 | Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |
In a basic CA model, there is a single CA from which the ERX router obtains the root CA certificates and the router's public key certificates. The E-series router also supports CA hierarchies, which consist of a top-level root CA and one or more sub-CAs (also called issuing CAs).
In a CA hierarchy, the router obtains its public key certificates and the CA certificate from a sub-CA. The sub-CA's certificate is signed by the root CA.
This process creates a certificate chain of trust in which the E-series router must verify all certificates in the chain until the router reaches a trusted CA, such as the root CA. For example, if the router receives traffic from a peer with a certificate signed by a sub-CA, the router first verifies the sub-CA's signature on the peer's certificate, then verifies the sub-CA's certificate, which is signed by the trusted root CA.
The ERX router supports CA hierarchies consisting of the root CA and one level of sub-CAs. When using a CA hierarchy, the router authenticates and enrolls for its public certificate with the sub-CA. When you use the show ipsec ike-certificates command, the root CA and sub-CA certificates are listed as CA certificates, and the router's public certificates are signed by the sub-CA.
| Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |