Dynamic Update of Trusted CA Certificates
Read this topic to understand and configure dynamic update of default trusted CA certificates on your Junos OS devices.
A Junos OS device, such as an SRX Series Firewall, provides a list of default trusted CA (certificate authority) certificates. The Junos OS device manages these certificates dynamically. You can also create a custom list of trusted CA certificates and load them into the device, but you must manage custom trusted CA certificates manually. This section focuses on dynamic management of the default trusted CA certificates.
With dynamic update of the default trusted CA bundle:
- Removal of a CA in the event of compromise is taken care of automatically.
- Addition of a new CA to the default trusted CA bundle is immediate, without having to wait for a new Junos OS release.
To load the default trusted CA certificates, see request security pki ca-certificate ca-profile-group load with the filename default option.
Tasks involved in dynamic update of trusted CA bundle
The following tasks are performed as part of dynamic update of the default trusted CA bundle:
- The Juniper CDN server (http://signatures.juniper.net/cacert) hosts the default trusted CA certificates.
- The server hosts a signed copy of the target file and the manifest file, along with the EE certificate used to verify the signed copies of these files. The target file contains the list of default trusted CA certificates (default-trusted-ca-certs). The manifest file includes the revision number and the modification date of the default trusted CA bundle.
- Automatic download of the trusted CA bundle is enabled by default on the Junos OS device. You can use either the default or a non-default routing instance to connect to the Internet to download and update the default trusted CA certificates.
- The Public Key Management (PKI) process, using PKID, securely downloads the default trusted CA bundle (default-trusted-ca-certs) from the CDN server to the device. Dynamic update of trusted CA certificates does not manage any changes to a previously loaded ca-profile-group, manually added CA certificates, or certificates that are part of other trusted groups.
- Once the ca-profile-group load command is issued, the PKI process loads the default trusted CA certificates in the background, which unblocks the CLI and lets you proceed with other tasks.
- If no ca-profile-group is associated with default-trusted-ca-certs, PKI still downloads the latest copy of the trusted CA bundle to the device at each periodic poll.
- If a CA certificate is deleted from the default trusted CA list, the PKI process ensures that all references to the CA certificate are removed. If any references are present in the trusted-ca-group, it holds only the references to ca-profile names, with the actual CA certificates already deleted. See Configure Dynamic Update of Trusted CA Certificates.
- The PKI process periodically polls the CDN server, by default every 24 hours, for the latest default trusted CA bundle and updates the list with any changes to the trusted CAs in the bundle. If there are any changes, the PKI process loads them in the background. You can optionally change the polling interval or disable the auto-update process. See Configure Dynamic Update of Trusted CA Certificates.
Configure Dynamic Update of Trusted CA Certificates
Prerequisites
Before configuring dynamic update of default trusted CA certificates, ensure that you meet the following prerequisites:
- Basic configuration of the Junos OS device is completed.
- Your Junos OS device can reach the Juniper CDN server. You can also use a non-default routing instance to connect to the Internet to download the default trusted CA certificates. Ensure that the non-default routing instance is configured before you configure dynamic update of trusted CA certificates. Contact Juniper sales for Juniper CDN server details.
- For a custom CDN server, ensure that you have the latest CA certificates and the URL. Configuration of a custom CDN server is out of scope of this topic.
Based on your requirements, navigate to the following tasks to configure dynamic update of default trusted CA bundle.
- Check connectivity to the CDN server
- Enable automatic download of default trusted CA certificates
- Provide custom configuration for automatic download of default trusted CA certificates
- Download default trusted CA certificates explicitly
- Check the download status of default trusted CA certificates
- Deactivate automatic download of trusted CA certificates
Check connectivity to the CDN server
Overview
Use the following command to check connectivity to the CDN server for downloading default trusted CA certificates. This command downloads the manifest file and displays the trusted-ca-bundle version available on the CDN server.
See request security pki ca-certificate ca-profile-group default-trusted-ca-certs for details about the command.
Configuration
- To check connectivity to the CDN server from operational mode of the Junos OS device:
    user@host> request security pki ca-certificate ca-profile-group default-trusted-ca-certs download check-server
Enable automatic download of default trusted CA certificates
Overview
Juniper Networks regularly updates the default trusted CA certificates on the Juniper CDN server and makes them available for download on Junos OS devices. Automatic download of default trusted CA certificates is enabled by default on the Junos OS device. You can customize the configuration and load the latest default trusted CA certificates at specified intervals. The default periodicity is 24 hours when you don’t specify a value. When you use the default Juniper CDN server (http://signatures.juniper.net/cacert), no separate configuration is needed.
This example shows how to enable automatic download of default trusted CA certificates on the Junos OS device using the default configuration settings. See default-trusted-ca-certs (Security) for details about the configuration statement. The downloaded default trusted CA certificates are loaded automatically in the background using the request security pki ca-certificate ca-profile-group load command. You don't have to run this command explicitly to load the certificates.
Configuration
As automatic download of default trusted CA certificates is enabled by default, no separate configuration is needed.
Provide custom configuration for automatic download of default trusted CA certificates
Overview
In this example, you provide the following custom configuration while enabling the automatic download of custom CA certificates:
- Configure the Junos OS device to download and install the default trusted CA certificates every 48 hours.
- Specify the custom CDN server reachable via the URL signatures.example.net.
- Specify a non-default routing instance to reach the CDN server.
See default-trusted-ca-certs (Security) for details about the configuration statement.
Configuration
- Set the periodicity of download and load operations to 48 hours. This statement also loads the certificates into the Junos OS device automatically.
    [edit]
    user@host# set security pki default-trusted-ca-certs automatic-download interval hours 48
- Specify the custom URL.
    [edit]
    user@host# set security pki default-trusted-ca-certs automatic-download url signatures.example.net
- Specify the routing instance.
    [edit]
    user@host# set security pki default-trusted-ca-certs automatic-download routing-instance RI1
- Commit the configuration.
    [edit]
    user@host# commit
Download default trusted CA certificates explicitly
Overview
Use the following command to manually download default trusted CA certificates to the Junos OS device from the CDN server. This command is in addition to the automatic download of default trusted CA certificates at regular intervals.
See request security pki ca-certificate ca-profile-group default-trusted-ca-certs for details about the command.
Configuration
- To explicitly download default trusted CA certificates from operational mode of the Junos OS device:
    user@host> request security pki ca-certificate ca-profile-group default-trusted-ca-certs download
Check the download status of default trusted CA certificates
Overview
Use the following command to check the download status of default trusted CA certificates on the Junos OS device from the CDN server. This command displays the version number and version date. You can use this command to check the previously downloaded version and date.
See request security pki ca-certificate ca-profile-group default-trusted-ca-certs for details about the command.
Configuration
- To check the version number and version date available on the Junos OS device:
    user@host> request security pki ca-certificate ca-profile-group default-trusted-ca-certs download status
Deactivate automatic download of trusted CA certificates
Overview
Automatic download is enabled by default. This example shows how to deactivate the automatic download of default trusted CA certificates, though we don't recommend doing so.
See default-trusted-ca-certs (Security) for details about the configuration statement.
Configuration
- To deactivate automatic download of default trusted CA certificates:
    [edit]
    user@host# set security pki default-trusted-ca-certs automatic-download deactivate
- Commit the configuration.
    [edit]
    user@host# commit
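The following is an added example, not Juniper code: a Python check that reads configuration supplied as set commands in the form shown in this topic, reports the effective automatic-download settings using the defaults stated here (24 hours, the Juniper CDN URL), and flags a deactivated or redirected auto-update. The function name, finding texts, and sample inputs are constructed for illustration.

```python
PREFIX = "set security pki default-trusted-ca-certs automatic-download".split()
DEFAULT_URL = "http://signatures.juniper.net/cacert"  # default CDN named in this topic
DEFAULT_INTERVAL_HOURS = 24  # default polling period stated in this topic

# Constructed sample inputs, assembled from the commands shown in this topic.
SAMPLE_CUSTOM = """\
set security pki default-trusted-ca-certs automatic-download interval hours 48
set security pki default-trusted-ca-certs automatic-download url signatures.example.net
set security pki default-trusted-ca-certs automatic-download routing-instance RI1
"""
SAMPLE_DEACTIVATED = "[edit] user@host# set security pki default-trusted-ca-certs automatic-download deactivate\n"


def audit_auto_update(config_text):
    """Return the effective auto-update settings plus a list of findings."""
    state = {"enabled": True, "interval_hours": DEFAULT_INTERVAL_HOURS,
             "url": DEFAULT_URL, "routing_instance": None, "findings": []}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if "set" in tokens:  # drop pasted prompt residue such as "[edit] user@host#"
            tokens = tokens[tokens.index("set"):]
        if tokens[:len(PREFIX)] != PREFIX:
            continue  # statement belongs to some other part of the configuration
        args = tokens[len(PREFIX):]
        if args == ["deactivate"]:
            state["enabled"] = False
        elif len(args) == 3 and args[:2] == ["interval", "hours"] and args[2].isdigit():
            state["interval_hours"] = int(args[2])
        elif len(args) == 2 and args[0] == "url":
            state["url"] = args[1]
        elif len(args) == 2 and args[0] == "routing-instance":
            state["routing_instance"] = args[1]
        else:
            state["findings"].append("unrecognized statement: " + " ".join(args))
    if not state["enabled"]:
        state["findings"].append("automatic download is deactivated (not recommended)")
    if state["url"] != DEFAULT_URL:
        state["findings"].append("custom CDN URL in use: " + state["url"])
    if state["interval_hours"] > DEFAULT_INTERVAL_HOURS:
        state["findings"].append(
            "polling interval of %d hours is longer than the 24-hour default"
            % state["interval_hours"])
    return state


if __name__ == "__main__":
    for label, text in (("custom", SAMPLE_CUSTOM), ("deactivated", SAMPLE_DEACTIVATED)):
        print(label, audit_auto_update(text))
```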