Configuring Digital Certificates Using the Offline Method

[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]

JUNOSe 9.1.x IP Services Configuration Guide > Configuring Digital Certificates > Configuring Digital Certificates Using the Offline Method
Configuring Digital Certificates Using the Offline Method

To use the offline method to set up digital certificates on the router:
Generate RSA key pairs.
host1(config)#ipsec key generate rsa 2048
Please wait.................................................
..........................
IPsec Generate Keys complete 
In your IKE policy, set the authentication method to RSA signatures.
host1(config)#ipsec ike-policy-rule 1
host1(config-ike-policy)#authentication rsa-sig
host1(config-ike-policy)#exit
host1(config)#
 NOTE: For more information about setting up IKE policies, see Defining an IKE Policy in Chapter 6, Configuring IPSec.



 
Enter IPSec Identity Configuration mode.
host1(config)#ipsec identity 
host1(config-ipsec-identity)#
Specify the information that the router uses to generate a certificate request.
Specify a country name.
host1(config-ipsec-identity)#country CA
Specify a common name.
host1(config-ipsec-identity)#common-name Jim 
Specify a domain name.
host1(config-ipsec-identity)#domain-name myerx.kanata.junipernetworks.com
Specify an organization.
host1(config-ipsec-identity)#organization juniperNetworks
host1(config-ipsec-identity)#exit
host1(config)#
Generate a certificate request using certificate parameters from the IPSec identity configuration.
host1(config)#ipsec certificate-request generate rsa myrequest.crq
After the certificate request is generated, you need to copy the file from the router and send it to the CA. Typically, you copy the file and paste it to a CA's Web page.

When you receive the certificate from the CA, copy the certificate to the router, and then inform the router that the new certificate exists.
host1(config)#ipsec certificate-database refresh 
(Optional) Set the sensitivity of how the router handles CRLs.
host1(config)#ipsec crl ignored
(Optional) To delete RSA key pairs, use the ipsec key zeroize command.
host1(config)#ipsec key zeroize rsa
authentication
Use to specify the authentication method that the router uses. For digital certificates, the method is set to RSA signature.

Example
host1(config-ike-policy)#authentication rsa-sig
Use the no version to restore the default, preshared keys.
common-name
Use to specify a common name used to generate certificate requests.

Example
host1(config-ipsec-identity)#common-name Jim 
Use the no version to remove the common name.
country
Use to specify a country name used to generate certificate requests.

Example
host1(config-ipsec-identity)#country CA
Use the no version to remove the country name.
domain-name
Use to specify the domain name that the router uses in IKE authentication messages and to generate certificate requests.

The domain name is used in the SubjectAlternative DNS certificate extensions and as an FQDN (fully qualified domain name) ID payload for IKE negotiations.

Example
host1(config-ipsec-identity)#domain-name myerx.kanata.junipernetworks.com
Use the no version to remove the domain name.
ike crl

Use to control how the router handles CRLs during negotiation of IKE phase 1 signature authentication. Specify one of the following keywords:

ignored—Allows negotiations to succeed even if a CRL is invalid or the peer's certificate appears in the CRL; this is the most lenient setting

optional—If the router finds a valid CRL, it uses it; this is the default setting

required—Requires a valid CRL; either the certificates that belong to the E-series router or the peer must not appear in the CRL; this is the strictest setting
Example
host1(config)#ike crl ignored
Use the no version to return the CRL setting to the default, optional.

NOTE: This command has been replaced by the ipsec crl command and may be removed completely in a future release.
ipsec certificate-database refresh
Use to inform the ERX router that a public key certificate has been copied to the router. The router then verifies public certificates found on its disk against its private key and prepares the certificates for use.

NOTE: On reload, the router scans all certificate files and determines which files are router public certificates and which are root CA certificates.

Example
host1(config)#ipsec certificate-database refresh 
There is no no version.
ipsec certificate-request generate
Use to cause the router to generate a certificate request using certificate parameters from the IPSec identity configuration.

Include a name for the certificate request file. The file name must have a .crq extension.

After the router generates the certificate, use offline methods to send the certificate request file to the CA.

Example
host1(config)#ipsec certificate-request generate rsa myrequest.crq
There is no no version.
ipsec crl

Use to control how the router handles CRLs during negotiation of IKE phase 1 signature authentication. Specify one of the following keywords:

ignored—Allows negotiations to succeed even if a CRL is invalid or the peer's certificate appears in the CRL; this is the most lenient setting

optional—If the router finds a valid CRL, it uses it; this is the default setting

required—Requires a valid CRL; either the certificates that belong to the E-series router or the peer must not appear in the CRL; this is the strictest setting
Example
host1(config)#ipsec crl ignored
Use the no version to return the CRL setting to the default, optional.

NOTE: This command replaces the ike crl command, which may be removed completely in a future release.
ipsec identity
Use to enter IPSec Identity Configuration mode in which you can specify information that the router uses in certificate requests and during negotiations with its peers.

Example
host1(config)#ipsec identity
host1(config-ipsec-identity)#
Use the no version to remove the identity configuration.
ipsec ike-policy-rule
Use to define an ISAKMP/IKE policy.

When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority.

Example
host1(config)#ipsec ike-policy-rule 3
host1(config-ike-policy)#
Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.

NOTE: This command replaces the ipsec isakmp-policy-rule command, which may be removed completely in a future release.
ipsec isakmp-policy-rule
Use to define an ISAKMP/IKE policy.

When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority.

Example
host1(config)#ipsec isakmp-policy-rule 3
host1(config-ike-policy)#
Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.

NOTE: This command has been replaced by the ipsec ike-policy-rule command and may be removed completely in a future release.
ipsec key generate
Use to generate RSA key pairs. Include a length of either 1024 or 2048 bits. The generated keys can be used only after the CA issues a certificate for them.

Example
host1(config)#ipsec key generate rsa 2048
Please wait.................................................
..........................
IPsec Generate Keys complete 
There is no no version. To remove a key pair, use the ipsec key zeroize command.
ipsec key zeroize

Use to delete RSA key pairs. Include one of the following keywords:

rsa—Removes the RSA key pair from the router

pre-share—Removes all preshared keys from the router

all—Removes all keys within the VR context from the router
Example
host1(config)#ipsec key zeroize rsa
There is no no version.
organization
Use to specify the organization used in the Subject Name field of certificates.

Example
host1(config-ipsec-identity)#organization juniperNetworks
Use the no version to remove the organization name.

[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]