
    Example: Enrolling a Local Certificate Online Using SCEP

    This example shows how to enroll a local certificate online.

    Requirements

    Before you begin:

    Overview

    In this example, you configure your Juniper Networks device to obtain a local certificate online and start the online enrollment for the specified certificate ID with SCEP. You specify the CA profile name as ca-profile-ipsec and the CA location as http://10.155.8.1/certsrv/mscep/mscep.dll.

    You will use the request security pki local-certificate enroll command to start the online enrollment for the specified certificate ID. You must specify the CA profile name (for example, ca-profile-ipsec), the certificate ID corresponding to a previously generated key pair (for example, qqq), and the following information:

    • The challenge password that the CA uses to authorize certificate enrollment and revocation, for example, aaa. If the CA does not provide a challenge password, choose your own. Treat it as a secret: anyone who holds it can obtain a certificate from this CA. With Microsoft NDES (the mscep.dll endpoint in this example) the challenge password is normally a one-time password issued by the NDES administrator.
    • At least one of the following values, each of which becomes a subject alternative name in the request:
      • The domain name that identifies the certificate owner in IKE negotiations, for example, qqq.example.net.
      • The e-mail address that identifies the certificate owner in IKE negotiations, given with the email statement, for example, qqq@example.net.
      • The IP address, if the device is configured with a static IP address, for example, 10.10.10.10.
    • The subject name in distinguished name format, in quotation marks, including the domain component (DC), common name (CN), serial number (SN), organizational unit name (OU), organization name (O), locality (L), state (ST), and country (C).

    Note: SCEP sends a PKCS #10 format certificate request enveloped in PKCS #7 format. The PKCS #7 envelope is encrypted to the CA, which is what keeps the challenge password inside the request from being read on the HTTP connection.

    The command is processed asynchronously: it returns as soon as the request has been submitted, and the local certificate is stored under the certificate ID once the CA returns it.

    Configuration

    Step-by-Step Procedure

    To enroll a local certificate online:

    1. Specify the CA profile and the SCEP enrollment URL.
      [edit]
      user@host# set security pki ca-profile ca-profile-ipsec enrollment url http://10.155.8.1/certsrv/mscep/mscep.dll
    2. If you are done configuring the device, commit the configuration.
      [edit]
      user@host# commit
    3. Initiate the enrollment process by running the operational mode command. The subject is given as a quoted distinguished name.
      user@host> request security pki local-certificate enroll ca-profile ca-profile-ipsec certificate-id qqq challenge-password aaa domain-name qqq.example.net email qqq@example.net ip-address 10.10.10.10 subject "DC=example, CN=router3, SN, OU=marketing, O=example, L=sunnyvale, ST=california, C=us"

      Note: If you define SN in the subject field without the serial number, then the serial number will be read directly from the device and added to the certificate signing request (CSR).
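    The following shell script is an added example, not part of this page or of Junos: it uses openssl to build the PKCS #10 request that an enroll command like the one in step 3 produces, so you can see where the subject, the three IKE identities and the challenge password end up before a SCEP client wraps the request in PKCS #7. It assumes a working directory supplied by the caller, a freshly generated 2048-bit RSA key standing in for the device key pair, and the placeholder serial number JN0000000000 in place of the value Junos reads from the device; none of these come from the page.

```shell
#!/bin/sh
# Added example (not Junos code): build and inspect the PKCS #10 request
# behind a SCEP enrollment with openssl.

# build_scep_csr WORKDIR
# Generates an RSA key (the "previously generated key pair") and a CSR that
# carries the subject DN from the page, the domain name, e-mail address and
# IP address as subject alternative names, and the challengePassword
# attribute. Prints the path of the CSR.
build_scep_csr() {
    dir=$1
    # Assumptions: serialNumber is a placeholder for the device serial that
    # Junos inserts for a bare "SN"; the challenge password is "aaa" as in the
    # example command. Note that openssl's short name "SN" means surname, so
    # the serial number must be written as "serialNumber" here.
    cat > "$dir/req.cnf" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = dn
attributes = attrs
req_extensions = ext

[dn]
DC = example
CN = router3
serialNumber = JN0000000000
OU = marketing
O = example
L = sunnyvale
ST = california
C = us

[attrs]
challengePassword = aaa

[ext]
subjectAltName = DNS:qqq.example.net, email:qqq@example.net, IP:10.10.10.10
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null
    openssl req -new -key "$dir/key.pem" -config "$dir/req.cnf" \
        -out "$dir/csr.pem"
    echo "$dir/csr.pem"
}

# inspect_csr CSR
# Checks the CSR's self-signature and prints its decoded contents, which is
# what a reviewer should look at before the one-time challenge password is
# spent on the request. Returns non-zero if the signature does not verify.
inspect_csr() {
    csr=$1
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -text
}

# Usage: build the request in a temporary directory and show it.
WORK=$(mktemp -d)
CSR=$(build_scep_csr "$WORK")
inspect_csr "$CSR"
```

    In the decoded output, the Subject line reproduces the DN in the order given, the challengePassword appears in clear under Attributes, and the three identities appear under Subject Alternative Name. The cleartext password is why SCEP encrypts the request inside a PKCS #7 envelope addressed to the CA rather than posting the bare CSR over HTTP.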

    Verification

    To verify that enrollment succeeded, enter the show security pki local-certificate command, for example show security pki local-certificate certificate-id qqq detail, and confirm that a certificate with the requested subject and alternate names is present for the certificate ID. Because the enroll command returns before the CA answers, the certificate may take a moment to appear; if it never does, check that the CA certificate for the profile was loaded with show security pki ca-certificate ca-profile ca-profile-ipsec and that the challenge password has not already been used.

    Modified: 2016-07-06