The IPSec implementation in the Services Router allows you to use one of two authentication methods: preshared keys or digital certificates.
When you configure IPSec for secure communications, the peer devices must have at least one authentication method in common. Only one authentication method is used between a given pair of devices, regardless of how many methods are configured on each of them.
Preshared keys are secret values shared by the peer devices in an IPSec-enabled network. You must configure the same key on each Services Router before any communication can take place. You enter preshared keys on each device manually; IKE then uses the preshared key to authenticate the peers and negotiates the session keys dynamically, so the preshared key itself is never sent across the network.
Certificates are digital identifiers that validate the authenticity of an individual or a device. A digital certificate implementation uses the public key infrastructure (PKI), which requires you to generate a key pair consisting of a public key and a private key. Certificates are issued by certificate authorities (CAs), which are public or private organizations that manage a PKI.
The main function of a digital certificate is to bind a device or user to a public-private key pair, so that a peer can verify the binding by checking the CA's signature on the certificate. Digital certificates also verify the authenticity of data and indicate privileges and roles within secure communication. A digital certificate consists of data that definitively identifies an individual, system, company, or organization. In addition to the identification data, the digital certificate contains a serial number (unique within the issuing CA), a copy of the certificate holder's public key, the identity and digital signature of the issuing CA, and a validity period with a start and an expiration date.
Note: We recommend that you become familiar with PKI and digital certificates before implementing this feature on a Services Router. For white papers about digital certificates and additional information about PKI, see the following Web sites:
During the course of business, circumstances such as the following cause a certificate to become invalid before the validity period expires:
When events like these occur, the CA revokes or suspends the certificate. A revoked certificate is permanently deactivated, whereas a suspended certificate can be reactivated later. Each CA periodically issues a signed list of the certificates it has revoked or suspended, called a certificate revocation list (CRL). Each entry in a CRL identifies the certificate by its serial number, so a CRL can only be used to check certificates issued by the same CA, and a device must verify the CA's signature on the CRL before relying on it. A CRL also carries the time of its next scheduled update; a CRL that is past that time may be missing newer revocations and should be treated as stale. You can retrieve the CA's CRL online automatically at daily, weekly, or monthly intervals, or at the default interval set by the CA.
You can configure the Services Router to refresh CRLs at specified intervals and check peer certificates against them. You can download CRLs either automatically using the Lightweight Directory Access Protocol (LDAP) or manually. Only Microsoft and Entrust CAs are supported. For more information about configuring CRLs, see the JUNOS Services Interfaces Configuration Guide.
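The following program is an added example and is not part of the original Juniper documentation or of the JUNOS implementation. It shows, in Go (standard library only, Go 1.21 or later), the checks a device must perform before trusting a peer certificate, as described in the two sections above: the CA's signature on the certificate and its validity period, then the CRL's own signature and next-update time, and finally a lookup of the peer's serial number in the list. The CA, the three router certificates (serials 1001 to 1003, named router-a to router-c), the CRL and the fixed clock value `now` are all constructed inside the example. The reason codes keyCompromise (1) and certificateHold (6) come from RFC 5280, where certificateHold is the suspended state described above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CRL reason codes (RFC 5280, 5.3.1): certificateHold is the "suspended" state the
// text describes and can be lifted later; keyCompromise is a permanent revocation.
const reasonKeyCompromise, reasonCertificateHold = 1, 6

var (
	ErrRevoked   = errors.New("peer certificate is revoked")
	ErrSuspended = errors.New("peer certificate is suspended (certificateHold)")
	now          = time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC) // fixed clock so the constructed fixtures are deterministic
)

// sign generates a key pair and signs tmpl with parent (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// checkPeer is what an IPSec endpoint does before trusting a peer certificate: chain and
// validity period against the configured CA, then the CRL's own signature and freshness,
// then a serial-number lookup. Any failure rejects the peer (fail closed).
func checkPeer(peer, ca *x509.Certificate, crlDER []byte, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at}); err != nil {
		return fmt.Errorf("certificate: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // a tampered or foreign CRL is rejected
		return fmt.Errorf("crl signature: %w", err)
	}
	if at.Before(crl.ThisUpdate) || at.After(crl.NextUpdate) { // a stale list may lack newer revocations
		return fmt.Errorf("crl not current (nextUpdate %s)", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			if e.ReasonCode == reasonCertificateHold {
				return ErrSuspended
			}
			return ErrRevoked
		}
	}
	return nil
}

// buildFixtures constructs (hypothetical data) a CA, three router certificates with
// serials 1001-1003, and a one-week CRL listing 1002 as key-compromised and 1003 as on hold.
func buildFixtures() (ca *x509.Certificate, routers []*x509.Certificate, crl []byte, err error) {
	ca, caKey, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example IPSec CA"},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	for i, cn := range []string{"router-a", "router-b", "router-c"} {
		c, _, err := sign(&x509.Certificate{
			SerialNumber: big.NewInt(int64(1001 + i)), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature,
		}, ca, caKey)
		if err != nil {
			return nil, nil, nil, err
		}
		routers = append(routers, c)
	}
	crl, err = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: big.NewInt(1002), RevocationTime: now.Add(-time.Hour), ReasonCode: reasonKeyCompromise},
			{SerialNumber: big.NewInt(1003), RevocationTime: now.Add(-time.Hour), ReasonCode: reasonCertificateHold},
		},
	}, ca, caKey)
	return ca, routers, crl, err
}

func main() {
	ca, routers, crl, err := buildFixtures()
	if err != nil {
		panic(err)
	}
	for _, r := range routers {
		fmt.Println(r.Subject.CommonName, "->", checkPeer(r, ca, crl, now))
	}
	fmt.Println("router-a with CRL past nextUpdate ->", checkPeer(routers[0], ca, crl, now.Add(30*24*time.Hour)))
}
```

Run with `go run`: router-a is accepted, router-b is rejected as revoked, router-c as suspended, and router-a is rejected again when the check is made after the CRL's next-update time has passed. An unverifiable or stale CRL rejects the peer rather than letting it through; that is this example's choice, and a deployment that fetches CRLs from an LDAP server still has to decide what it does when the fetch fails.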