Understanding PKI CRL (Certificate Revocation List) logs

This article highlights the important fields of PKI CRL command and debug output.

This article shows how to interpret PKI CRL logs on a Junos device.

Understanding Certificate Revocation Lists:

For an explanation of ‘Understanding Certificate Revocation Lists’, refer to the technical documentation: http://www.juniper.net/techpubs/en_US/junos/topics/concept/certificate-crl-understanding.html

The important fields of the PKI command output and debug output are highlighted below:


PKI ca-profile Configuration:

Important: For CA certificates, a DNS server must be configured in the device’s configuration. The DNS server must be able to resolve the host named in the certificate's CRL distribution point and in the CA certificate/revocation list URL in the ca-profile configuration. Additionally, there must be network reachability to the same host in order for the checks to complete.
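The prerequisites above, written out as Junos set commands. This is an added example, not configuration taken from this article: the profile name EXAMPLE-CA, the host crl.example.net, the trace file name and the 192.0.2.x addresses are constructed placeholders.

```junos
# --- Name resolution the CRL fetch depends on (placeholder resolver address) ---
set system name-server 192.0.2.53

# --- CA profile with revocation checking ENABLED (case b in this article) ---
set security pki ca-profile EXAMPLE-CA ca-identity example-ca
# Host part of this URL must be resolvable and reachable from the device.
set security pki ca-profile EXAMPLE-CA revocation-check crl url http://crl.example.net/example-ca.crl
# Re-fetch interval in hours, so a newly revoked certificate is picked up.
set security pki ca-profile EXAMPLE-CA revocation-check crl refresh-interval 24

# --- Weak alternative (case a in this article): no revocation checking ---
# With this statement a revoked peer certificate is still accepted.
# Shown for contrast only; do not apply it together with the lines above.
# set security pki ca-profile EXAMPLE-CA revocation-check disable

# --- Fallback when DNS cannot resolve the CRL host ---
# Pins the name to a fixed address. The entry must be maintained by hand
# if the CA moves its CRL distribution host.
set system static-host-mapping crl.example.net inet 192.0.2.10

# --- PKI traceoptions, the source of the debug output this article reads ---
set security pki traceoptions file pki-trace
set security pki traceoptions flag all
```

After committing, `show security pki crl ca-profile EXAMPLE-CA detail` in operational mode shows whether a CRL for the profile is present on the device.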

a) If revocation-check is disabled, this output will be displayed in the PKI traceoptions:

b) If revocation-check is enabled, output similar to this will be displayed in PKI traceoptions:

As a workaround, static-host-mapping was configured for this hostname:

c) If the CRL is already present in the device, output similar to this will be displayed in PKI traceoptions:


