Certificate Authority

A certificate authority (CA) profile defines every parameter associated with a specific CA certificate that is used to establish a secure connection between two endpoints. The profile specifies which certificate to use, how to verify the certificate's revocation status, and how that status constrains access.

Configuring a Trusted CA Group

This section describes the procedure to create a trusted CA group for a list of CA profiles and delete a trusted CA group.

Creating a Trusted CA Group for a List of CA Profiles

You can configure a trusted CA group and assign it to an entity (for example, an IKE policy) to authorize peers. When a peer attempts to establish a connection, only a certificate issued by one of the CAs in the group assigned to that entity validates successfully. The device checks that the issuer of the presented certificate is one of the CAs trusted for that entity: if it is, the connection is established; if it is not, the connection is rejected.

Before you begin, you must have a list of all the CA profiles you want to add to the trusted group.

In this example, we create three CA profiles named orgA-ca-profile, orgB-ca-profile, and orgC-ca-profile, with the CA identifiers ca-profile1, ca-profile2, and ca-profile3, respectively. We then group all three CA profiles into a trusted CA group named orgABC-trusted-ca-group.

You can configure a maximum of 20 CA profiles for a trusted CA group.

  1. Create CA profiles and associate CA identifiers to the profile.
  2. Group the CA profiles under a trusted CA group.
  3. Commit the configuration when you are done configuring the CA profiles and the trusted CA groups.
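The three steps above as Junos CLI commands. This is an added example, not configuration from the original page; the user@host prompt and the IKE policy name ike-policy-1 are assumptions, and the "trusted-ca group" binding syntax in the IKE policy is an assumption to confirm against the IKE policy reference for your release. The show output at the end is the configuration-mode rendering of what was just set.

```junos
[edit]
# Step 1: create the three CA profiles. The ca-identity is the name the CA
# is known by; enrollment and revocation lookups for that profile use it.
user@host# set security pki ca-profile orgA-ca-profile ca-identity ca-profile1
user@host# set security pki ca-profile orgB-ca-profile ca-identity ca-profile2
user@host# set security pki ca-profile orgC-ca-profile ca-identity ca-profile3

# Step 2: group them. A peer certificate issued by any one of these CAs is
# accepted wherever the group is referenced (at most 20 profiles per group).
user@host# set security pki trusted-ca-group orgABC-trusted-ca-group ca-profiles [ orgA-ca-profile orgB-ca-profile orgC-ca-profile ]

# Bind the group to an IKE policy so that peer validation is restricted to
# these three issuers. ike-policy-1 is an assumed policy name, and the
# "trusted-ca group" keyword is an assumed binding syntax.
user@host# set security ike policy ike-policy-1 certificate trusted-ca group orgABC-trusted-ca-group

# Step 3: commit, then confirm the grouping.
user@host# commit
user@host# show security pki
ca-profile orgA-ca-profile {
    ca-identity ca-profile1;
}
ca-profile orgB-ca-profile {
    ca-identity ca-profile2;
}
ca-profile orgC-ca-profile {
    ca-identity ca-profile3;
}
trusted-ca-group orgABC-trusted-ca-group {
    ca-profiles [ orgA-ca-profile orgB-ca-profile orgC-ca-profile ];
}
```

The security-relevant point is the binding in the IKE policy: without it, the group is just a list. With it, a peer presenting a certificate from any CA outside orgA, orgB, or orgC fails validation even if that CA's profile exists elsewhere on the device.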

To view the CA profiles and the trusted CA groups configured on your device, run the show security pki command.

The output lists all the CA profiles that are grouped under orgABC-trusted-ca-group.

Deleting a CA Profile from a Trusted CA Group

You can delete a specific CA profile in a trusted CA group or you can delete the trusted CA group itself.

For example, to delete a CA profile named orgC-ca-profile from the trusted CA group orgABC-trusted-ca-group configured as shown in the Configuring a Trusted CA Group topic, perform the following steps:

  1. Delete a CA profile from the trusted CA group.
  2. If you are done deleting the CA profile from the trusted CA group, commit the configuration.

To verify that orgC-ca-profile has been removed from orgABC-trusted-ca-group, run the show security pki command.

The output no longer lists orgC-ca-profile under the trusted CA group. Only the group membership is removed; the orgC-ca-profile CA profile itself remains configured under [edit security pki] until you delete it separately.

Deleting a Trusted CA Group

An entity can support many trusted CA groups and you can delete any trusted CA group for an entity.

For example, to delete a trusted CA group named orgABC-trusted-ca-group configured as shown in the Configuring a Trusted CA Group topic, perform the following steps:

  1. Delete the trusted CA group.
  2. If you are done deleting the trusted CA group, commit the configuration.
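Both deletion procedures (removing one CA profile from the group, and removing the group itself) as Junos CLI commands, with the show output after each commit. This is an added example, not configuration from the original page; the user@host prompt and the IKE policy name ike-policy-1 (assumed to have been bound to the group) are assumptions.

```junos
[edit]
# Remove one member from the group. Only the membership goes away; the
# ca-profile orgC-ca-profile itself stays configured under [edit security pki].
user@host# delete security pki trusted-ca-group orgABC-trusted-ca-group ca-profiles orgC-ca-profile
user@host# commit
user@host# show security pki trusted-ca-group orgABC-trusted-ca-group
ca-profiles [ orgA-ca-profile orgB-ca-profile ];

# Remove the whole group. Delete the IKE policy binding first (assumed policy
# name ike-policy-1): a policy cannot validate peers against a group that no
# longer exists, so the reference must go before, or together with, the group.
user@host# delete security ike policy ike-policy-1 certificate trusted-ca
user@host# delete security pki trusted-ca-group orgABC-trusted-ca-group
user@host# commit
user@host# show security pki
ca-profile orgA-ca-profile {
    ca-identity ca-profile1;
}
ca-profile orgB-ca-profile {
    ca-identity ca-profile2;
}
ca-profile orgC-ca-profile {
    ca-identity ca-profile3;
}
```

Note that after the group is gone, all three CA profiles are still present. If an issuer is no longer trusted, delete its ca-profile as well; otherwise a later configuration could pick it up again.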

To verify that orgABC-trusted-ca-group has been deleted from the entity, run the show security pki command.

The output no longer displays orgABC-trusted-ca-group. The CA profiles that were members of the group are not deleted; remove them separately if they are no longer needed.

Understanding Certificate Authority Profiles

A certificate authority (CA) profile configuration contains information specific to a CA. You can have multiple CA profiles on an SRX Series Firewall. For example, you might have one profile for orgA and one for orgB. Each profile is associated with a CA certificate. If you want to load a new CA certificate without removing the older one, create a new CA profile (for example, Microsoft-2008).

Starting with Junos OS Release 18.1R1, the CA server can be an IPv6 CA server.

The PKI module supports IPv6 address format to enable the use of SRX Series Firewalls in networks where IPv6 is the only protocol used.

A CA issues digital certificates, which help establish a secure connection between two endpoints through certificate validation. You can group multiple CA profiles into one trusted CA group for a given topology. To establish IKE or IPsec, both endpoints must trust the same CA. If either endpoint is unable to validate the peer's certificate using its trusted CA (ca-profile) or trusted CA group, the connection is not established. A minimum of one CA profile is required to create a trusted CA group, and a maximum of 20 CAs are allowed in one trusted CA group. Any CA in the group can validate the certificate presented by the peer.

Starting with Junos OS Release 18.1R1, validation of a configured IKE peer can be done with a specified CA server or group of CA servers. A group of trusted CA servers can be created with the trusted-ca-group configuration statement at the [edit security pki] hierarchy level; one or multiple CA profiles can be specified. The trusted CA or trusted CA group is bound to the IKE policy configuration for the peer at the [edit security ike policy policy-name certificate] hierarchy level.

If a proxy profile is configured in the CA profile, the device connects to the proxy host instead of the CA server during certificate enrollment, verification, and revocation checking. The proxy host forwards the device's requests to the CA server and relays the responses back to the device.

CA proxy profile supports SCEP, CMPv2, and OCSP protocols.

CA proxy profiles support only HTTP; HTTPS to the proxy is not supported.

Example: Configuring a CA Profile

This example shows how to configure a CA profile.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

In this example, you create a CA profile called ca-profile-ipsec with CA identity microsoft-2008. You then attach a proxy profile to the CA profile. The configuration specifies that the CRL be refreshed every 48 hours, and that the location to retrieve the CRL is http://www.my-ca.com. Within the example, you set the enrollment retry value to 20. (The default retry value is 10.)

The automatic enrollment retry interval is set to 30 minutes. If you configure retry without configuring a retry interval, the default retry interval is 900 seconds (15 minutes). If you configure neither retry nor a retry interval, there is no polling.

Configuration

Procedure

Step-by-Step Procedure

To configure a CA profile:

  1. Create a CA profile.

  2. Optionally, configure the proxy profile to the CA profile.

    Public key infrastructure (PKI) uses a proxy profile configured at the system level. The proxy profile used in the CA profile must be configured at the [edit services proxy] hierarchy level. More than one proxy profile can be configured under that hierarchy, but each CA profile references at most one of them. The host and port of the proxy are configured in the proxy profile itself.

  3. Create a revocation check to specify a method for checking certificate revocation.

  4. Set the refresh interval, in hours, to specify how often the CRL is updated. By default, the CRL is refreshed at the next-update time given in the CRL, or after one week if the CRL specifies no next-update time.

  5. Specify the enrollment retry value.

  6. Specify the time interval in seconds between attempts to automatically enroll the CA certificate online.

  7. If you are done configuring the device, commit the configuration.
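The complete procedure as Junos CLI commands. This is an added example, not configuration from the original page; the user@host prompt, the proxy profile name px-profile, and the proxy host 192.0.2.10 and port 3128 are assumptions, as is the exact services proxy syntax, which you should confirm against the reference for your release. The CA profile values (ca-profile-ipsec, microsoft-2008, 48 hours, http://www.my-ca.com, 20 retries, 30 minutes) are the ones the Overview describes.

```junos
[edit]
# The proxy profile lives at the system level under [edit services proxy].
# Name, host, and port are assumptions for this example.
user@host# set services proxy profile px-profile protocol http host 192.0.2.10
user@host# set services proxy profile px-profile protocol http port 3128

# Step 1: the CA profile and the identity of the CA it represents.
user@host# set security pki ca-profile ca-profile-ipsec ca-identity microsoft-2008
# Step 2 (optional): send enrollment, verification, and revocation traffic
# through the proxy. Only HTTP to the proxy is supported.
user@host# set security pki ca-profile ca-profile-ipsec proxy-profile px-profile
# Steps 3 and 4: check revocation against a CRL, re-fetched every 48 hours
# from the given URL rather than waiting for the CRL's own next-update time.
user@host# set security pki ca-profile ca-profile-ipsec revocation-check crl refresh-interval 48
user@host# set security pki ca-profile ca-profile-ipsec revocation-check crl url http://www.my-ca.com
# Steps 5 and 6: retry online CA-certificate enrollment up to 20 times,
# 1800 seconds (30 minutes) apart. Defaults are 10 retries and 900 seconds.
user@host# set security pki ca-profile ca-profile-ipsec enrollment retry 20
user@host# set security pki ca-profile ca-profile-ipsec enrollment retry-interval 1800
# Step 7: commit and verify.
user@host# commit
user@host# show security pki ca-profile ca-profile-ipsec
ca-identity microsoft-2008;
enrollment {
    retry 20;
    retry-interval 1800;
}
proxy-profile px-profile;
revocation-check {
    crl {
        refresh-interval 48;
        url http://www.my-ca.com;
    }
}
```

Two practitioner notes. A 48-hour refresh means a certificate revoked just after a fetch can remain accepted for up to two days; pick the interval from how quickly you need revocations to take effect, not from convenience. Junos also offers disable on-download-failure under revocation-check crl, which skips the check when the CRL cannot be fetched; that fails open and should not be used where the revocation state of peers matters.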

Verification

To verify the configuration is working properly, enter the show security pki command.

Example: Configuring an IPv6 address as the Source Address for a CA Profile

This example shows how to configure an IPv6 address as the source address for a CA profile.

No special configuration beyond device initialization is required before configuring this feature.

In this example, you create a CA profile called orgA-ca-profile with CA identity v6-ca and set the source address of the CA profile to an IPv6 address, such as 2001:db8:0:f101::1. The enrollment URL accepts an IPv6 address written in brackets, for example http://[2002:db8:0:f101::1]:/.../.

  1. Create a CA profile.
  2. Configure the source address of the CA profile to be an IPv6 address.
  3. Specify the enrollment parameters for the CA.
  4. If you are done configuring the device, commit the configuration.
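The four steps above as Junos CLI commands. This is an added example, not configuration from the original page; the user@host prompt is an assumption, and the enrollment URL keeps the page's own elided path placeholder (".../"), which you must replace with your CA's real enrollment path.

```junos
[edit]
# Step 1: the CA profile and its CA identity.
user@host# set security pki ca-profile orgA-ca-profile ca-identity v6-ca
# Step 2: source all PKI traffic for this profile (enrollment, CRL and OCSP
# fetches) from this IPv6 address, which must be configured on a local
# interface that can reach the CA.
user@host# set security pki ca-profile orgA-ca-profile source-address 2001:db8:0:f101::1
# Step 3: enrollment URL. An IPv6 literal must be enclosed in brackets so
# the colons in the address are not parsed as the port separator. The path
# after the host is the page's placeholder; substitute the CA's real path.
user@host# set security pki ca-profile orgA-ca-profile enrollment url http://[2002:db8:0:f101::1]:/.../
# Step 4: commit.
user@host# commit
```

The source address matters for more than routing: the CA, a firewall in front of it, or a proxy may allow enrollment and revocation requests only from known addresses, so fix the address here rather than letting the device pick an egress address that may change.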

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release   Description
18.1R1    Starting with Junos OS Release 18.1R1, the CA server can be an IPv6 CA server.
18.1R1    Starting with Junos OS Release 18.1R1, validation of a configured IKE peer can be done with a specified CA server or group of CA servers.