JUNOSe 9.1.x IP Services Configuration Guide > Configuring Digital Certificates > Configuring Digital Certificates Using the Online Method

Configuring Digital Certificates Using the Online Method

To use the online configuration method to set up digital certificates on the router:

1. Generate the RSA key pair.

host1(config)#ipsec key generate rsa 2048

Please wait.................................................

..........................

IPsec Generate Keys complete 

2. In your IKE policy, set the authentication method to RSA signatures.

host1(config)#ipsec ike-policy-rule 1

host1(config-ike-policy)#authentication rsa-sig

host1(config-ike-policy)#exit

 NOTE:  For more information about setting up IKE policies, see Defining an IKE Policy in Chapter 6, Configuring IPSec.



 

3. Enter IPSec CA Identity Configuration mode, and specify the name of the certificate authority.

host1(config)#ipsec ca identity trustedca1

host1(config-ca-identity)#

4. Specify the name of the CA issuer.

host1(config-ca-identity)#issuer-identifier BetaSecurityCorp

5. Specify the URL of the SCEP server from which the CA certificates and the router's public certificates is retrieved.

host1(config-ca-identity)#enrollment url http://192.168.99.105/scepurl

6. (Optional) Set the sensitivity of how the router handles CRLs.

host1(config-ca-identity)#crl ignored

7. (Optional) Specify the wait period between certificate request retries.

host1(config-ca-identity)#enrollment retry-period 5

8. (Optional) Specify the absolute time limit on enrollment.

host1(config-ca-identity)#enrollment retry-limit 60

9. (Optional) Specify the URL of your network's HTTP proxy server.

host1(config-ca-identity)#root proxy url http://192.168.5.45

host1(config-ca-identity)#exit

10. Retrieve the CA certificate.

host1(config)#ipsec ca authenticate trustedca1

11. Enroll with the CA and retrieve the router's certificate from the CA.

host1(config)#ipsec ca enroll trustedca1 My498pWd

12. (Optional) To delete RSA key pairs, use the ipsec key zeroize command.

authentication

• Use to specify the authentication method that the router uses. For digital certificates, the method is set to RSA signature.
• Example

host1(config-ike-policy)#authentication rsa-sig

• Use the no version to restore the default, preshared keys.

crl

• Use to control how the router handles certificate revocation lists (CRLs) during negotiation of online IKE phase 1 signature authentication. Specify one of the following keywords:

• ignored—Allows negotiations to succeed even if a CRL is invalid or the peer's certificate appears in the CRL; this is the most lenient setting
• optional—If the router finds a valid CRL, it uses it; this is the default setting
• required—Requires a valid CRL; either the certificates that belong to the E-series router or the peer must not appear in the CRL; this is the strictest setting

• Example

host1(config-ca-identity)#crl ignored

• Use the no version to return the CRL setting to the default, optional.

enrollment retry-limit

• Use to set the time period during which the router continues to send a certificate request to the CA. You can specify a time period in the range 0–480 minutes, with 0 specifying an infinite time period.
• Example

host1(config-ca-identity)#enrollment retry-limit 200

• Use the no version to restore the default of 60 minutes.

enrollment retry-period

• Use to set the number of minutes that the router waits after receiving no response before resending a certificate request to the CA. You can specify a wait period in the range 0–60 minutes.
• Example

host1(config-ca-identity)#enrollment retry-period 40

• Use the no version to restore the default, 1 minute.

enrollment url

• Use to specify the URL of the SCEP server, in the format http://server_ipaddress. You can then use the ipsec ca authentication command to retrieve CA certificates from the SCEP server, and the ipsec ca enroll command to retrieve the router's public key certificates from the server.
• Example

host1(config-ca-identity)#enrollment url http://192.168.99.105/scepurl

• Use the no version to delete the enrollment URL specification.

ipsec ca authenticate

• Use to retrieve the specified CA's certificate. If authentication is successful, the fingerprint is sent, and an ikeEnrollment message is logged at severity info.
• The CA must be previously declared by the ipsec ca identity command.
• Example

host1(config)#ipsec ca authenticate trustedca1 

host1(config)#INFO 10/18/2003 03:45:16 ikeEnrollment (): Received CA 
certificate for ca:trustedca1

INFO 10/18/2003 03:45:16 ikeEnrollment (): Received CA certificate for 
ca:trustedca1 fingerprint:28:19:ba:76:d8:e0:bb:22:60:cd:b9:2d:dc:b8:58:01

host1(config)#

• Use the no ipsec ca identity command for the specified CA, or boot the router using the factory defaults to remove the CA certificate that was generated during the online configuration.
• There is no no version.

ipsec ca enroll

• Use to enroll with the specified CA and to retrieve the router's public key certificate during online digital certificate configuration. If enrollment is successful, the CA sends the certificate to the router and logs an ikeEnrollment message is logged at severity info.
• Use the password option, if required by the CA, to access the CA and enable enrollment.
• The CA must be previously declared by the ipsec ca identity command.
• Example

host1(config)#ipsec ca enroll trustedca1 My498pWd

host1(config)#INFO 10/18/2003 03:49:33 ikeEnrollment (): Received erx 
certificate for ca:trustedca1

host1(config)#

• Use the no ipsec ca identity command for the specified CA or boot the router using the factory defaults to remove the router's public certificate that was generated during the online configuration.
• There is no no version.

ipsec ca identity

• Use to specify the CA that the ERX router uses for online certificate requests and to enter IPSec Identity Configuration mode.
• In IPSec Identity Configuration mode you specify information that the router uses in certificate requests and during negotiations with its peers.
• Example

host1(config)#ipsec ca identity trustedca1

host1(config-ipsec-identity)#

• Use the no version to remove the identity configuration.

ipsec ike-policy-rule

• Use to define an ISAKMP/IKE policy.
• When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority.
• Example

host1(config)#ipsec ike-policy-rule 3

host1(config-ike-policy)#

• Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.
  

  NOTE: This command replaces the ipsec isakmp-policy-rule command, which may be removed completely in a future release.

  
  

ipsec isakmp-policy-rule

• Use to define an ISAKMP/IKE policy.
• When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority.
• Example

host1(config)#ipsec isakmp-policy-rule 3

host1(config-ike-policy)#

• Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.
  

  NOTE: This command has been replaced by the ipsec ike-policy-rule command and may be removed completely in a future release.

  
  

ipsec key generate

• Use to generate RSA key pairs. Include a length of either 1024 or 2048 bits. The generated keys can be used only after the CA issues a certificate for them.
• Example

host1(config)#ipsec key generate rsa 2048

Please wait.................................................

..........................

IPsec Generate Keys complete 

• There is no no version. To remove a key pair, use the ipsec key zeroize command.

ipsec key zeroize

• Use to delete RSA key pairs. Include one of the following keywords:

• rsa—Removes the RSA key pair from the router
• pre-share—Removes all preshared keys from the router
• all—Removes all keys within the VR context from the router

• Example

host1(config)#ipsec key zeroize rsa

• There is no no version.

issuer-identifier

• Use to specify the name of the CA issuer for online digital certificate configuration. The identifier and the enrollment URL specified by the enrollment url command are used together to create the CA authentication requests.
• Example

host1(config-ca-identity)#issuer-identifier BetaSecurityCorp

• Use the no version to remove the name from the configuration.

root proxy url

• Use to specify an HTTP proxy server that can submit HTTP requests on the E-series router's behalf to retrieve the root CA certificate. Use this command if your network has an HTTP proxy server installed between the E-series router and the Internet. Use the format http://server_ipaddress to specify the URL of the proxy server.
• Example

host1(config-ca-identity)#root proxy url http://192.168.5.45

• Use the no version to remove the root proxy URL from the configuration.