Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

certificate

Syntax

Hierarchy Level

Description

Specify usage of a digital certificate to authenticate the virtual private network (VPN) initiator and recipient.

Options

local-certificate certificate-id —Specify a particular certificate when the local device has multiple loaded certificates. The device deletes existing IKE and IPsec SAs when you update the local-certificate configuration in the IKE policy. Starting in Junos OS Release 19.1R1, a commit check is added to prevent user from adding ., /, %, and space in a certificate identifier while generating a local or remote certificates or a key pair.

peer-certificate-type—Specify a preferred type of certificate (PKCS7 or X509).

  • pkcs7—Public-Key Cryptography Standard #7.

  • x509-signature—X509 is an ITU-T standard for public key infrastructure. This is the default value.

policy-oids oid—Configure policy object identifiers (OIDs). This configuration is optional. Policy OID contained in a peer’s certificate or certificate chain. Up to five policy OIDs can be configured. Each OID can be up to 63 bytes long. You must ensure that at least one of the configured policy OIDs is included in a peer’s certificate or certificate chain. Note that the policy-oids field in a peer’s certificate is optional. If you configure policy OIDs in an IKE policy and the peer’s certificate chain does not contain any policy OIDs, certificate validation for the peer fails.

trusted-ca—Specify a name for the trusted CA group. A minimum of one CA profile is mandatory to create a trusted CA group and a maximum of 20 CAs are allowed in one trusted CA group. Any CA from a particular group can validate the certificate for that particular entity. Specify the preferred certificate authority (CA) to use when requesting a certificate from the peer. You can associate an IKE policy to a single trusted CA profile or a trusted CA group. During certificate validation the IKE policy will limit itself to the configured group of CAs while establishing a secure connection. Any certificate issued other than the single trusted CA or the trusted CA group are not validated.

  • ca-profile ca-profile-name—Specify a name for the CA profiles. A Certificate Authority (CA) is an entity that issues digital certificates which helps to establish secure connection between peers through certificate validation.

  • trusted-ca-group trusted-ca-group-name—Specify a name for the trusted CA group. A minimum of one CA profile is mandatory to create a trusted CA group and a maximum of 20 CAs are allowed in one trusted CA group. Any CA from a particular group can validate the certificate for that particular topology.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5. policy-oids option added in Junos OS Release 12.3X48-D10. Support for trusted-ca option added in Junos OS Release 18.1R1.

Related Documentation