Configuring a CA Profile with a Configuration Editor

The CA profile contains the name and the URL of the CA as well as a public key and additional information. The sample configuration in Table 41 configures a CA profile ca-profile-ipsec.

To configure a CA profile:

  1. Navigate to the top of the configuration hierarchy in either the J-Web or CLI configuration editor.
  2. Perform the tasks described in Table 41.
  3. Go on to Requesting a CA Certificate from a CA.

Table 41: Configuring a CA Profile

Each task below is followed by its J-Web Configuration Editor steps and its CLI Configuration Editor command.

Task: Navigate to the Security>Pki level in the configuration hierarchy.

J-Web Configuration Editor:

  1. In the J-Web interface, select Configuration>View and Edit>Edit Configuration.
  2. Next to Security, click Configure or Edit.
  3. Next to Pki, select the check box, and click Configure.

CLI Configuration Editor: From the [edit] hierarchy level, enter

edit security pki

Task: Add a new CA profile to the Services Router.

J-Web Configuration Editor:

  1. Next to Ca profile, click Add new entry.

CLI Configuration Editor: Enter

set ca-profile ca-profile-ipsec ca-identity verisign

Task: Configure the profile name and the CA identity—for example, ca-profile-ipsec and verisign.

J-Web Configuration Editor:

  1. In the Ca profile name box, type ca-profile-ipsec.
  2. In the Ca identity box, type verisign.

Task: Configure the following enrollment options:

  • Enrollment retry—Number of online enrollment attempts to allow for a router certificate with this CA profile if enrollment fails—for example, 10. The range is from 0 through 100 attempts.
  • Enrollment retry-interval—Length of time, in seconds, to allow between enrollment attempts—for example, 60. The range is from 0 through 3600 seconds.
  • Enrollment URL—URL where the Simple Certificate Enrollment Protocol (SCEP) request is sent to the certification authority configured in this profile—for example, http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe.

J-Web Configuration Editor:

  1. Next to Enrollment, click Configure.
  2. In the Retry box, type 10.
  3. In the Retry interval box, type 60.
  4. In the Url box, type http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe.
  5. Click OK twice.

CLI Configuration Editor: Enter

set ca-profile ca-profile-ipsec enrollment retry 10 retry-interval 60 url http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe

Task: Configure the following automatic-re-enrollment options:

  • Certificate ID—Specify the certificate authority (CA) certificate to use for automatic re-enrollment.
  • Challenge password—Specify the password used by the certificate authority (CA) for enrollment and revocation.
  • Re-enroll trigger time percentage—Specify the certificate re-enrollment time as a percentage of the time left before expiration. For example, to start re-enrollment when 10 percent of the certificate time remains, specify 10 percent.
  • Validity period—Specify the number of days during which the re-enrolled certificate is valid—for example, 2015. The range is from 1 through 4095 days.

J-Web Configuration Editor:

  1. Next to Auto re enrollment, click Configure.
  2. Next to Certificate id, click Add new entry.
  3. In the Certificate id name box, type cert1.
  4. In the Ca profile name box, type ca-profile-ipsec.
  5. In the Challenge password box, type ####.
  6. In the Re enroll trigger time percentage box, type 10.
  7. In the Validity period box, type 2015.
  8. Click OK until you return to the main Configuration page.

CLI Configuration Editor: Enter

set auto-re-enrollment certificate-id cert1 challenge-password #### re-enroll-trigger-time-percentage 10 validity-period 2015
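
Added example (not part of the original documentation or any Juniper tool): a Python check to run over the Table 41 set commands before committing. It validates the ranges the table states, flags an enrollment URL whose path has been split off by whitespace, and computes how many days before expiry re-enrollment starts. The function names, the 0-100 bound on the percentage, and treating the certificate lifetime as equal to validity-period are assumptions.

```python
RANGES = {  # limits as stated in Table 41
    "retry": (0, 100),             # enrollment attempts
    "retry-interval": (0, 3600),   # seconds between attempts
    "validity-period": (1, 4095),  # days
}
PERCENT = "re-enroll-trigger-time-percentage"


def check_pki_commands(lines):
    """Check 'set ...' lines typed at [edit security pki].

    Returns (findings, values): problem strings, and numeric options that parsed.
    """
    findings, values = [], {}
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] != "set":
            continue
        for i, key in enumerate(tokens[:-1]):
            val = tokens[i + 1]
            if key in RANGES or key == PERCENT:
                # Assumption: percentage is bounded 0-100 (the page gives no range).
                lo, hi = RANGES.get(key, (0, 100))
                if val.isdecimal() and lo <= int(val) <= hi:
                    values[key] = int(val)
                else:
                    findings.append(f"{key} {val}: expected {lo}-{hi}")
            elif key == "url":
                if not val.startswith(("http://", "https://")):
                    findings.append(f"url {val}: not an http(s) URL")
                # A wrapped or pasted URL leaves its path as a separate token.
                if i + 2 < len(tokens) and tokens[i + 2].startswith("/"):
                    findings.append(f"url {val}: path split off by whitespace")
    return findings, values


def reenroll_lead_days(values):
    """Days before expiry when re-enrollment starts (assumes the certificate
    lifetime equals validity-period)."""
    return values["validity-period"] * values[PERCENT] / 100


# Constructed input: the page's two commands plus one out-of-range line.
SAMPLE = [
    "set ca-profile ca-profile-ipsec enrollment retry 10 retry-interval 60 "
    "url http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe",
    "set auto-re-enrollment certificate-id cert1 challenge-password #### "
    "re-enroll-trigger-time-percentage 10 validity-period 2015",
    "set ca-profile ca-profile-ipsec enrollment retry 500 retry-interval 60",
]
```

With the sample values from Table 41 (validity period 2015 days, trigger percentage 10), reenroll_lead_days returns 201.5, so re-enrollment would begin about 201 days before the certificate expires.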