    Digital Certificates Configuration Overview

    You can obtain CA and local certificates manually, or online using the Simple Certificate Enrollment Protocol (SCEP). Certificates are verifiable and renewable, and you can delete them when they are no longer needed.

    Junos OS Release 8.5 and earlier support only manual certificate requests. This process includes generation of a PKCS10 request, submission to the CA, retrieval of the signed certificate, and manual loading of the certificate into the Juniper Networks device.

    Automatic sending of certificate requests through SCEP is supported only in Junos OS Release 9.0 or later.

    To use a digital certificate to authenticate your identity when establishing a secure VPN connection, you must first do the following:

    • Obtain a CA certificate from which you intend to obtain a local certificate, and then load the CA certificate onto the device. The CA certificate can contain a CRL to identify invalid certificates.
    • Obtain a local certificate from the CA whose CA certificate you have previously loaded, and then load the local certificate in the device. The local certificate establishes the identity of the Juniper Networks device with each tunnel connection.

    This topic includes the following sections:

    Enabling Digital Certificates Online: Configuration Overview

    SCEP uses the online method to request digital certificates. To obtain a certificate online:

    1. Generate a key pair on the device. See Example: Generating a Public-Private Key Pair.
    2. Create a CA profile or profiles containing information specific to a CA. See Example: Configuring a CA Profile.
    3. Enroll the CA certificate. See Enrolling a CA Certificate Online Using SCEP.
    4. Enroll the local certificate from the CA whose CA certificate you have previously loaded. See Example: Enrolling a Local Certificate Online Using SCEP.
    5. Configure automatic reenrollment. See Example: Using SCEP to Automatically Renew a Local Certificate.

    Manually Generating Digital Certificates: Configuration Overview

    To obtain digital certificates manually:

    1. Generate a key pair on the device. See Example: Generating a Public-Private Key Pair.
    2. Create a CA profile or profiles containing information specific to a CA. See Example: Configuring a CA Profile.
    3. Generate the CSR for the local certificate and send it to the CA server. See Example: Manually Generating a CSR for the Local Certificate and Sending it to the CA Server.
    4. Load the certificate onto the device. See Example: Loading CA and Local Certificates Manually.
    5. Configure automatic reenrollment. See Example: Using SCEP to Automatically Renew a Local Certificate.
    6. If necessary, load the certificate's CRL on the device. See Example: Manually Loading a CRL onto the Device.
    7. If necessary, configure the CA profile with CRL locations. See Example: Configuring a Certificate Authority Profile with CRL Locations.
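
    The following command sequence is an added example that walks through both procedures above (online via SCEP and manual) on one device; it is not taken from this page or from any Juniper example topic. The CA profile name ca-profile-ipsec, the certificate ID local-cert, the hostnames ca.example.com and gw1.example.com, the file paths under /var/tmp, and the <scep-challenge> value are placeholders to be replaced with your own.

```junos
## Step 1 (both procedures): generate the key pair that the local certificate will bind to
user@host> request security pki generate-key-pair certificate-id local-cert size 2048 type rsa

## Step 2 (both procedures): CA profile; ca-identity must match the name the CA uses for itself
user@host# set security pki ca-profile ca-profile-ipsec ca-identity ca-profile-ipsec
user@host# set security pki ca-profile ca-profile-ipsec enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
## Manual step 7: tell the profile where the CRL lives so revoked peer certificates are rejected;
## refresh-interval is in hours, so 24 refetches the CRL daily
user@host# set security pki ca-profile ca-profile-ipsec revocation-check crl url http://ca.example.com/ca.crl
user@host# set security pki ca-profile ca-profile-ipsec revocation-check crl refresh-interval 24
user@host# commit

## ---- Online path (SCEP, Junos OS 9.0 or later) ----
## Step 3: fetch the CA certificate. SCEP itself does not authenticate this download, so compare the
## fingerprint the CLI prints against one obtained from the CA out of band before answering "yes"
user@host> request security pki ca-certificate enroll ca-profile ca-profile-ipsec
## Step 4: enroll the local certificate; the challenge password is issued by the SCEP server
user@host> request security pki local-certificate enroll ca-profile ca-profile-ipsec certificate-id local-cert domain-name gw1.example.com subject "CN=gw1.example.com,O=Example,C=US" challenge-password <scep-challenge>
## Step 5: re-enroll automatically at 90% of the certificate lifetime and rotate the key pair
user@host# set security pki auto-re-enrollment certificate-id local-cert ca-profile-name ca-profile-ipsec challenge-password <scep-challenge> re-enroll-trigger-time-percentage 90 re-generate-keypair
user@host# commit

## ---- Manual path ----
## Step 3: write the PKCS10 CSR to a file and deliver it to the CA out of band
user@host> request security pki generate-certificate-request certificate-id local-cert subject "CN=gw1.example.com,O=Example,C=US" domain-name gw1.example.com filename /var/tmp/gw1.csr
## Step 4: load the CA certificate first, then the signed local certificate the CA returned
user@host> request security pki ca-certificate load ca-profile ca-profile-ipsec filename /var/tmp/ca.crt
user@host> request security pki local-certificate load certificate-id local-cert filename /var/tmp/gw1.crt
## Step 6: load the CRL by hand if the device cannot reach the URL configured above
user@host> request security pki crl load ca-profile ca-profile-ipsec filename /var/tmp/ca.crl

## Verification (both procedures): confirm the chain validates and a CRL is present before the
## certificate is referenced by any IKE or VPN configuration
user@host> request security pki local-certificate verify certificate-id local-cert
user@host> show security pki local-certificate certificate-id local-cert detail
user@host> show security pki crl ca-profile ca-profile-ipsec
```

    Operational-mode commands (prompt >) take effect immediately, while configuration-mode commands (prompt #) do nothing until committed, which is why each configuration group ends with commit.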

    Published: 2012-06-29