
Using Digital Certificates

Digital certificates authenticate your identity when establishing secure virtual private network (VPN) connections.

To use a digital certificate to authenticate your identity when establishing a secure VPN connection, you must first do the following:

You can obtain CA and local certificates manually, or online using Simple Certificate Enrollment Protocol (SCEP). Certificates are verifiable and renewable, and you can delete them when they are no longer needed.

Before You Begin

For background information, read

This topic covers:

Obtaining Digital Certificates Online

The online method uses Simple Certificate Enrollment Protocol (SCEP) to request digital certificates. To obtain a certificate online, do the following:

  1. Generate a key pair in the device. See Generating a Public-Private Key Pair.
  2. Create a CA profile containing information specific to a CA. You can have multiple CA profiles on the device. For example, you might have one profile for Microsoft and one for Entrust. See Configuring a Certificate Authority Profile.
  3. Enroll the CA certificate onto the device. See Enrolling a CA Certificate Online.
  4. Obtain a local certificate (also known as a personal certificate) online from the CA whose CA certificate you have previously loaded. See Enrolling a Local Certificate Online.
  5. Configure automatic re-enrollment. See Understanding SecurID User Authentication.

Obtaining Digital Certificates Manually

To obtain digital certificates manually, do the following:

  1. Generate a key pair in the device. See Generating a Public-Private Key Pair.
  2. Create a CA profile containing information specific to a CA. You can have multiple CA profiles on the device. For example, you might have one profile for Microsoft and one for Entrust. See Configuring a Certificate Authority Profile.
  3. Generate a certificate request using the key pair, and manually copy that request and paste it into the appropriate field at the CA Web site to obtain a personal certificate (also known as a local certificate). See Generating a Local Certificate Request Manually.
  4. Load the certificate onto the device. See Loading CA and Local Certificates Manually.
  5. Configure automatic re-enrollment. See Understanding SecurID User Authentication.
  6. If necessary, load the certificate's CRL on the device. See Manually Loading a CRL onto the Device.
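
Steps 1, 3 and 4 of the manual procedure above, sketched with OpenSSL on a workstation as an added example; it is not from the original documentation and is not the device's CLI. A throwaway CA stands in for the CA Web site (an assumption, as are all names), and `cert_ok` is a hypothetical helper that checks the returned certificate against the key pair and the CA certificate before it is loaded.

```shell
#!/usr/bin/env bash
# Added illustration (not the device's CLI): the manual enrollment steps with
# OpenSSL. Subject names and the "Demo CA" are constructed placeholders.
set -eu

# Steps 1 and 3: generate a key pair and a certificate request from it.
make_request() {   # $1 = work dir, $2 = certificate name
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -subj "/CN=$2.example.test" -out "$1/$2.csr"
}

# Stand-in for the CA: a throwaway self-signed CA certificate.
make_ca() {        # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
    -subj "/CN=Demo CA" -days 30 -out "$1/ca.pem" 2>/dev/null
}

# Stand-in for pasting the request at the CA Web site and getting a certificate.
ca_sign() {        # $1 = work dir, $2 = certificate name
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 7 -out "$1/$2.pem" 2>/dev/null
}

# Check before step 4 (loading): the returned certificate must carry the public
# key of the key pair from step 1 and must chain to the CA certificate.
cert_ok() {        # $1 = work dir, $2 = key name, $3 = certificate file
  [ "$(openssl x509 -in "$3" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/$2.key" -pubout)" ] &&
    openssl verify -CAfile "$1/ca.pem" "$3" >/dev/null 2>&1
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_ca "$work"
make_request "$work" local; ca_sign "$work" local
make_request "$work" other; ca_sign "$work" other   # issued for a different key
cert_ok "$work" local "$work/local.pem" && echo "local.pem: matches key, chains to CA"
cert_ok "$work" local "$work/other.pem" || echo "other.pem: rejected, wrong key pair"
```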

Verifying the Validity of a Certificate

You can verify the validity of a certificate in one of the following ways:

Deleting a Certificate

To delete a certificate or a CRL, see “Deleting Certificates” on page 177 and “Deleting a Loaded CRL” on page 179.

