How to generate a PKCS10 certificate request on a J Series or SRX Series device

Обновлено 01.08.2016

Juniper

Juniper

SUMMARY:

How to generate a PKCS10 certificate request on a J Series or SRX Series device

PROBLEM OR GOAL:

SOLUTION:

To request a PKI X.509 certificate follow the steps below using CLI:

1. Create a CA profile in security > pki hierarchy.Syntax:

set security pki ca-profile <ca-profile-name> ca-identity <CA-ID>

Example:

root@CORPORATE# set security pki ca-profile juniper-ca ca-identity TACLAB

root@CORPORATE# commit

2. Generate a key pair.

request security pki generate-key-pair certificate-id <cert-id-name> size <size>

 

    Size Possible completions:
      1024    1024 bits
      2048    2048 bits
      512     512 bits

Example:

root@CORPORATE> request security pki generate-key-pair certificate-id ms-cert size 1024
Generated key pair ms-cert, key size 1024 bits

3. Generate PKCS #10 certificate request.  You can either specify a filename or copy and paste the certificate request information (highlighted in RED below) directly in email to your CA.

request security pki generate-certificate-request certificate-id <cert-id-name> subject "subject-details" [ip-address | domain-name | email ] [filename]

    where "subject-details" format is "DC=<Domain-Component>,CN=<Common-Name>,OU=<Organizational-Unit-name>,O=<Organization-name>,L=<Locality>,ST=<state>,C=<Country>"

Example:
root@CORPORATE> request security pki generate-certificate-request certificate-id ms-cert subject "CN=John Doe,OU=Sales,O=Juniper Networks,L=Sunnyvale,ST=CA,C=US" ip-address 172.19.51.162

Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----
MIIBzjCCATcCAQAwbDERMA8GA1UEAxMISm9obiBEb2UxDjAMBgNVBAsTBVNhbGVz
MRkwFwYDVQQKExBKdW5pcGVyIE5ldHdvcmtzMRIwEAYDVQQHEwlTdW5ueXZhbGUx
CzAJBgNVBAgTAkNBMQswCQYDVQQGEwJVUzCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEA2oEJhU3bkXuL3r+Bpj3fr5A1NqgL7kd7JAUjavcQYq93tjEGKdcCGSVn
7zOjiuc8uNCk8SqZuyVWjHULeACUjnMs/N134egkl0oDtiEuU9ZStDT6yxbseD3d
/JnTh2TR1EEUCTQPMPJEce0szXXJnRHXp4pwYk3CRHNAEOoQCikCAwEAAaAiMCAG
CSqGSIb3DQEJDjETMBEwDwYDVR0RBAgwBocErBMzojANBgkqhkiG9w0BAQUFAAOB
gQDHUEx0VBDYHj/QgEy4ponzlJNSMKwtZpwARsAfjH4yp2BGpwBPToVwXlDzdKSb
cJKG4qwzQCsQH7CAav2j7EFDX1kdx7DZ2HbpyTPZEnIgio674aIc15jLm1VPDGdu
ZT6Gjt1QiHOC4MVSsdIKKcALYcaFtZOYX5PGqE1SMFUTFg==
-----END CERTIFICATE REQUEST-----

Fingerprint:
07:09:4c:0d:fe:5a:51:fc:1b:f0:da:98:0a:3f:bf:64:2f:a8:dd:14 (sha1)
54:09:9e:96:06:6f:fc:21:c4:e7:e2:13:5f:b4:08:77 (md5)

root@CORPORATE> show security pki certificate-request detail
Certificate identifier: ms-cert
Certificate version: 1
Issued to: CN = John Doe, OU = Sales, O = Juniper Networks, L = Sunnyvale, ST = CA, C = US
Public key algorithm: rsaEncryption(1024 bits)
30:81:89:02:81:81:00:da:81:09:85:4d:db:91:7b:8b:de:bf:81:a6
3d:df:af:90:35:36:a8:0b:ee:47:7b:24:05:23:6a:f7:10:62:af:77
b6:31:06:29:d7:02:19:25:67:ef:33:a3:8a:e7:3c:b8:d0:a4:f1:2a
99:bb:25:56:8c:75:0b:78:00:94:8e:73:2c:fc:dd:77:e1:e8:24:97
4a:03:b6:21:2e:53:d6:52:b4:34:fa:cb:16:ec:78:3d:dd:fc:99:d3
87:64:d1:d4:41:14:09:34:0f:30:f2:44:71:ed:2c:cd:75:c9:9d:11
d7:a7:8a:70:62:4d:c2:44:73:40:10:ea:10:0a:29:02:03:01:00:01
Fingerprint:
3d:41:7f:84:9a:3b:11:6e:7e:f2:9d:10:d5:33:fe:8c:16:fd:c2:a9 (sha1)
71:a2:36:ba:6a:90:b9:16:ac:66:48:b0:cf:d3:58:24 (md5)

4.  Send certificate request to your Certificate Authority (CA).  Your CA will generate your local certificate and CA certificate.

Автор - Сёмин Иван

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *