
Configuring Digital Certificates for Adaptive Services Interfaces

A digital certificate implementation uses the public key infrastructure (PKI), which requires you to generate a key pair consisting of a public key and a private key. The keys are created with a random number generator and are used to encrypt and decrypt data. In networks that do not use digital certificates, an IPSec-enabled device encrypts data with the private key and IPSec peers decrypt the data with the public key.

With digital certificates, the key sharing process requires an additional level of complexity. First, you and your IPSec peers ask a certificate authority (CA) to send you a CA certificate that contains the public key of the CA. Next, you ask the CA to enroll a local digital certificate that contains the public key and some additional information. When the CA processes your request, it signs your local certificate with the private key of the CA. You then install the CA certificate and the local certificate in your routing platform and load the CA in the remote devices before you can establish IPSec tunnels with your peers.

Note: For digital certificates, the JUNOS software supports VeriSign, Entrust, Cisco Systems, and Microsoft Windows CAs for the AS and MultiServices PICs.

To define the digital certificate configuration for J-series Services Routers and for Adaptive Services (AS) and MultiServices PICs installed on M-series and T-series routing platforms, include the following statements at the [edit security pki] hierarchy level:

[edit security]
pki {
    ca-profile ca-profile-name {
        ca-identity ca-identity;
        enrollment {
            url-name;
            retry number-of-enrollment-attempts;
            retry-interval seconds;
        }
        revocation-check {
            disable;
            crl {
                disable on-download-failure;
                refresh-interval number-of-hours;
                url {
                    url-name;
                    password;
                }
            }
        }
    }
}

Note: For more information about how to configure IPSec for an adaptive services interface, see the “IPSec” chapter of the JUNOS Feature Guide and the “IPSec Services Configuration Guidelines” chapter of the JUNOS Services Interfaces Configuration Guide.
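Two statements in this hierarchy weaken certificate validation: disable under revocation-check turns revocation checking off, and disable on-download-failure under crl lets verification proceed when the CRL cannot be downloaded. The following added example (not part of the JUNOS documentation) parses a brace-style configuration and reports CA profiles that use either statement; the sample configuration and its profile names are constructed for illustration.

```python
import re

# Constructed sample in the hierarchy shown above; profile names are hypothetical.
SAMPLE = """
security { pki {
    ca-profile lab-ca { ca-identity lab-ca; revocation-check { disable; } }
    ca-profile branch-ca { ca-identity branch-ca;
        revocation-check { crl { disable on-download-failure; refresh-interval 24; } } }
    ca-profile core-ca { ca-identity core-ca;
        revocation-check { crl { refresh-interval 24; } } }
} }
"""

def parse(text):
    """Parse brace-delimited configuration text into nested dicts."""
    root = {}
    stack, words = [root], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":                       # statement opens a block
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == ";":                     # leaf statement ends
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root

def audit(text):
    """Return (profile, finding) pairs for weakened revocation checking."""
    pki = parse(text).get("security", {}).get("pki", {})
    findings = []
    for key, body in pki.items():
        if not key.startswith("ca-profile "):
            continue
        name = key.split()[1]
        rc = (body or {}).get("revocation-check") or {}
        if "disable" in rc:
            findings.append((name, "revocation checking disabled"))
        if "disable on-download-failure" in (rc.get("crl") or {}):
            findings.append((name, "CRL download failure ignored"))
    return findings

if __name__ == "__main__":
    for profile, finding in audit(SAMPLE):
        print(f"{profile}: {finding}")
```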

The following steps enable you to implement digital certificates on J-series Services Routers and AS and MultiServices PICs installed on M-series and T-series routing platforms:

