
Generating and Enrolling a Local Digital Certificate

Each router is initially enrolled manually with the CA and then obtains the router certificate for its identity. This certificate is sent to the remote peer router during the Internet Key Exchange (IKE) negotiation.

You can generate and enroll a local digital certificate in the CLI operational mode only. To generate and enroll a local digital certificate:

  1. Enter the CLI operational mode.
  2. Perform the tasks described in Table 35.
  3. Go on to Loading a Digital Certificate on a Services Router.

Table 35: Generating and Enrolling a Local Certificate

Generate a local digital certificate.

Certificate ID—Unique ID used to identify all of the related key pairs, certificates, and PKCS-10 certificate request files.

CA profile—Name of the configured certificate authority profile.

Subject—Common name, department, organizational unit name, company name, state, and country for the digital certificate.

Domain name—Fully qualified domain name that identifies the certificate owner during IKE negotiations.

Challenge password—Password used by the CA for certificate enrollment and revocation.

IP address (Optional)—IP address if the Services Router has a static IP address.

Validity start time (Optional)—Length of time that a certificate is valid.

Enter

request security pki local-certificate enroll certificate-id certificate-id

Enter

request security pki local-certificate enroll ca-profile ca-profile subject subject-distinguished-name domain-name domain-name challenge-password challenge-password ip-address ip-address validity-start-time start-time validity-end-time end-time

