Appendix C: DoD PKI Usage

The USA Federal Government Department of Defense (DoD) maintains a public key infrastructure (PKI) used by many entities, including the military.

• DoD PKI Introduction
• DoD PKI Setup
• Setting Up IKE Using DoD PKI Certificates

DoD PKI Introduction

DoD PKI uses a custom PKI solution based on the Netscape iPlanet certificate authority (CA) server. Although Junos does not officially support Netscape iPlanet CA, it provides support to an extent required for DoD PKI. This custom PKI solution includes its own certificate profiles and security policies which may differ from other CAs.

You must analyze the DoD PKI profile to understand the requirements for operating with DoD PKI. Here is the summary of the features of DoD PKI:

• The DoD PKI is composed of a 3-layer certificate hierarchy and includes
  • Root CA — JITC DoD PKI Class 3 Root CA
  • Subordinate CA — JITC DoD PKI Class 3 ID CA. The subordinate CA issues all end-entity certificates.

    Note: A server certificate (which the Junos device acquires) does not have a SubjectAlternativeName extension field (example — Certificate acquired through an e-mail). A server certificate acquired by NS Remote client, will normally have a SubjectAlternativeName field containing an Internet Key Exchange (IKE) ID type of e-mail.

• The DN of all DoD PKI certificates can have multiple OU fields.

  A server certificate issued by DoD PKI has the DN form that includes the following fields:

  • CN=server <DNS name or IP>
  • OU=<military/government organization>
  • OU=PKI
  • OU=DoD
  • O=US. Government
  • C=US

  A user certificate has the DN form that includes the following fields:

  • Last Name
  • First Name
  • Middle Initial or Name (optional)
  • Generation (Jr., Sr., II, III, and so forth) (optional)
  • E-mail address
  • Organization (military/government or contractor)
  • City
  • State
  • Country
• The CA certificates can be downloaded from http://dodpki.c3pki.chamb.disa.mil/rootca.html. A certificate can be downloaded as two separate CA certificates (the root CA and the subordinate CA), or as a single PKCS7 envelope containing both.
• The root CRL is updated approximately every 30 days, where as the ID CRL is automatically updated every 24 hours. The CRL distribution point is in the CA certificate with attributes of certificaterevocationlist;binary. There is no scope or filter defined in the LDAP URL.

Junos OS needs to support multiple fields in order to interoperate with DoD PKI, It must support multiple OU fields to comply with the DN convention of the DoD PKI. Because Junos OS already supports multiple OU entries, this can be specified when generating a PKCS10 certificate request by adding multiple OU objects in the subject as shown in the example below:

request security pki generate-certificate-request certificate-id test hostname
user@idca.nit.disa.mil subject "CN=idca.nit.disa.mil,OU=DISA,OU=PKI,OU=DoD,
O=U.S. Government,C=US"

This requirement is not limited to just the OU or O fields of the DN, but also applies to all fields including S, L, and Country.

Note the following points about DoD PKI: DoD PKI supports a CRL Lightweight Directory Access Protocol (LDAP) search with default attributes and filters. The LDAP URL of the DoD PKI does not provide filters or a scope. DoD PKI supports certificate chaining and multilayer CRL verification. DoD PKI is a 2-layer CA hierarchy that is composed of a root CA and subordinate CA. DoD PKI supports DN as a peer gateway IKE ID type. Junos OS supports distinguished name as the IKE ID of a static or dynamic peer gateway. DoD PKI allows disabling of CRL-checking for easier viewing of debugging. Junos OS also supports this feature in ca-profile settings.

DoD PKI Setup

This section provides some notes on IKE configuration based on DoD PKI authentication. For more information, see DoD PKI Introduction.

• The DoD PKI uses a 2-tiered hierarchy of CAs; the device certificates are considered as a third or bottom tier. There are a couple of subordinate CAs and a root CA. You should retrieve and load the certificates for all these CAs in the Junos device.
• The DoD PKI supports one common name (CN) field in the DN.
• The DoD PKI requires multiple OU fields. The Junos device also supports multiple OU fields.
• You can download the DoD CRL files, or you can automatically use LDAP to retrieve the CRL. If you do use LDAP, make sure you have DNS set on the Junos device. This is required to resolve the name of the LDAP server. You can verify the connection by initiating the ping command from a Junos device to an LDAP server.
• The CRL file can be larger than 20 KB. Junos devices support up to 5 MB for the CRL.

Setting Up IKE Using DoD PKI Certificates

These steps are required to allow the Junos device to support Internet Key Exchange (IKE) tunnels based on DoD PKI authentication.

To set up an IKE using the DoD PKI certifications:

• Set up the IKE gateway by choosing a proposal which uses an RSA algorithm.

  Note: You must specify a distinguished name as the IKE ID. Since the DoD PKI certificates do not support the SubjectAlternativeName V3 extensions, the default FQDN (hostname + domain name) may not work.

• In the IKE gateway configuration, select the appropriate preferred local certificate, and peer CA certificate. The peer type can be X.509 or PKCS7. Select the X.509 peer type. If the tunnels do not work, then try the other format.

Related Topics

• Introduction to PKI in Junos OS
• Example: Configuring the PKI in Junos OS
• Verifying the PKI Configuration
• Appendix A: Frequently Asked Questions
• Glossary of PKI Related Terms