
Does the Junos OS device support PKCS10 for certificate requests, or PKCS12 certificate packages?

by Juniper Employee on 01-26-2016 08:03 AM - edited on 09-22-2017 04:05 PM by Administrator

Question

Does the Junos OS device support PKCS10 for certificate requests, or PKCS12 certificate packages?

Answer

The Junos OS device can generate PKCS10 certificate requests. You can copy these certificate requests using the command-line interface (CLI), send them through e-mail, or upload them to an FTP server.

However, the Junos OS device does not accept a PKCS12 file. The Junos OS device must generate its own private key. Also, a Junos OS device does not generate a PKCS12 file for exporting its private/public keys and certificate. This approach provides more protection and reduces the possibility that someone could steal a device's keys and thereby impersonate that device.

The private key never leaves the Junos OS device. In future Junos OS releases, you may copy the private key from the active unit to the backup unit of a device if that device is part of chassis clustering or a Junos OS Services Redundancy Protocol (JSRP) pair, as an RTO (run-time object). For SRX Series devices, the keys are copied into the backup Routing Engine device.

Online Certificate Status Protocol (OCSP) is supported for revocation checking.

For more information, see Understanding Certificates and PKI.
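
Because the PKCS10 request travels over CLI copy, e-mail, or FTP while the private key stays on the device, the CA operator can check the request before signing it. The following is an added example, not Juniper code and not part of the original answer: it goes beyond the answer to the CA side and assumes OpenSSL on the CA workstation, a hypothetical function name `check_csr`, and an assumed 2048-bit RSA minimum.

```shell
#!/bin/sh
# Added example (not Juniper code): checks a CA operator can run on a PKCS#10
# request before signing it. Usage: check_csr FILE [MIN_RSA_BITS]
# Returns 0 = acceptable, 1 = private key present, 2 = bad signature/format,
# 3 = key too small.
check_csr() {
    csr=$1
    min_bits=${2:-2048}   # assumed policy for RSA keys; adjust for your CA

    # A PKCS#10 request carries only the public key. Private key material in
    # the file means the key was generated or exported off the device.
    if grep -q 'PRIVATE KEY' "$csr"; then
        echo "reject: file contains private key material" >&2
        return 1
    fi

    # The request is self-signed with the private key held on the device; a
    # valid signature proves possession and that the request was not altered
    # in transit (CLI copy, e-mail, FTP). Match on the output text because
    # some OpenSSL releases exit 0 even when verification fails.
    out=$(openssl req -in "$csr" -noout -verify 2>&1) || true
    case $out in
        *"verify OK"*) ;;
        *) echo "reject: not a valid PKCS#10 request or bad signature" >&2
           return 2 ;;
    esac

    bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "reject: public key is ${bits:-unknown} bits, need $min_bits" >&2
        return 3
    fi

    # SHA-256 of the DER-encoded request, for out-of-band comparison with
    # the administrator who generated it on the device.
    openssl req -in "$csr" -outform DER | openssl dgst -sha256
    return 0
}

if [ "$#" -gt 0 ]; then check_csr "$@"; fi
```

The function expects the PEM-encoded request file as exported from the device; for ECDSA keys pass a lower threshold as the second argument.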