted CA group.
    content_copy zoom_out_map
    [edit]
set security pki trusted-ca-group orgABC-trusted-ca-group ca-profiles [orgA-ca-profile orgB-ca-profile orgC-ca-profile]]
  3. Commit the configuration when you are done configuring the CA profiles and the trusted CA groups.
    content_copy zoom_out_map
    [edit]
user@host# commit

To view the CA profiles and the trusted CA groups configured on your device, run show security pki command.

content_copy zoom_out_map
user@host# show security pki
ca-profile orgA-ca-profile {
    ca-identity ca-profile1;
}
ca-profile orgB-ca-profile {
    ca-identity ca-profile2;
}
ca-profile orgC-ca-profile {
    ca-identity ca-profile3;
}
trusted-ca-group orgABC-trusted-ca-group {
    ca-profiles [ orgA-ca-profile orgB-ca-profile orgC-ca-profile ];
}

The show security pki command displays all the CA profiles that are grouped under the orgABC_trusted-ca-group.

Delete a CA Profile from a Trusted CA Group

You can delete a specific CA profile in a trusted CA group or you can delete the trusted CA group itself.

For example, if you want to delete a CA profile named orgC-ca-profile from a trusted CA group orgABC-trusted-ca-group, configured on your device as shown in Configure a Trusted CA Group topic perform the following steps:

  1. Delete a CA profile from the trusted CA group.
    content_copy zoom_out_map
    [edit]
user@host# delete security pki trusted-ca-group orgABC-trusted-ca-group ca-profiles orgC-ca-profile
  2. If you are done deleting the CA profile from the trusted CA group, commit the configuration.
    content_copy zoom_out_map
    [edit]
user@host# commit

To view the orgC-ca-profile being deleted from the orgABC-trusted-ca-group , run the show security pki command.

content_copy zoom_out_map
user@host# show security pki
ca-profile orgA-ca-profile {
    ca-identity ca-profile1;
}
ca-profile orgB-ca-profile {
    ca-identity ca-profile2;
}
trusted-ca-group orgABC-trusted-ca-group {
    ca-profiles [ orgA-ca-profile orgB-ca-profile ];
}

The output does not display the orgC-ca-profile profile as it is deleted from the trusted CA group.

Delete a Trusted CA Group

An entity can support many trusted CA groups and you can delete any trusted CA group for an entity.

For example, if you want to delete a trusted CA group named orgABC-trusted-ca-group, configured on your device as shown in Configure a Trusted CA Group topic perform the following steps:

  1. Delete a trusted CA group.
    content_copy zoom_out_map
    [edit]
user@host# delete security pki trusted-ca-group orgABC-trusted-ca-group
  2. If you are done deleting the CA profile from the trusted CA group, commit the configuration.
    content_copy zoom_out_map
    [edit]
user@host# commit

To view the orgABC-trusted-ca-group being deleted from the entity , run the show security pki command.

content_copy zoom_out_map
user@host# show security pki
ca-profile orgA-ca-profile {
    ca-identity ca-profile1;
}
ca-profile orgB-ca-profile {
    ca-identity ca-profile2;
}

The output does not display the orgABC-trusted-ca-group as it is deleted from the entity.

Certificate Authority Profiles

A certificate authority (CA) profile configuration contains information specific to a CA. You can have multiple CA profiles on an SRX Series Firewall. For example, you might have one profile for orgA and one for orgB. Each profile is associated with a CA certificate. If you want to load a new CA certificate without removing the older one then create a new CA profile (for example, Microsoft-2008).

Starting with Junos OS Release 18.1R1, the CA server can be an IPv6 CA server.

The PKI module supports IPv6 address format to enable the use of SRX Series Firewalls in networks where IPv6 is the only protocol used.

A CA issues digital certificates, which helps to establish secure connection between two endpoints through certificate validation. You can group multiple CA profiles in one trusted CA group for a given topology. These certificates are used to establish a connection between two endpoints. To establish IKE or IPsec, both the endpoints must trust the same CA. If either of the endpoints are unable to validate the certificate using their respective trusted CA (ca-profile) or trusted CA group, the connection is not established. A minimum of one CA profile is mandatory to create a trusted CA group and maximum of 20 CAs are allowed in one trusted CA group. Any CA from a particular group can validate the certificate for that particular endpoint.

Starting with Junos OS Release 18.1R1, validation of a configured IKE peer can be done with a specified CA server or group of CA servers. A group of trusted CA servers can be created with the trusted-ca-group configuration statement at the [edit security pki] hierarchy level; one or multiple CA profiles can be specified. The trusted CA server is bound to the IKE policy configuration for the peer at [edit security ike policy policy certificate] hierarchy level.

If proxy profile is configured in CA profile, the device connects to the proxy host instead of the CA server while certificate enrollment, verification or revocation. The proxy host communicates with the CA server with the requests from the device, and then relay the response to the device.

CA proxy profile supports SCEP, CMPv2, and OCSP protocols.

CA proxy profile is supported only on HTTP and is not supported on HTTPS protocol.

Example: Configure a CA Profile

This example shows how to configure a CA profile.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, you create a CA profile called ca-profile-ipsec with CA identity microsoft-2008. You then create proxy profile to the CA profile. The configuration specifies that the CRL be refreshed every 48 hours, and the location to retrieve the CRL is http://www.my-ca.com. Within the example, you set the enrollment retry value to 20. (The default retry value is 10.)

Automatic certificate polling is set to every 30 minutes. If you configure retry only without configuring a retry interval, then the default retry interval is 900 seconds (or 15 minutes). If you do not configure retry or a retry interval, then there is no polling.

Configuration

Procedure

Step-by-Step Procedure

To configure a CA profile:

  1. Create a CA profile.

    content_copy zoom_out_map
    [edit]
user@host# set security pki ca-profile ca-profile-ipsec ca-identity microsoft-2008
user@host#

  2. Optionally, configure the proxy profile to the CA profile.

    content_copy zoom_out_map
    [edit]
user@host# set security pki ca-profile ca-profile-ipsec proxy-profile px-profile

    Public key infrastructure (PKI) uses proxy profile configured at the system-level. The proxy profile being used in the CA profile must be configured at the [edit services proxy] hierarchy. There can be more than one proxy profile configured under [edit services proxy] hierarchy. Each CA profile is referred to the most one such proxy profile. You can configure host and port of the proxy profile at the [edit system services proxy] hierarchy.

  3. Create a revocation check to specify a method for checking certificate revocation.

    content_copy zoom_out_map
    [edit]
user@host# set security pki ca-profile ca-profile-ipsec ca-identity microsoft-2008 revocation-check crl

  4. Set the refresh interval, in hours, to specify the frequency in which to update the CRL. The default values are next-update time in CRL, or 1 week, if no next-update time is specified.

    content_copy zoom_out_map
    [edit]
user@host# set security pki ca-profile ca-profile-ipsec ca-identity microsoft-2008 revocation-check crl refresh-interval 48 url http://www.my-ca.com/my-crl.crl

  5. Specify the enrollment retry value.

    content_copy zoom_out_map
    [edit]
user@host# set security pki ca-profile ca-profile-ipsec enrollment retry 20

  6. Specify the time interval in seconds between attempts to automatically enroll the CA certificate online.

    content_copy zoom_out_map
    [edit]
user@host# set security pki ca-profile ca-profile-ipsec enrollment retry-interval 1800

  7. If you are done configuring the device, commit the configuration.

    content_copy zoom_out_map
    [edit]
user@host# commit

Verification

To verify the configuration is working properly, enter the show security pki command.

Example: Configure an IPv6 address as the Source Address for a CA Profile

This example shows how to configure an IPv6 address as the source address for a CA profile.

No special configuration beyond device initialization is required before configuring this feature.

In this example, create a CA profile called orgA-ca-profile with CA identity v6-ca and set the source address of the CA profile to be an IPv6 address, such as 2001:db8:0:f101::1. You can configure the enrollment URL to accept an IPv6 address http://[2002:db8:0:f101::1]:/.../.

  1. Create a CA profile.
    content_copy zoom_out_map
    [edit]
user@host# set security pki ca-profile orgA-ca-profile ca-identity v6_ca
  2. Configure the source address of the CA profile to be an IPv6 address.
    content_copy zoom_out_map
    [edit]
user@host# set security pki ca-profile v6_ca source-address 2001:db8:0:f101::1
  3. Specify the enrollment parameters for the CA.
    content_copy zoom_out_map
    [edit]
user@host# set security pki ca-profile v6_ca enrollment url http://[2002:db8:0:f101::1]:/.../
  4. If you are done configuring the device, commit the configuration.
    content_copy zoom_out_map
    [edit]
user@host# commit
arrow_backward PREVIOUS Digital Certificates
NEXT arrow_forward Self-Signed Digital Certificates
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top