Is the following scenario possible?
Remote Device (typically a laptop) has a certificate installed and connects to the SA 2000. Can the SA 2000 then go off and query our internal certificate server to check the certificate on the Remote Device, and if the certificates match, then allow the connection?
If you are asking can you use a client based certificate for authentication the answer is yes:
The SA box will need to verify the client certificate against the matching "trusted client CA" on the SA box. You can define OCSP or CRL within that certificate for further validation of the client certificate.
Pretty straightforward to setup.
Apologies for the delay in replying to you!
I am pretty new to Junipers & certificates in general, but what we want is not to have a certificate on the Juniper but to have it on a server somewhere and use the Juniper to check the connecting device's cert against that on the server... or does it not work that way?
It does not work that way. To use the cert for authentication you will need to implement as per my prior message. You can then also do a validation on the user cert but that is secondary.
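As an added illustration (not from this thread and not Juniper code), the OpenSSL lab below reproduces the model the two answers describe: the trusted client CA is held locally by the gateway, the connecting laptop's certificate must chain to it, and a CRL from that CA supplies the secondary revocation check. All CA and laptop names are constructed for the demo.

```shell
#!/bin/sh
# Lab reproduction (not Juniper code) of the client-certificate flow:
# the trusted client CA sits on the gateway; a CRL adds revocation checks.
# Every CA and laptop name below is constructed for the demo.
set -e
LAB="$(mktemp -d)"; cd "$LAB"

# 1. Trusted client CA: the trust anchor the SA box itself must hold.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Lab Client CA" \
  -keyout ca.key -out ca.crt 2>/dev/null
# 2. A second CA the box has never been told to trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other CA" \
  -keyout other.key -out other.crt 2>/dev/null

# issue_cert <name> <ca-prefix>: a client cert for one laptop, signed by <ca>.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -days 90 -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -out "$1.crt" 2>/dev/null
}
issue_cert laptop-ok ca        # normal user laptop
issue_cert laptop-lost ca      # reported lost; revoked below
issue_cert laptop-other other  # valid cert, but from the untrusted CA

# 3. Revoke laptop-lost and publish a CRL signed by the trusted CA.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab
[ lab ]
database = index.txt
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF
: > index.txt; echo 01 > crlnumber
openssl ca -config ca.cnf -revoke laptop-lost.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
cat ca.crt ca.crl > trust.pem   # the gateway's local trust store + CRL

# decide <cert>: the gateway's decision at connect time. The chain must end
# in the local trusted client CA and the serial must not be on the CRL.
decide() {
  if openssl verify -CAfile trust.pem -crl_check "$1" >/dev/null 2>&1
  then echo allow; else echo deny; fi
}
for c in laptop-ok laptop-lost laptop-other; do echo "$c: $(decide $c.crt)"; done
```

Only laptop-ok is allowed: laptop-lost fails the CRL check and laptop-other fails because its issuer is not the trusted client CA, which is why the trust anchor has to be on the box rather than only on a remote server.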