Introduction to PKI in Junos OS
This topic describes the basic elements of public key infrastructure (PKI) in Junos OS, including the components of the PKI, certificate life cycle management, and use within Internet Key Exchange (IKE). It includes the following sections:
Fundamentals of the PKI
Junos OS is the Juniper Networks single operating system and provides the following features:
Powerful operating system with rich IP services toolkit.
Unmatched IP dependability and security to ensure an efficient and predictable IP infrastructure.
Enhanced security and VPN capabilities from Juniper Networks Firewall/IP Security (IPsec) VPN platforms including the SSG product family.
For more details on digital certificates, see the Junos OS System Basics Guide available at: https://www.juniper.net/documentation/software/junos/.
For information on crypto, RSA, and PKI, visit the website http://www.rsasecurity.com/rsalabs.
For a list of PKI-related technical terms, see the Glossary of PKI Related Terms.
PKI Applications Overview
The Junos OS uses public/private keys in the following areas:
SSH/SCP (for secure command-line interface [CLI]-based administration)
Secure Sockets Layer (SSL) (for secure Web-based administration and for https-based webauth for user authentication)
Internet Key Exchange (IKE) (for IPsec VPN tunnels)
Note the following points:
Currently, Junos OS uses PKI certificates for public key validation only with IKE.
Identity binding with SSL is not currently supported. A brief section on SSL is included in this topic. For more information, see Overview on Usage of SSL and IPsec/IKE Methods.
SSH and SCP are used exclusively for system administration and depend on out-of-band fingerprints for public key identity binding and validation. SSH is not covered in this topic.
Components for Administering PKI in Junos OS
The following components are required for administrating PKI in Junos OS:
CA certificates and authority configuration
Local certificates, including the device's identity (for example, the IKE ID type and value) and its private and public keys
Certificate validation through a certificate revocation list (CRL)
Basic Elements of PKI in Junos OS
Junos OS supports three specific types of PKI objects:
Private/public key pair
Certificates
Local certificate—The local certificate contains the public key and identity information for the Juniper Networks device. The Juniper Networks device owns the associated private key. This certificate is generated based on a certificate request from the Juniper Networks device.
Pending certificate — A pending certificate contains a key pair and identity information that is generated into a PKCS#10 certificate request and manually sent to a certificate authority (CA). While the Juniper Networks device waits for the certificate from the CA, the existing object (key pair and certificate request) is tagged as a certificate request or pending certificate.
Note: Junos OS Release 9.0 and later supports automatic sending of certificate requests through SCEP. For more information, see Appendix D: Simple Certificate Enrollment Protocol.
CA certificate — When the CA issues the certificate and it is loaded into the Junos OS device, the pending certificate is replaced by the new local certificate. Every other certificate loaded into the device is treated as a CA certificate.
Certificate revocation lists (CRLs)
Note the following points about certificates:
Local certificates are generally used when a Junos OS device has VPNs in more than one administrative domain.
All PKI objects are stored in a separate partition of persistent memory, apart from the Junos OS image and the system’s general configuration.
Each PKI object has a unique name, or certificate-ID, assigned when it is created, and it keeps that ID until it is deleted. You can view the certificate-ID with the show security pki local-certificate command.
A certificate cannot be copied from a device under most circumstances. The private key must be generated on the device itself and should never be viewed or exported from it. For this reason, PKCS#12 files (which bundle a certificate, its public key, and the associated private key) are not supported on Junos OS devices.
CA certificates are used to validate the certificates received from the IKE peer. If the peer certificate chains to a trusted CA certificate, it is then checked against the CRL to determine whether it has been revoked.
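The manual life cycle of the objects described above (key pair, pending certificate, local certificate, CA certificate, CRL), as an added example of the Junos CLI commands involved; it is not part of the original page. The certificate-ID vpn-gw-cert, the CA profile corp-ca, the subject, domain name, e-mail address and file names are assumptions chosen for illustration, and the CA profile is assumed to be configured already.

```junos
# Added example, not from the original page. Names and paths are assumptions.

# 1. Generate the private/public key pair on the device. The private key is
#    created here and never leaves the device; only the request is exported.
request security pki generate-key-pair certificate-id vpn-gw-cert size 2048 type rsa

# 2. Generate the PKCS#10 request. The object is now a pending certificate
#    (key pair plus request). The domain name becomes the IKE ID carried in
#    the certificate's subject alternative name.
request security pki generate-certificate-request certificate-id vpn-gw-cert subject "CN=vpn-gw,OU=IT,O=Example,L=Sunnyvale,ST=CA,C=US" domain-name vpn-gw.example.com email vpn-admin@example.com filename /var/tmp/vpn-gw-cert.csr

# 3. Out of band: copy /var/tmp/vpn-gw-cert.csr to the CA, have it signed,
#    and copy the issued certificate, the CA certificate and the CRL back to
#    /var/tmp on the device.

# 4. Load the CA certificate into the (already configured) CA profile.
request security pki ca-certificate load ca-profile corp-ca filename /var/tmp/corp-ca.crt

# 5. Load the issued certificate under the same certificate-id. The pending
#    certificate is replaced by the local certificate; the key pair is reused.
request security pki local-certificate load certificate-id vpn-gw-cert filename /var/tmp/vpn-gw-cert.crt

# 6. Load the CRL manually if the device cannot reach the CDP itself.
request security pki crl load ca-profile corp-ca filename /var/tmp/corp-ca.crl

# 7. Verify the resulting objects and their certificate-IDs.
show security pki local-certificate certificate-id vpn-gw-cert detail
show security pki ca-certificate ca-profile corp-ca
show security pki crl ca-profile corp-ca
```

Step 5 only succeeds if the loaded certificate's public key matches the key pair generated in step 1 under that certificate-ID, which is what keeps the private key bound to the device.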
Each CA certificate includes a CA profile configuration that stores the following information:
CA identity, which is typically the domain name of the CA
E-mail address for sending the certificate requests directly to the CA
Revocation settings:
Revocation check enable/disable option
Disabling of revocation check in case of CRL download failure.
Location of CRL Distribution Point (CDP) (for manual URL setting)
CRL refresh interval
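A CA profile carrying the settings listed above, as an added configuration example that is not from the original page. The profile name corp-ca, the CA identity, the enrollment and CDP URLs and the administrator e-mail address are assumptions chosen for illustration.

```junos
# Added example, not from the original page. Names and URLs are assumptions.

# CA identity and where to send requests (SCEP URL and administrator e-mail).
set security pki ca-profile corp-ca ca-identity corp-ca.example.com
set security pki ca-profile corp-ca enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
set security pki ca-profile corp-ca administrator email-address pki-admin@example.com

# Revocation settings: check the CRL, fetch it from a manually configured
# CDP URL instead of the one embedded in the certificate, and refresh it
# every 24 hours.
set security pki ca-profile corp-ca revocation-check crl url http://ca.example.com/crl/corp-ca.crl
set security pki ca-profile corp-ca revocation-check crl refresh-interval 24

# Fail-open variant: if the CRL cannot be downloaded, skip the revocation
# check rather than failing certificate validation. This keeps tunnels up
# when the CDP is unreachable, at the cost of accepting a revoked peer
# certificate during the outage. Leave it unset to fail closed.
# set security pki ca-profile corp-ca revocation-check crl disable on-download-failure

# Disabling revocation checking entirely (not recommended for production).
# set security pki ca-profile corp-ca revocation-check disable
```

The two commented-out statements are the fail-open knobs; decide deliberately whether an unreachable CDP should stop IKE negotiations (default) or be tolerated.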
Junos OS supports multiple local certificates, depending on the device size. See Appendix A: Frequently Asked Questions for details.
Table 1: PKI objects and their average sizes

| PKI object | Average size |
|---|---|
| Private/public key pair | 1 KB |
| Local certificate | 2 KB |
| CA certificate | 2 KB |
| CA authority configuration | 500 bytes |
| CRL (size depends on how many certificates that CA has revoked) | 300 bytes up to 2 MB+ |
Example: Calculating flash memory requirements
Assume the following on a Junos OS device:
An average CRL of 10 KB
One local certificate (with its key pair), one CA certificate, and one CA authority configuration
The total flash memory required for these PKI objects is:
2 KB (local certificate) + 1 KB (key pair) + 2 KB (CA certificate) + 0.5 KB (CA authority configuration) + 10 KB (CRL) = 15.5 KB