 | Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |
Certification authorities can issue certificates to other CAs. This creates a tree-like certification hierarchy. The highest trusted CA in the hierarchy is called the trust anchor. Sometimes the trust anchor is the root CA, which is usually signed by itself. In the hierarchy, every certificate is signed by the CA immediately above it. An exception is the root CA certificate, which is usually signed by the root CA itself. In general, a chain of multiple certificates may be needed, comprising a certificate of the public key owner (the end entity) signed by one CA, and zero or more additional certificates of CAs signed by other CAs. Such chains, called certification paths, are required because a public key user is only initialized with a limited number of assured CA public keys.
Path length refers to a path of certificates from one certificate to another certificate, based on the relationship of a CA and its “ children” . When you configure the path length statement, you specify the maximum depth of the hierarchy to validate a certificate from the trusted root CA certificate to the certificate in question. For more information about the certificate hierarchy, see RFC 3280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
By default, the maximum certificate path length is set to 15. The root anchor is 1.
To configure path length, include the path-length statement at the [edit security certificates] hierarchy level:
- [edit security certificates]
-
path-length certificate-path-length;
certificate-path-length is the maximum number certificates for the certificate path length. The range is from 2 through 15 certificates.
| Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |