Use the auto-re-enrollment statement to configure automatic reenrollment of a specified existing router certificate before its expiration date. The reenrollment process requests that the certificate authority (CA) issue a new router certificate with a new expiration date. The date of auto-reenrollment is determined by the following parameters:
Note: By default, this feature is not enabled unless configured explicitly. This means that a certificate that does not have auto-reenrollment configured will expire on its normal expiration date.
The ca-profile statement specifies which CA will be contacted to reenroll the expiring certificate. This is the CA that issued the original router certificate.
The challenge-password statement provides the issuing CA with the router certificate’s password, as set by the administrator and normally obtained from the SCEP enrollment Web page of the CA. The password is 16 characters in length.
Optionally, the router certificate key pair can be regenerated by using the re-generate-keypair statement.
To configure the auto-re-enrollment statement and its properties, include the following statements at the [edit security pki] hierarchy level:
```
[edit security pki]
auto-re-enrollment {
    certificate-id {
        ca-profile ca-profile-name;
        challenge-password password;
        re-enroll-trigger-time percentage;
        re-generate-keypair;
        validity-period days;
    }
}
```
percentage is the percentage for the reenroll trigger time. The range can be from 1 through 99 percent.
days is the number of days for the validity period. The range can be from 1 through 4095.
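A small lint for the statements and ranges described above, as an added example that is not Juniper's code. The sample stanza is constructed, and the certificate names after certificate-id (router1-cert, router2-cert), the CA profile name and the password strings are assumptions.

```python
import re

RANGES = {"re-enroll-trigger-time": (1, 99), "validity-period": (1, 4095)}
REQUIRED = ("ca-profile", "challenge-password")

# Constructed sample; certificate names and values are made up for illustration.
SAMPLE = """\
auto-re-enrollment {
    certificate-id router1-cert {
        ca-profile example-ca;
        challenge-password "constructed-value";
        re-enroll-trigger-time 120;
    }
    certificate-id router2-cert {
        challenge-password "constructed-value";
        re-generate-keypair;
        validity-period 5000;
    }
}
"""

def parse_stanzas(text):
    """Return {certificate name: {statement: value}} for each certificate-id block."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"certificate-id\s+(\S+)\s*\{$", line)
        if match:
            current = stanzas.setdefault(match.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            current[key] = value.strip().strip('"')
    return stanzas

def lint(stanzas):
    """Return (certificate, finding) pairs: missing statements, values outside the page's ranges."""
    findings = []
    for cert, stmts in stanzas.items():
        findings += [(cert, f"missing {key}") for key in REQUIRED if not stmts.get(key)]
        for key, (low, high) in RANGES.items():
            value = stmts.get(key)
            if value is not None and not (value.isdigit() and low <= int(value) <= high):
                findings.append((cert, f"{key} {value!r} outside {low}-{high}"))
        if "re-generate-keypair" not in stmts:
            findings.append((cert, "re-generate-keypair not set"))
    return findings

if __name__ == "__main__":
    print(*(f"{c}: {f}" for c, f in lint(parse_stanzas(SAMPLE))), sep="\n")
```

The "re-generate-keypair not set" finding is informational: the statement is optional, and the lint only reports where it is absent so the choice is visible during review.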
This section contains the following topics: