[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

Enrolling a Local Certificate Online

With Simple Certificate Enrollment Protocol (SCEP), you can configure your Juniper Networks device to obtain a local certificate online and start the online enrollment for the specified certificate ID.

Before You Begin
Generate a public and private key pair. See Generating a Public-Private Key Pair . Configure a CA profile. See Configuring a Certificate Authority Profile. Enroll a CA certificate. See Enrolling a CA Certificate Online. For background information, read: Public Key Cryptography for Certificates Understanding Certificates Understanding Certificate Revocation Lists Using Digital Certificates

This topic covers:

CLI Configuration

To configure the device for online enrollment:

Specify the CA profile—for example, wincs-5—and specify the CA location for your device to send the SCEP-based certificate enrollment requests. To specify the CA location by naming the CA URL, include the url statement. For example:
user@host# set security pki ca-profile wincs-5 enrollment url http://10.155.8.1/certsrv/mscep/mscep.dll

Using the request security pki local-certificate enroll command, start the online enrollment for the specified certificate ID. You must specify the CA profile name (for example, wincs-5), the certificate ID (for example, qqq), and the following information:

Note: SCEP sends a PKCS-10 format certificate request enveloped in PKCS-7 format.

Specify the challenge CA password for certificate enrollment and revocation—for example, aaa. If the CA does not provide the challenge password, then choose your own password.
Specify at least one of the following values:
- Enter the domain name to identify the certificate owner in IKE negotiations—for example, qqq.juniper.net.
- Specify the identity of the certificate owner for IKE negotiation with the e-mail statement—for example, qqq@juniper.net.
- Enter an IP address if the Service router is configured for a static IP address—for example, 10.10.10.10.
Specify the subject name in the distinguished name format in quotation marks, including the domain component (DC), common name (CN), organizational unit name (OU), organization name (O), locality (L), state (ST), and country (C).
For example:

user@host> request security pki local-certificate enroll ca-profile wincs-5 certificate-id qqq challenge-password aaa domain-name qqq.juniper.net email qqq@juniper.net ip-address 10.10.10.10 subject DC=juniper, CN=router3, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us

The device certificate is obtained and the online enrollment begins for the certificate ID. The command is processed asynchronously.

Go on to Re-enrolling Local Certificates Automatically

The device certificate is obtained and the online enrollment begins for the certificate ID. The command is processed asynchronously.

Go on to Understanding SecurID User Authentication.

Enrolling a Local Certificate Online

CLI Configuration

Related Topics