Configuring Digital Certificates Using the Offline Method

To use the offline method to set up digital certificates on the router:

  1. Generate RSA key pairs.
    host1(config)#ipsec key generate rsa 2048
    Please wait...........................................................................
    IPsec Generate Keys complete
  2. In your IKE policy, set the authentication method to RSA signatures.
    host1(config)#ipsec ike-policy-rule 1
    host1(config-ike-policy)#authentication rsa-sig
    host1(config-ike-policy)#exit
    host1(config)#

    Note: For more information about setting up IKE policies, see Defining an IKE Policy in Configuring IPsec.

  3. Enter IPsec Identity Configuration mode.
    host1(config)#ipsec identity
    host1(config-ipsec-identity)#
  4. Specify the information that the router uses to generate a certificate request.
    1. Specify a country name.
      host1(config-ipsec-identity)#country CA
    2. Specify a common name.
      host1(config-ipsec-identity)#common-name Jim
    3. Specify a domain name.
      host1(config-ipsec-identity)#domain-name myerx.kanata.junipernetworks.com
    4. Specify an organization.
      host1(config-ipsec-identity)#organization juniperNetworks
      host1(config-ipsec-identity)#exit
      host1(config)#
  5. Generate a certificate request using certificate parameters from the IPsec identity configuration.
    host1(config)#ipsec certificate-request generate rsa myrequest.crq
  6. After the certificate request is generated, copy the file from the router and send it to the CA. Typically, you paste the contents of the file into the CA's webpage.
  7. When you receive the certificate from the CA, copy the certificate to the router, and then inform the router that the new certificate exists.
    host1(config)#ipsec certificate-database refresh
  8. (Optional) Set how strictly the router handles certificate revocation lists (CRLs).
    host1(config)#ipsec crl ignored
  9. (Optional) To delete RSA key pairs, use the ipsec key zeroize command.
    host1(config)#ipsec key zeroize rsa

authentication
common-name
country
domain-name
ike crl
ipsec certificate-database refresh
ipsec certificate-request generate
ipsec crl
ipsec identity
ipsec ike-policy-rule
ipsec isakmp-policy-rule
ipsec key generate
ipsec key zeroize
organization