When you configure authentication-method rsa-signatures at the [edit services ipsec-vpn ike proposal proposal-name] hierarchy level, public key infrastructure (PKI) digital certificates authenticate peers; for more information, see Configuring an IKE Authentication Method. You must identify a local certificate that is sent to the peer during the IKE authentication phase.
To configure an IKE policy local certificate, include the local-certificate statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level:
    local-certificate identifier;
The local-certificate statement specifies the identifier used to obtain the end entity’s certificate from the certification authority. Configuring it in an IKE policy allows you the flexibility of using a separate certificate with each remote peer if that is needed. You must also specify the identity of the certification authority by configuring the ca-profile statement at the [edit security pki] hierarchy level; for more information, see the JUNOS System Basics Configuration Guide. For complete examples of digital certificate configuration, see the JUNOS Feature Guide.
You can use the configured profiles to establish a set of trusted certification authorities for use with a particular service set. This enables you to configure separate service sets for individual clients to whom you are providing IP services; the distinct service sets provide logical separation of one set of IKE sessions from another, using different local gateway addresses, or virtualization. To configure the set of trusted certification authorities, include the trusted-ca statement at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level:
    trusted-ca ca-profile;
For more information, see Configuring IPSec Options.
A certificate revocation list (CRL) contains a list of digital certificates that have been cancelled before their expiration date. When a participating peer uses a digital certificate, it checks the certificate signature and validity. It also acquires the most recently issued CRL and checks that the certificate serial number is not on that CRL.
Note: By default, certificate revocation list verification is enabled. You can disable CRL verification by including the disable statement at the [edit security pki ca-profile ca-profile-name revocation-check] hierarchy level. By default, if the router either cannot access the Lightweight Directory Access Protocol (LDAP) URL or retrieve a valid certificate revocation list, certificate verification fails and the IPSec tunnel is not established. To override this behavior and permit the authentication of the IPSec peer when the CRL is not downloaded, include the disable on-download-failure statement at the [edit security pki ca-profile ca-profile-name revocation-check crl] hierarchy level.
To use the CA certificate revocation list, you include statements at the [edit security pki ca-profile ca-profile-name revocation-check] hierarchy level. For details, see the JUNOS System Basics Configuration Guide.
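The following configuration fragment is an added example, not taken from the JUNOS documentation, that puts the statements described above (rsa-signatures, local-certificate, trusted-ca, ca-profile and revocation-check) together into one consistent setup. The proposal, service-set and CA profile names, the certificate identifier, the peer address 192.0.2.10 and the LDAP URL are placeholders; the ca-identity and crl url statements are standard JUNOS PKI statements not shown on this page.

```junos
# Added example: one router authenticating an IKE peer with PKI certificates.
# All names, the peer address and the LDAP URL below are placeholders.
services {
    ipsec-vpn {
        ike {
            proposal ike-prop-rsa {
                # Peers are authenticated with digital certificates, not pre-shared keys.
                authentication-method rsa-signatures;
            }
            # In this hierarchy the policy is named by the remote peer address (assumption).
            policy 192.0.2.10 {
                proposals ike-prop-rsa;
                # Identifier of the end-entity certificate this router presents during IKE.
                local-certificate peer1-cert;
            }
        }
    }
    service-set cust1-ss {
        ipsec-vpn-options {
            # Only peer certificates chaining to this CA profile are trusted for this
            # service set; other customers get their own service set and trusted-ca.
            trusted-ca cust1-ca;
        }
    }
}
security {
    pki {
        ca-profile cust1-ca {
            ca-identity cust1-ca;            # placeholder CA identity
            revocation-check {
                crl {
                    # Placeholder CRL distribution point; the router fetches the most
                    # recently issued CRL and rejects certificates whose serial is listed.
                    url ldap://crl.example.net/cn=cust1-ca;
                    # Default behaviour is fail-closed: if the CRL cannot be retrieved,
                    # verification fails and no tunnel is established. The statement
                    # below would make this fail-open; it is left commented out on purpose.
                    # disable on-download-failure;
                }
            }
        }
    }
}
```

Leaving revocation-check enabled with its fail-closed default means a revoked peer certificate is refused even when the CRL server is unreachable; enable disable on-download-failure only where tunnel availability is deliberately valued above revocation enforcement.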