Configuration Statements for Setting Up Digital Certificates for an ES PIC
To define the digital certificate configuration for an encryption service interface, include the following statements at the [edit security certificates] and [edit security ike] hierarchy levels:
[edit security]
certificates {
    cache-size bytes;
    cache-timeout-negative seconds;
    certification-authority ca-profile-name {
        ca-name ca-identity;
        crl filename;
        encoding (binary | pem);
        enrollment-url url-name;
        file certificate-filename;
        ldap-url url-name;
    }
    enrollment-retry attempts;
    maximum-certificates number;
    path-length certificate-path-length;
}
ike {
    policy ike-peer-address {
        description policy;
        encoding (binary | pem);
        identity identity-name;
        local-certificate certificate-filename;
        local-key-pair private-public-key-file;
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposals [ proposal-names ];
    }
}
The statements for configuring digital certificates differ between the AS and MultiServices PICs and the ES PIC; this section covers the ES PIC only.
For information about how to configure the description and mode statements, see Configuring the Description for an IKE Policy. For information about how to configure the IKE proposal, see Associating Proposals with an IKE Policy.
For digital certificates, Junos OS supports only VeriSign CAs for the ES PIC.
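The following configuration is added here as a worked example and is not taken from the Junos documentation. It combines the statements above into one CA profile and one IKE policy that authenticates the peer with a local certificate instead of a pre-shared key. Every value is an assumption chosen for illustration: the profile name verisign-ca, the CA identity string, the file paths under /var/tmp, the enrollment and LDAP URLs, the peer address 192.0.2.10, the identity router1.example.com, and the proposal name es-cert-proposal. The IKE proposal itself is not shown because it is configured separately, as described in Associating Proposals with an IKE Policy.

```junos
[edit security]
certificates {
    /* Assumed sizing: cache up to 262144 bytes of certificates and
       remember a failed lookup for 120 seconds before retrying. */
    cache-size 262144;
    cache-timeout-negative 120;
    /* Profile name and CA identity are assumptions; the ES PIC
       requires a VeriSign CA, so the identity reflects that. */
    certification-authority verisign-ca {
        ca-name "VeriSign Class 3 CA";
        /* Assumed paths for the CRL and the CA certificate, both PEM. */
        crl /var/tmp/verisign.crl;
        encoding pem;
        /* Placeholder enrollment and LDAP servers. */
        enrollment-url "http://enroll.example.com/scep";
        file /var/tmp/verisign-ca.pem;
        ldap-url "ldap://ldap.example.com";
    }
    /* Retry a failed enrollment three times, hold at most 1000
       certificates, and accept chains no deeper than two CAs. */
    enrollment-retry 3;
    maximum-certificates 1000;
    path-length 2;
}
ike {
    /* Policy is keyed by the assumed peer address 192.0.2.10. */
    policy 192.0.2.10 {
        description "Certificate-authenticated tunnel to branch router";
        encoding pem;
        /* Assumed local identity presented during IKE. */
        identity router1.example.com;
        /* Assumed paths for the router's certificate and key pair. */
        local-certificate /var/tmp/router1-cert.pem;
        local-key-pair /var/tmp/router1-key.pem;
        mode main;
        /* Assumed proposal name; it must select certificate
           (signature) authentication and is defined elsewhere. */
        proposals [ es-cert-proposal ];
    }
}
```

The pre-shared-key statement is deliberately left out: the policy relies on local-certificate and local-key-pair for authentication, and mixing both methods in one policy is not what this example demonstrates. The CA certificate and CRL named by file and crl must be loaded onto the router at the assumed paths, and the CRL should be refreshed (for example via ldap-url) so that revoked peer certificates are actually rejected rather than cached as valid.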