
    Example: Configuring a Device for Peer Certificate Chain Validation

    This example shows how to configure a device for certificate chains used to validate peer devices during IKE negotiation.

    Requirements

    Before you begin, obtain the address of the certificate authority (CA) and the information they require (such as the challenge password) when you submit requests for local certificates.

    Overview

    This example shows how to configure a local device for certificate chains, enroll CA and local certificates, check the validity of enrolled certificates, and check the revocation status of the peer device.

    This example shows the configuration and operational commands on Host-A, as shown in Figure 1. A dynamic CA profile is automatically created on Host-A to allow Host-A to download the CRL from Sales-CA and check the revocation status of Host-B’s certificate.

    Figure 1: Certificate Chain Example


    Note: The IPsec VPN configuration for Phase 1 and Phase 2 negotiation is shown for Host-A in this example. The peer device (Host-B) must be properly configured so that Phase 1 and Phase 2 options are successfully negotiated and security associations (SAs) are established. See IPsec VPN Feature Guide for Security Devices for examples of configuring peer devices for VPNs.

    Configuration

    To configure a device for certificate chains:

    Configure CA Profiles

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security pki ca-profile Root-CA ca-identity CA-Root
    set security pki ca-profile Root-CA enrollment url http://10.157.88.230:8080/scep/Root/
    set security pki ca-profile Root-CA revocation-check crl
    set security pki ca-profile Eng-CA ca-identity Eng-CA
    set security pki ca-profile Eng-CA enrollment url http://10.157.88.230:8080/scep/Eng/
    set security pki ca-profile Eng-CA revocation-check crl
    set security pki ca-profile Dev-CA ca-identity Dev-CA
    set security pki ca-profile Dev-CA enrollment url http://10.157.88.230:8080/scep/Dev/
    set security pki ca-profile Dev-CA revocation-check crl

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

    To configure CA profiles:

    1. Create the CA profile for Root-CA.
      [edit security pki]
      user@host# set ca-profile Root-CA ca-identity CA-Root
      user@host# set ca-profile Root-CA enrollment url http://10.157.88.230:8080/scep/Root/
      user@host# set ca-profile Root-CA revocation-check crl
    2. Create the CA profile for Eng-CA.
      [edit security pki]
      user@host# set ca-profile Eng-CA ca-identity Eng-CA
      user@host# set ca-profile Eng-CA enrollment url http://10.157.88.230:8080/scep/Eng/
      user@host# set ca-profile Eng-CA revocation-check crl
    3. Create the CA profile for Dev-CA.
      [edit security pki]
      user@host# set ca-profile Dev-CA ca-identity Dev-CA
      user@host# set ca-profile Dev-CA enrollment url http://10.157.88.230:8080/scep/Dev/
      user@host# set ca-profile Dev-CA revocation-check crl

    Results

    From configuration mode, confirm your configuration by entering the show security pki command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security pki
    ca-profile Root-CA {
        ca-identity Root-CA;
        enrollment {
            url "http://10.157.88.230:8080/scep/Root/";
        }
        revocation-check {
            crl;
        }
    }
    ca-profile Eng-CA {
        ca-identity Eng-CA;
        enrollment {
            url "http://10.157.88.230:8080/scep/Eng/";
        }
        revocation-check {
            crl;
        }
    }
    ca-profile Dev-CA {
        ca-identity Dev-CA;
        enrollment {
            url "http://10.157.88.230:8080/scep/Dev/";
        }
        revocation-check {
            crl;
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Enroll Certificates

    Step-by-Step Procedure

    To enroll certificates:

    1. Enroll the CA certificates.
      user@host> request security pki ca-certificate enroll ca-profile Root-CA
      user@host> request security pki ca-certificate enroll ca-profile Eng-CA
      user@host> request security pki ca-certificate enroll ca-profile Dev-CA

      Type yes at the prompts to load the CA certificate.

    2. Verify that the CA certificates are enrolled in the device.
      user@host> show security pki ca-certificate ca-profile Root-CA
      Certificate identifier: Root-CA
              Issued to: Root-CA, Issued by: C = us, O = example, CN = Root-CA
              Validity:
                Not before: 08-14-2012 22:19
                Not after: 08-13-2017 22:19
              Public key algorithm: rsaEncryption(2048 bits)
      
      user@host> show security pki ca-certificate ca-profile Eng-CA
      Certificate identifier: Eng-CA
              Issued to: Eng-CA, Issued by: C = us, O = example, CN = Root-CA
              Validity:
                Not before: 08-15-2012 01:02
                Not after: 08-13-2017 22:19
              Public key algorithm: rsaEncryption(2048 bits)
      
      user@host> show security pki ca-certificate ca-profile Dev-CA
      Certificate identifier: Dev-CA
              Issued to: Dev-CA, Issued by: C = us, O = example, CN = Eng-CA
              Validity:
                Not before: 08-15-2012 17:41
                Not after: 08-13-2017 22:19
              Public key algorithm: rsaEncryption(2048 bits)
      
    3. Verify the validity of the enrolled CA certificates.
      user@host> request security pki ca-certificate verify ca-profile Root-CA
      CA certificate Root-CA verified successfully
      user@host> request security pki ca-certificate verify ca-profile Eng-CA
      CA certificate Eng-CA verified successfully
      
      user@host> request security pki ca-certificate verify ca-profile Dev-CA
      CA certificate Dev-CA verified successfully
      
    4. Enroll the local certificate.
      user@host> request security pki local-certificate enroll certificate-id Host-A ca-profile Dev-CA challenge-password example domain-name host-a.example.net email host-a@example.net subject DC=example,CN=Host-A,OU=DEV,O=PKI,L=Sunnyvale,ST=CA,C=US
    5. Verify that the local certificate is enrolled in the device.
      user@host> show security pki local-certificate
      Issued to: Host-A, Issued by: C = us, O = example, CN = Dev-CA
              Validity:
                Not before: 09-17-2012 22:22
                Not after: 08-13-2017 22:19
              Public key algorithm: rsaEncryption(1024 bits)
    6. Verify the validity of the enrolled local certificate.
      user@host> request security pki local-certificate verify certificate-id Host-A
      Local certificate Host-A verification success
      
    7. Check the CRL download for configured CA profiles.
      user@host> show security pki crl
           CA profile: Root-CA
              CRL version: V00000001
              CRL issuer: C = us, O = example, CN = Root-CA
              Effective date: 09- 9-2012 13:08
              Next update: 09-21-2012 02:55
      
            CA profile: Eng-CA
              CRL version: V00000001
              CRL issuer: C = us, O = example, CN = Eng-CA
              Effective date: 08-22-2012 17:46
              Next update: 10-24-2015 03:33
      
            CA profile: Dev-CA
              CRL version: V00000001
              CRL issuer: C = us, O = example, CN = Dev-CA
              Effective date: 09-14-2012 21:15
              Next update: 09-26-2012 11:02
      

    Configure IPsec VPN Options

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security ike proposal ike_cert_prop_01 authentication-method rsa-signatures
    set security ike proposal ike_cert_prop_01 dh-group group5
    set security ike proposal ike_cert_prop_01 authentication-algorithm sha1
    set security ike proposal ike_cert_prop_01 encryption-algorithm aes-256-cbc
    set security ike policy ike_cert_pol_01 mode main
    set security ike policy ike_cert_pol_01 proposals ike_cert_prop_01
    set security ike policy ike_cert_pol_01 certificate local-certificate Host-A
    set security ike gateway ike_cert_gw_01 ike-policy ike_cert_pol_01
    set security ike gateway ike_cert_gw_01 address 30.1.1.51
    set security ike gateway ike_cert_gw_01 external-interface ge-0/0/1.0
    set security ike gateway ike_cert_gw_01 local-identity 30.1.1.31
    set security ipsec proposal ipsec_prop_01 protocol esp
    set security ipsec proposal ipsec_prop_01 authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsec_prop_01 encryption-algorithm 3des-cbc
    set security ipsec proposal ipsec_prop_01 lifetime-seconds 300
    set security ipsec policy ipsec_pol_01 proposals ipsec_prop_01
    set security ipsec vpn ipsec_cert_vpn_01 bind-interface st0.1
    set security ipsec vpn ipsec_cert_vpn_01 ike gateway ike_cert_gw_01
    set security ipsec vpn ipsec_cert_vpn_01 ike ipsec-policy ipsec_pol_01

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

    To configure IPsec VPN options:

    1. Configure Phase 1 options.
      [edit security ike proposal ike_cert_prop_01]
      user@host# set authentication-method rsa-signatures
      user@host# set dh-group group5
      user@host# set authentication-algorithm sha1
      user@host# set encryption-algorithm aes-256-cbc
      [edit security ike policy ike_cert_pol_01]
      user@host# set mode main
      user@host# set proposals ike_cert_prop_01
      user@host# set certificate local-certificate Host-A
      [edit security ike gateway ike_cert_gw_01]
      user@host# set ike-policy ike_cert_pol_01
      user@host# set address 30.1.1.51
      user@host# set external-interface ge-0/0/1.0
      user@host# set local-identity 30.1.1.31
    2. Configure Phase 2 options.
      [edit security ipsec proposal ipsec_prop_01]
      user@host# set protocol esp
      user@host# set authentication-algorithm hmac-sha1-96
      user@host# set encryption-algorithm 3des-cbc
      user@host# set lifetime-seconds 300
      [edit security ipsec policy ipsec_pol_01]
      user@host# set proposals ipsec_prop_01
      [edit security ipsec vpn ipsec_cert_vpn_01]
      user@host# set bind-interface st0.1
      user@host# set ike gateway ike_cert_gw_01
      user@host# set ike ipsec-policy ipsec_pol_01

    Results

    From configuration mode, confirm your configuration by entering the show security ike and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security ike
    proposal ike_cert_prop_01 {
        authentication-method rsa-signatures;
        dh-group group5;
        authentication-algorithm sha1;
        encryption-algorithm aes-256-cbc;
    }
    policy ike_cert_pol_01 {
        mode main;
        proposals ike_cert_prop_01;
        certificate {
            local-certificate Host-A;
        }
    }
    gateway ike_cert_gw_01 {
        ike-policy ike_cert_pol_01;
        address 30.1.1.51;
        external-interface ge-0/0/1.0;
    }
    [edit]
    user@host# show security ipsec
    proposal ipsec_prop_01 {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 300;
    }
    policy ipsec_pol_01 {
        proposals ipsec_prop_01;
    }
    vpn ipsec_cert_vpn_01 {
        bind-interface st0.1;
        ike {
            gateway ike_cert_gw_01;
            ipsec-policy ipsec_pol_01;
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    If certificate validation is successful during IKE negotiation between peer devices, both IKE and IPsec security associations (SAs) are established.

    Verifying IKE Phase 1 Status

    Purpose

    Verify the IKE Phase 1 status.

    Action

    Enter the show security ike security-associations command from operational mode.

    user@host> show security ike security-associations
        Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
        2090205 UP     285feacb50824495  59fca3f72b64da10  Main           30.1.1.51       
    

    Verifying IPsec Phase 2 Status

    Purpose

    Verify the IPsec Phase 2 status.

    Action

    Enter the show security ipsec security-associations command from operational mode.

    user@host> show security ipsec security-associations
          Total active tunnels: 1
          ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway   
          <131073 ESP:3des/sha1 a4756de9 207/  unlim   -   root 500   30.1.1.51       
          >131073 ESP:3des/sha1 353bacd3 207/  unlim   -   root 500   30.1.1.51       
    

    IKE and IPsec SA Failure for a Revoked Certificate

    Checking for Revoked Certificates

    Problem

    If certificate validation fails during IKE negotiation between peer devices, check to make sure that the peer’s certificate has not been revoked. A dynamic CA profile allows the local device to download the CRL from the peer’s CA and check the revocation status of the peer’s certificate. To enable dynamic CA profiles, the revocation-check crl option must be configured on a parent CA profile.

    Solution

    To check the revocation status of a peer’s certificate:

    1. Identify the dynamic CA profile that will show the CRL for the peer device by entering the show security pki crl command from operational mode.
      user@host> show security pki crl
           CA profile: Root-CA
              CRL version: V00000001
              CRL issuer: C = us, O = example, CN = Root-CA
              Effective date: 09- 9-2012 13:08
              Next update: 09-21-2012 02:55
      
            CA profile: Eng-CA
              CRL version: V00000001
              CRL issuer: C = us, O = example, CN = Eng-CA
              Effective date: 08-22-2012 17:46
              Next update: 10-24-2015 03:33
      
            CA profile: Dev-CA
              CRL version: V00000001
              CRL issuer: C = us, O = example, CN = Dev-CA
              Effective date: 09-14-2012 21:15
              Next update: 09-26-2012 11:02
      
            CA profile: dynamic-001
              CRL version: V00000001
              CRL issuer: C = us, O = example, CN = Sales-CA
              Effective date: 09-14-2012 21:15
              Next update: 09-26-2012 11:02

      The CA profile dynamic-001 is automatically created on Host-A so that Host-A can download the CRL from Host-B’s CA (Sales-CA) and check the revocation status of the peer’s certificate.

    2. Display CRL information for the dynamic CA profile by entering the show security pki crl ca-profile dynamic-001 detail command from operational mode.

      user@host> show security pki crl ca-profile dynamic-001 detail
          CA profile: dynamic-001
            CRL version: V00000001
              CRL issuer: C = us, O = example, CN = Sub11
              Effective date: 09-19-2012 17:29
              Next update: 09-20-2012 01:49
              Revocation List: 
                Serial number              Revocation date
                10647C84                   09-19-2012 17:29 UTC
      

      Host-B’s certificate (serial number 10647C84) has been revoked.
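    As an added illustration (Go code written for this page, not Junos code and not part of this guide), ValidatePeer performs the two checks Host-A applies to Host-B's certificate during IKE: build the chain to the trusted root through the intermediate CAs, then consult the CRL of the CA that issued the peer certificate, rejecting the peer if that CRL is not signed by the issuing CA or lists the peer's serial number. The issue helper mints an in-memory test PKI (constructed, not a real CA) so the check can be exercised offline with the example's names, such as a Root-CA, Sales-CA and Host-B chain and the serial 10647C84 shown above; the Ed25519 keys and one-hour validity are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// ValidatePeer mirrors Host-A's IKE check: chain the peer's certificate to the trusted root through
// the intermediates, verify the issuing CA's signature on its CRL, then reject the peer if its serial
// number is listed. crlDER is the DER encoding of the CRL fetched from that CA (the dynamic profile's job).
func ValidatePeer(peer, root *x509.Certificate, inters *x509.CertPool, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	chains, err := peer.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return err // unknown issuer, expiry, or a broken link in the chain
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(chains[0][1]) // chains[0][1] is the CA that issued the peer certificate
	}
	if err != nil {
		return err // malformed CRL, or one not signed by the peer's issuer
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return errors.New("peer certificate is revoked")
		}
	}
	return nil
}

// issue mints a certificate for cn in a constructed test PKI (not a real CA); a nil parent means
// self-signed. CAs need CertSign/CRLSign in ku, which is also what marks them IsCA here.
func issue(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

    To exercise it, issue Root-CA, Sales-CA and Host-B with the helper, create a Sales-CA CRL with x509.CreateRevocationList, and pass Host-B, Root-CA, a pool holding Sales-CA and the CRL bytes to ValidatePeer. A CRL signed by any other CA, or a pool missing Sales-CA, makes the check fail closed.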

    Modified: 2016-07-06