Related Documentation
- M Series
  - Configuration Statements for Configuring Digital Certificates for an ES PIC
  - Obtaining a Certificate from a Certificate Authority for an ES PIC
  - Requesting a CA Digital Certificate for an ES PIC on an M Series or T Series Router
  - Generating a Private and Public Key Pair for Digital Certificates for an ES PIC
  - Configuring Digital Certificates for an ES PIC
  - Configuring an IKE Policy for Digital Certificates for an ES PIC
  - Associating the Configured Security Association with a Logical Interface
- MX Series
  - Configuration Statements for Configuring Digital Certificates for an ES PIC
  - Obtaining a Certificate from a Certificate Authority for an ES PIC
  - Generating a Private and Public Key Pair for Digital Certificates for an ES PIC
  - Configuring Digital Certificates for an ES PIC
  - Configuring an IKE Policy for Digital Certificates for an ES PIC
  - Associating the Configured Security Association with a Logical Interface
- T Series
  - Configuration Statements for Configuring Digital Certificates for an ES PIC
  - Obtaining a Certificate from a Certificate Authority for an ES PIC
  - Requesting a CA Digital Certificate for an ES PIC on an M Series or T Series Router
  - Generating a Private and Public Key Pair for Digital Certificates for an ES PIC
  - Configuring Digital Certificates for an ES PIC
  - Configuring an IKE Policy for Digital Certificates for an ES PIC
  - Associating the Configured Security Association with a Logical Interface
Digital Certificates Overview
A digital certificate provides a way of authenticating users through a trusted third party called a certificate authority (CA). The CA validates the identity of a certificate holder and “signs” the certificate to attest that it has not been forged or altered.
A certificate includes the following information:
- The distinguished name (DN) of the owner. A DN is a unique identifier and consists of a fully qualified name including the common name (CN) of the owner, the owner’s organization, and other distinguishing information.
- The public key of the owner.
- The date on which the certificate was issued.
- The date on which the certificate expires.
- The distinguished name of the issuing CA.
- The digital signature of the issuing CA.
The additional information in a certificate allows recipients to decide whether to accept the certificate. The recipient can determine if the certificate is still valid based on the expiration date. The recipient can check whether the CA is trusted by the site based on the issuing CA.
With a certificate, a CA takes the owner’s public key, signs that public key with its own private key, and returns this to the owner as a certificate. The recipient can extract the certificate, which contains the CA’s signature along with the owner’s public key. By using the CA’s public key and the CA’s signature on the extracted certificate, the recipient can validate the CA’s signature and the owner of the certificate.
When you use digital certificates, you first send a request to obtain a certificate from your CA. You then configure digital certificates and a digital certificate IKE policy. Finally, you obtain a digitally signed certificate from a CA.
Note: Certificates without an alternate subject name are not appropriate for IPsec services.
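The recipient-side checks described in this overview (expiration date, trusted issuing CA and its signature, and the alternate subject name that IPsec needs) can be tried with the openssl command line. This is an added example, not Junos configuration and not part of the original page; the CA name, router name, and file names are constructed sample values.

```shell
#!/bin/sh
# Added example (not Junos configuration). All names are constructed samples.

# make_samples DIR: create a throwaway CA plus two owner certificates signed
# by it, one with a subject alternative name and one without.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example/CN=Example CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=router1.example.net" \
        -keyout "$d/owner.key" -out "$d/owner.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:router1.example.net\n' > "$d/san.ext"
    # The CA signs the owner's public key (from the request) with its private key.
    openssl x509 -req -in "$d/owner.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 7 -extfile "$d/san.ext" \
        -out "$d/with_san.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$d/owner.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 7 -out "$d/no_san.crt" 2>/dev/null || return 1
}

# check_cert CA_FILE CERT_FILE: prints "accept" and returns 0, or prints the
# first failed check and returns 1 (expired), 2 (issuer/signature), 3 (no SAN).
check_cert() {
    ca=$1; cert=$2
    # Expiration date: -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "reject: expired"; return 1; }
    # Issuing CA is trusted by this site and its signature validates.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "reject: not signed by the trusted CA"; return 2; }
    # Subject alternative name present, as the note requires for IPsec.
    openssl x509 -in "$cert" -noout -text | grep -q "Subject Alternative Name" \
        || { echo "reject: no subject alternative name"; return 3; }
    echo "accept"
}

# Demo on constructed samples.
tmp=$(mktemp -d) && make_samples "$tmp" && {
    check_cert "$tmp/ca.crt" "$tmp/with_san.crt"          # accept
    check_cert "$tmp/ca.crt" "$tmp/no_san.crt" || true    # reject: no SAN
}
rm -rf "$tmp"
```

A certificate issued by a different CA that happens to use the same distinguished name still fails the second check, because the signature is validated against the trusted CA's public key rather than matched by name.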


