Configuring Digital Certificates Using the Offline Method
To use the offline method to set up digital certificates on the router:
- Generate RSA key pairs.
  host1(config)#ipsec key generate rsa 2048
  Please wait...........................................................................IPsec Generate Keys complete
- In your IKE policy, set the authentication method to RSA signatures.
  host1(config)#ipsec ike-policy-rule 1
  host1(config-ike-policy)#authentication rsa-sig
  host1(config-ike-policy)#exit
  host1(config)#

Note: For more information about setting up IKE policies, see Defining an IKE Policy in Configuring IPsec.
- Enter IPsec Identity Configuration mode.
  host1(config)#ipsec identity
  host1(config-ipsec-identity)#
- Specify the information that the router uses to generate a certificate request.
  - Specify a country name.
    host1(config-ipsec-identity)#country CA
  - Specify a common name.
    host1(config-ipsec-identity)#common-name Jim
  - Specify a domain name.
    host1(config-ipsec-identity)#domain-name myerx.kanata.junipernetworks.com
  - Specify an organization.
    host1(config-ipsec-identity)#organization juniperNetworks
    host1(config-ipsec-identity)#exit
    host1(config)#
- Generate a certificate request using certificate parameters from the IPsec identity configuration.
  host1(config)#ipsec certificate-request generate rsa myrequest.crq
- After the certificate request is generated, copy the file from the router and send it to the CA. Typically, you copy the file and paste its contents into the CA's Web page.
- When you receive the certificate from the CA, copy the certificate to the router, and then inform the router that the new certificate exists.
  host1(config)#ipsec certificate-database refresh
- (Optional) Set how strictly the router checks CRLs.
  host1(config)#ipsec crl ignored
- (Optional) To delete RSA key pairs, use the ipsec key zeroize command.
  host1(config)#ipsec key zeroize rsa
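Two points in this procedure are worth checking off the router with openssl(1): that the exported request really carries the identity configured above before it is handed to the CA, and that the certificate the CA returns was issued for the router's own key pair before it is loaded with ipsec certificate-database refresh. The following is an added example, not part of the Juniper documentation; the file names are placeholders and the sample data it builds is constructed.

```shell
#!/bin/sh
# Added example (not from the Juniper documentation): validate the request
# copied off the router, then validate the certificate the CA returns.
# Requires openssl(1). Expected values are the identity configured above.
set -eu

EXPECTED_C="CA"
EXPECTED_CN="Jim"
EXPECTED_O="juniperNetworks"
EXPECTED_FQDN="myerx.kanata.junipernetworks.com"

# check_request FILE: succeed only if the request's self-signature verifies, its
# subject carries C/O/CN, its SAN carries the domain name, and the key is 2048-bit.
check_request() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  subj=$(openssl req -in "$1" -noout -subject -nameopt RFC2253)
  text=$(openssl req -in "$1" -noout -text)
  case "$subj" in *"C=$EXPECTED_C"*) ;; *) return 1 ;; esac
  case "$subj" in *"O=$EXPECTED_O"*) ;; *) return 1 ;; esac
  case "$subj" in *"CN=$EXPECTED_CN"*) ;; *) return 1 ;; esac
  case "$text" in *"DNS:$EXPECTED_FQDN"*) ;; *) return 1 ;; esac
  case "$text" in *"Public-Key: (2048 bit)"*) ;; *) return 1 ;; esac
}

# check_issued REQ CERT: succeed only if the public key in the issued certificate
# is byte-for-byte the key in the request; a certificate for any other key will
# not pair with the router's private key and must not be loaded.
check_issued() {
  req_key=$(openssl req -in "$1" -noout -pubkey)
  crt_key=$(openssl x509 -in "$2" -noout -pubkey)
  [ -n "$req_key" ] && [ "$req_key" = "$crt_key" ]
}

# make_sample DIR: constructed test data standing in for the router's files: a
# key pair, a matching request, a certificate issued for that request, and a
# certificate issued for an unrelated key (the mismatch case).
make_sample() {
  printf '[req]\nprompt=no\ndistinguished_name=dn\nreq_extensions=ext\n[dn]\nC=%s\nO=%s\nCN=%s\n[ext]\nsubjectAltName=DNS:%s\n' \
    "$EXPECTED_C" "$EXPECTED_O" "$EXPECTED_CN" "$EXPECTED_FQDN" >"$1/req.cnf"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
    -out "$1/myrequest.crq" -config "$1/req.cnf" 2>/dev/null
  openssl x509 -req -in "$1/myrequest.crq" -signkey "$1/key.pem" -days 1 \
    -out "$1/issued.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/other.pem" \
    -out "$1/other.crq" -config "$1/req.cnf" 2>/dev/null
  openssl x509 -req -in "$1/other.crq" -signkey "$1/other.pem" -days 1 \
    -out "$1/mismatch.pem" 2>/dev/null
}
```

On real files, run check_request on the exported myrequest.crq before submitting it, then check_issued with the request and the certificate the CA returned (placeholder name router-cert.pem) before copying the certificate to the router.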
authentication
- Use to specify the authentication method that the router uses. For digital certificates, the method is set to RSA signature.
- Example:
  host1(config-ike-policy)#authentication rsa-sig
- Use the no version to restore the default, preshared keys.
- See authentication.
common-name
- Use to specify a common name used to generate certificate requests.
- Example:
  host1(config-ipsec-identity)#common-name Jim
- Use the no version to remove the common name.
- See common-name.
country
- Use to specify a country name used to generate certificate requests.
- Example:
  host1(config-ipsec-identity)#country CA
- Use the no version to remove the country name.
- See country.
domain-name
- Use to specify the domain name that the router uses in IKE authentication messages and to generate certificate requests.
- The domain name is used in the SubjectAlternative DNS certificate extensions and as an FQDN (fully qualified domain name) ID payload for IKE negotiations.
- Example:
  host1(config-ipsec-identity)#domain-name myerx.kanata.junipernetworks.com
- Use the no version to remove the domain name.
- See domain-name.
ike crl
- Use to control how the router handles CRLs during negotiation of IKE phase 1 signature authentication. Specify one of the following keywords:
  - ignored—Allows negotiations to succeed even if a CRL is invalid or the peer's certificate appears in the CRL; this is the most lenient setting
  - optional—If the router finds a valid CRL, it uses it; this is the default setting
  - required—Requires a valid CRL; neither the E Series router's certificates nor the peer's certificate may appear in the CRL; this is the strictest setting
- Example:
  host1(config)#ike crl ignored
- Use the no version to return the CRL setting to the default, optional.

Note: This command has been replaced by ipsec crl and may be removed completely in a future release.
- See ike crl.
ipsec certificate-database refresh
- Use to inform the ERX router that a public key certificate has been copied to the router. The router then verifies public certificates found on its disk against its private key and prepares the certificates for use.

Note: On reload, the router scans all certificate files and determines which files are router public certificates and which are root CA certificates.
- Example:
  host1(config)#ipsec certificate-database refresh
- There is no no version.
- See ipsec certificate-database refresh.
ipsec certificate-request generate
- Use to cause the router to generate a certificate request using certificate parameters from the IPsec identity configuration.
- Include a name for the certificate request file. The file name must have a .crq extension.
- After the router generates the certificate request, use offline methods to send the certificate request file to the CA.
- Example:
  host1(config)#ipsec certificate-request generate rsa myrequest.crq
- There is no no version.
- See ipsec certificate-request generate.
ipsec crl
- Use to control how the router handles CRLs during negotiation of IKE phase 1 signature authentication. Specify one of the following keywords:
  - ignored—Allows negotiations to succeed even if a CRL is invalid or the peer's certificate appears in the CRL; this is the most lenient setting
  - optional—If the router finds a valid CRL, it uses it; this is the default setting
  - required—Requires a valid CRL; neither the E Series router's certificates nor the peer's certificate may appear in the CRL; this is the strictest setting
- Example:
  host1(config)#ipsec crl ignored
- Use the no version to return the CRL setting to the default, optional.

Note: This command replaces ike crl, which may be removed completely in a future release.
- See ipsec crl.
ipsec identity
- Use to enter IPsec Identity Configuration mode in which you can specify information that the router uses in certificate requests and during negotiations with its peers.
- Example:
  host1(config)#ipsec identity
  host1(config-ipsec-identity)#
- Use the no version to remove the identity configuration.
- See ipsec identity.
ipsec ike-policy-rule
- Use to define an ISAKMP/IKE policy.
- When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority.
- Example:
  host1(config)#ipsec ike-policy-rule 3
  host1(config-ike-policy)#
- Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.

Note: This command replaces ipsec isakmp-policy-rule, which may be removed completely in a future release.
- See ipsec ike-policy-rule.
ipsec isakmp-policy-rule
- Use to define an ISAKMP/IKE policy.
- When you enter the command, you include a number that identifies the policy and assigns a priority to the policy. You can number policies in the range 1–10000, with 1 having the highest priority.
- Example:
  host1(config)#ipsec isakmp-policy-rule 3
  host1(config-ike-policy)#
- Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.

Note: This command has been replaced by ipsec ike-policy-rule and may be removed completely in a future release.
- See ipsec isakmp-policy-rule.
ipsec key generate
- Use to generate RSA key pairs. Include a length of either 1024 or 2048 bits. The generated keys can be used only after the CA issues a certificate for them.
- Example:
  host1(config)#ipsec key generate rsa 2048
  Please wait...........................................................................IPsec Generate Keys complete
- There is no no version. To remove a key pair, use the ipsec key zeroize command.
- See ipsec key generate.
ipsec key zeroize
- Use to delete RSA key pairs. Include one of the following keywords:
- rsa—Removes the RSA key pair from the router
- pre-share—Removes all preshared keys from the router
- all—Removes all keys within the VR context from the router
- Example:
  host1(config)#ipsec key zeroize rsa
- There is no no version.
- See ipsec key zeroize.
organization
- Use to specify the organization used in the Subject Name field of certificates.
- Example:
  host1(config-ipsec-identity)#organization juniperNetworks
- Use the no version to remove the organization name.
- See organization.