Blog Viewer

FAQ: Public Key Infrastructure (PKI)

By Erdem posted 01-26-2016 08:28


A digital certificate is an electronic means for verifying your identity through a trusted third party, known as a certificate authority (CA). Alternatively, you can use a self-signed certificate to attest to your identity.


The CA server you use can be owned and operated by an independent CA or by your own organization, in which case you become your own CA. If you use an independent CA, you must contact them for the addresses of their CA and certificate revocation list (CRL) servers (for obtaining certificates and CRLs) and for the information they require when submitting personal certificate requests. When you are your own CA, you determine this information yourself.


The Public Key Infrastructure (PKI) provides an infrastructure for digital certificate management. In general, PKI is a hierarchy of trust that enables users of a public network to securely and privately exchange data through the use of public and private cryptographic key pairs that are obtained and shared with peers through a trusted authority.


Junos OS uses public/private keys in the following areas:

  • SSH/SCP (for secure command-line interface [CLI]-based administration)
  • Secure Sockets Layer (SSL)
  • Internet Key Exchange (IKE) (for IPsec VPN tunnels)

To ramp up on general certificates and PKI information, click: Understanding Certificates and PKI

This article provides answers to the most common questions about certificates and PKI for Junos OS devices.


  1. Does Juniper Networks provide a CA with its products?
  2. What version of X.509 certificates are supported (V1 or V3)?
  3. Does the Junos OS device support multiple certificates, or a hierarchical CA chain?
  4. Can the Junos OS device use the same DN for different local certificates, or auto-generate CN field values?
  5. Does the Junos OS device support PKCS10 for certificate requests, or PKCS12 certificate packages?
  6. Are there special characters to consider, or avoid, when doing PKI?
  7. What RFC does Juniper Networks support for PKI and its profile?
  8. What PKI objects are stored in memory and what are the average sizes?
  9. How do you disable CRL checking?
  10. Why does the Junos OS device not use or support two sets of keys for a virtual private network (VPN)?
  11. Does Junos OS support chassis clustering (high availability) for PKI certificates?
  12. How is the public key of a key pair bound to, or deleted from, a certificate request?

For more details on digital certificates, click Digital Certificates Overview