Certificate Authority
Learn about the certificate authority (CA) and understand how to manage CA.
A certificate authority (CA) profile defines every parameter associated with a specific certificate that is used to establish a secure connection between two endpoints. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access.
Configure a Trusted CA Group
This section describes the procedure to create a trusted CA group for a list of CA profiles and delete a trusted CA group.
- Create a Trusted CA Group for a List of CA Profiles
- Delete a CA Profile from a Trusted CA Group
- Delete a Trusted CA Group
Create a Trusted CA Group for a List of CA Profiles
You can configure and assign a trusted CA group to authorize an entity. When a peer tries to establish a connection with a client, only a certificate issued by one of the CAs in that entity's trusted CA group is validated. The device checks whether the issuer of the certificate and the entity presenting it belong to the same client network. If they do, the connection is established; if they do not, the connection is not established.
Before you begin, you must have a list of all the CA profiles you want to add to the trusted group.
In this example, we create three CA profiles named orgA-ca-profile, orgB-ca-profile, and orgC-ca-profile and associate the CA identifiers ca-profile1, ca-profile2, and ca-profile3 with the respective profiles. You then group all three CA profiles into a trusted CA group named orgABC-trusted-ca-group.
You can configure a maximum of 20 CA profiles for a trusted CA group.
To view the CA profiles and the trusted CA groups configured on your device, run the show security pki command.
user@host# show security pki
ca-profile orgA-ca-profile {
    ca-identity ca-profile1;
}
ca-profile orgB-ca-profile {
    ca-identity ca-profile2;
}
ca-profile orgC-ca-profile {
    ca-identity ca-profile3;
}
trusted-ca-group orgABC-trusted-ca-group {
    ca-profiles [ orgA-ca-profile orgB-ca-profile orgC-ca-profile ];
}
The show security pki command displays all the CA profiles that are grouped under orgABC-trusted-ca-group.
Delete a CA Profile from a Trusted CA Group
You can delete a specific CA profile in a trusted CA group or you can delete the trusted CA group itself.
For example, to delete a CA profile named orgC-ca-profile from the trusted CA group orgABC-trusted-ca-group configured on your device as shown in the Configure a Trusted CA Group topic, remove the profile from the group's ca-profiles list in configuration mode and commit the change. The CA profile itself remains configured; only its membership in the group is removed.
To confirm that orgC-ca-profile has been removed from orgABC-trusted-ca-group, run the show security pki command.
user@host# show security pki
ca-profile orgA-ca-profile {
    ca-identity ca-profile1;
}
ca-profile orgB-ca-profile {
    ca-identity ca-profile2;
}
trusted-ca-group orgABC-trusted-ca-group {
    ca-profiles [ orgA-ca-profile orgB-ca-profile ];
}
The output no longer lists orgC-ca-profile under the trusted CA group because it has been deleted from the group.
Delete a Trusted CA Group
An entity can have many trusted CA groups, and you can delete any trusted CA group from an entity.
For example, to delete a trusted CA group named orgABC-trusted-ca-group configured on your device as shown in the Configure a Trusted CA Group topic, delete the trusted-ca-group statement in configuration mode and commit the change. If an IKE policy still references the group, remove that reference first so that no policy points at a deleted group.
To confirm that orgABC-trusted-ca-group has been deleted from the entity, run the show security pki command.
user@host# show security pki
ca-profile orgA-ca-profile {
    ca-identity ca-profile1;
}
ca-profile orgB-ca-profile {
    ca-identity ca-profile2;
}
The output does not display orgABC-trusted-ca-group because it has been deleted from the entity.
Certificate Authority Profiles
A certificate authority (CA) profile configuration contains information specific to a CA. You can have multiple CA profiles on an SRX Series Firewall. For example, you might have one profile for orgA and one for orgB. Each profile is associated with a CA certificate. If you want to load a new CA certificate without removing the older one, create a new CA profile (for example, Microsoft-2008).
Starting with Junos OS Release 18.1R1, the CA server can be an IPv6 CA server.
The PKI module supports IPv6 address format to enable the use of SRX Series Firewalls in networks where IPv6 is the only protocol used.
A CA issues digital certificates, which help establish a secure connection between two endpoints through certificate validation. You can group multiple CA profiles into one trusted CA group for a given topology. To establish IKE or IPsec, both endpoints must trust the same CA. If either endpoint is unable to validate the peer's certificate using its trusted CA (ca-profile) or trusted CA group, the connection is not established. A trusted CA group must contain at least one CA profile and can contain at most 20. Any CA in the group can validate the certificate for that endpoint.
Starting with Junos OS Release 18.1R1, validation of a configured IKE peer can be done with a specified CA server or group of CA servers. A group of trusted CA servers can be created with the trusted-ca-group configuration statement at the [edit security pki] hierarchy level; one or multiple CA profiles can be specified. The trusted CA server or group is bound to the IKE policy configuration for the peer at the [edit security ike policy policy certificate] hierarchy level.
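An added example (not from the original page) of binding the trusted CA group defined earlier to an IKE policy and gateway, so that certificate authentication of the peer accepts only certificates issued by a CA in orgABC-trusted-ca-group. The proposal, policy, gateway and local certificate names, the peer address, the interface and the peer's DN container are assumed for illustration.

```junos
# IKE proposal using certificate (RSA signature) authentication
[edit]
user@host# set security ike proposal ike-prop-cert authentication-method rsa-signatures
user@host# set security ike proposal ike-prop-cert dh-group group14
user@host# set security ike proposal ike-prop-cert authentication-algorithm sha-256
user@host# set security ike proposal ike-prop-cert encryption-algorithm aes-256-cbc

# IKE policy: present our own certificate (assumed local certificate id orgA-device-cert)
# and accept a peer certificate only if its issuer is a CA in orgABC-trusted-ca-group
user@host# set security ike policy ike-pol-orgABC mode main
user@host# set security ike policy ike-pol-orgABC proposals ike-prop-cert
user@host# set security ike policy ike-pol-orgABC certificate local-certificate orgA-device-cert
user@host# set security ike policy ike-pol-orgABC certificate trusted-ca orgABC-trusted-ca-group

# Gateway that uses the policy (peer address, interface and DN container are assumed).
# Pinning remote-identity to a DN container stops any certificate from a group CA
# being accepted for this gateway; only certificates whose subject contains O=orgB match.
user@host# set security ike gateway gw-orgB ike-policy ike-pol-orgABC
user@host# set security ike gateway gw-orgB address 192.0.2.10
user@host# set security ike gateway gw-orgB external-interface ge-0/0/0.0
user@host# set security ike gateway gw-orgB local-identity distinguished-name
user@host# set security ike gateway gw-orgB remote-identity distinguished-name container O=orgB
user@host# commit

# Verify the IKE SA comes up and which certificate/CA was used for the peer
user@host# run show security ike security-associations detail
```

Without the trusted-ca statement the policy would accept a peer certificate chaining to any CA profile loaded on the device, so the binding is what actually narrows trust to the group; the remote-identity match is a second, independent check on who the certificate names.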
If a proxy profile is configured in the CA profile, the device connects to the proxy host instead of the CA server for certificate enrollment, verification, and revocation checking. The proxy host forwards the device's requests to the CA server and relays the responses back to the device.
A CA proxy profile supports the SCEP, CMPv2, and OCSP protocols.
A CA proxy profile is supported only over HTTP; HTTPS is not supported.
Example: Configure a CA Profile
This example shows how to configure a CA profile.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you create a CA profile called ca-profile-ipsec with CA identity microsoft-2008. You then attach a proxy profile to the CA profile. The configuration specifies that the CRL be refreshed every 48 hours and that it be retrieved from http://www.my-ca.com/my-crl.crl. You also set the enrollment retry value to 20 (the default is 10).
Automatic certificate polling is set to every 30 minutes. If you configure retry without a retry interval, the default retry interval is 900 seconds (15 minutes). If you configure neither retry nor a retry interval, there is no polling.
Configuration
Procedure
Step-by-Step Procedure
To configure a CA profile:
Create a CA profile.
[edit]
user@host# set security pki ca-profile ca-profile-ipsec ca-identity microsoft-2008
Optionally, attach a proxy profile to the CA profile.
[edit]
user@host# set security pki ca-profile ca-profile-ipsec proxy-profile px-profile
Public key infrastructure (PKI) uses a proxy profile configured at the system level. The proxy profile referenced in the CA profile must be configured at the [edit services proxy] hierarchy, where you set the host and port of the proxy. More than one proxy profile can be configured under [edit services proxy], but each CA profile can reference at most one of them.
Create a revocation check to specify a method for checking certificate revocation.
[edit]
user@host# set security pki ca-profile ca-profile-ipsec revocation-check crl
Set the refresh interval, in hours, at which the CRL is updated, and the URL from which the CRL is retrieved. If you do not configure a refresh interval, the device uses the next-update time in the CRL, or 1 week if the CRL specifies no next-update time.
[edit]
user@host# set security pki ca-profile ca-profile-ipsec revocation-check crl refresh-interval 48
user@host# set security pki ca-profile ca-profile-ipsec revocation-check crl url http://www.my-ca.com/my-crl.crl
Specify the enrollment retry value.
[edit]
user@host# set security pki ca-profile ca-profile-ipsec enrollment retry 20
Specify the time interval, in seconds, between attempts to automatically enroll the CA certificate online.
[edit]
user@host# set security pki ca-profile ca-profile-ipsec enrollment retry-interval 1800
If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify that the configuration is working properly, enter the show security pki command.
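An added example (not from the original page) that completes the procedure above: the system-level proxy profile that px-profile refers to, the enrollment URL the CA profile needs before it can fetch anything, and the operational commands that pull the CA certificate through the proxy and confirm that both the CA certificate and the CRL are loaded. The proxy host and port and the SCEP enrollment URL are assumed.

```junos
# System-level proxy profile referenced by the CA profile (HTTP only; HTTPS proxies are not supported).
# Host and port are assumed values.
[edit]
user@host# set services proxy profile px-profile protocol http host 10.10.10.5
user@host# set services proxy profile px-profile protocol http port 3128

# The CA profile needs an enrollment URL to fetch the CA certificate over SCEP (assumed URL)
user@host# set security pki ca-profile ca-profile-ipsec enrollment url http://www.my-ca.com/certsrv/mscep/mscep.dll
user@host# commit
user@host# exit

# Retrieve the CA certificate through the proxy. The command prints the certificate
# fingerprint and asks for confirmation; compare it with the value the CA operator
# published out of band before answering yes.
user@host> request security pki ca-certificate enroll ca-profile ca-profile-ipsec

# Confirm the CA certificate is installed and inspect issuer, validity period and fingerprint
user@host> show security pki ca-certificate ca-profile ca-profile-ipsec detail

# Confirm the CRL was fetched from http://www.my-ca.com/my-crl.crl and note its next-update time;
# with refresh-interval 48 the device re-fetches every 48 hours regardless of that value
user@host> show security pki crl ca-profile ca-profile-ipsec detail

# If the CRL URL is unreachable, load a CRL copied to the device manually (file path assumed)
user@host> request security pki crl load ca-profile ca-profile-ipsec filename /var/tmp/my-crl.crl
```

The fingerprint confirmation at enrollment is the one point where trust in this CA is actually established; everything the profile later validates rests on it, so it is worth checking against a value obtained outside the HTTP path that the proxy sees.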
Example: Configure an IPv6 address as the Source Address for a CA Profile
This example shows how to configure an IPv6 address as the source address for a CA profile.
No special configuration beyond device initialization is required before configuring this feature.
In this example, you create a CA profile called orgA-ca-profile with CA identity v6-ca and set the source address of the CA profile to an IPv6 address, such as 2001:db8:0:f101::1. You can also configure the enrollment URL with an IPv6 address, for example http://[2002:db8:0:f101::1]:/.../ (the IPv6 literal must be enclosed in square brackets).
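The configuration-mode commands for the IPv6 example above, as an added example that is not part of the original page. The source-address statement under the CA profile sets the address the device uses for its own connections to the CA (SCEP enrollment, CRL and OCSP fetches) and is assumed here to be the statement the text refers to; the CA server address 2001:db8:0:f101::2, the SCEP path and the CRL path are assumed.

```junos
[edit]
user@host# set security pki ca-profile orgA-ca-profile ca-identity v6-ca

# Source address for the device's own connections to the CA; must be an address
# configured on an interface of this device (the example value from the text)
user@host# set security pki ca-profile orgA-ca-profile source-address 2001:db8:0:f101::1

# IPv6 literals inside a URL are enclosed in [ ]; the port follows the closing bracket.
# Server address, port and path are assumed values.
user@host# set security pki ca-profile orgA-ca-profile enrollment url http://[2001:db8:0:f101::2]:8080/scep/v6-ca
user@host# set security pki ca-profile orgA-ca-profile revocation-check crl url http://[2001:db8:0:f101::2]/v6-ca.crl
user@host# commit

# Check the rendered profile, then exercise it end to end over IPv6
user@host# show security pki ca-profile orgA-ca-profile
user@host# run request security pki ca-certificate enroll ca-profile orgA-ca-profile
user@host# run show security pki ca-certificate ca-profile orgA-ca-profile
```

Setting the source address explicitly matters in dual-stack or multi-homed deployments: it is the address the CA and any proxy will see, so it is the one that must be permitted in their access controls.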