 |
Note: The name of the file sent to you by the CA might not match the name of the certificate identifier. However, the certificate-id name must always match the name of the key pair you generated for the routing platform. |
Generate a local certificate request manually and send it to the CA for processing:
- user@host> request security pki generate-certificate-request
certificate-id local-entrust2 domain-name router2.juniper.net filename
entrust-req2
- subject cn=router2.juniper.net
Generated certificate request -----BEGIN CERTIFICATE REQUEST----- MIIBoTCCAQoCAQAwGjEYMBYGA1UEAxMPdHAxLmp1bmlwZXIubmV0MIGfMA0GCSqG SIb3DQEBAQUAA4GNADCBiQKBgQCiUFklQws1Ud+AqN5DDxRs2kVyKEhh9qoVFnz+ Hz4c9vsy3B8ElwTJlkmIt2cB3yifB6zePd+6WYpf57Crwre7YqPkiXM31F6z3YjX H+1BPNbCxNWYvyrnSyVYDbFj8o0Xyqog8ACDfVL2JBWrPNBYy7imq/K9soDBbAs6 5hZqqwIDAQABoEcwRQYJKoZIhvcNAQkOMTgwNjAOBgNVHQ8BAf8EBAMCB4AwJAYD VR0RAQH/BBowGIIWdHAxLmVuZ2xhYi5qdW5pcGVyLm5ldDANBgkqhkiG9w0BAQQF AAOBgQBc2rq1v5SOQXH7LCb/FdqAL8ZM6GoaN5d6cGwq4bB6a7UQFgtoH406gQ3G 3iH0Zfz4xMIBpJYuGd1dkqgvcDoH3AgTsLkfn7Wi3x5H2qeQVs9bvL4P5nvEZLND EIMUHwteolZCiZ70fO9Fer9cXWHSQs1UtXtgPqQJy2xIeImLgw== -----END CERTIFICATE REQUEST----- Fingerprint: 0d:90:b8:d2:56:74:fc:84:59:62:b9:78:71:9c:e4:9c:54:ba:16:97 (sha1) 1b:08:d4:f7:90:f1:c4:39:08:c9:de:76:00:86:62:b8 (md5)
The trusted CA digitally signs the local certificate and returns it to you. Copy the certificate file into the routing platform and load the certificate:
- user@host> request security pki local-certificate
load filename /tmp/router2-cert certificate-id
local-entrust2
- Local certificate local-entrust2 loaded successfully
|
Note: The name of the file sent to you by the CA might not match the name of the certificate identifier. However, the certificate-id name must always match the name of the key pair you generated for the routing platform. |
After the local and CA certificates have been loaded, you can reference them in your IPSec configuration. Using default values in the AS and MultiServices PICs, you do not need to configure an IPSec proposal or an IPSec policy. However, you must configure an IKE proposal that specifies the use of digital certificates, reference the IKE proposal and locate the certificate in an IKE policy, and apply the CA profile to the service set.
For more information about how to configure an IKE proposal for an AS PIC or MultiServices PIC, see the “IPSec Services Configuration Guidelines” chapter in the JUNOS Services Interfaces Configuration Guide.
 | Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |