
Generating and Enrolling a Local Digital Certificate

Each Services Router is initially enrolled manually with the CA and then obtains the router certificate for its identity. This certificate is sent to the remote peer router during the Internet Key Exchange (IKE) negotiation.

You can generate and enroll a local digital certificate in the CLI operational mode only. To generate and enroll a local digital certificate:

  1. Enter the CLI operational mode.
  2. Perform the tasks described in Table 44.
  3. Go on to Loading a Digital Certificate on a Services Router.

Table 44: Generating and Enrolling a Local Certificate

Task

CLI Operational Mode

Generate a local digital certificate.

The certificate has the following parameters:

  • Certificate ID—Unique ID used to identify all of the related key pairs, certificates, and PKCS-10 certificate request files—for example, local-verisign
  • CA profile—Name of the configured certificate authority profile—for example, ca-profile-ipsec
  • Subject—Common name (CN), department or organizational unit name (OU), company name (O), state (ST), and country (C) for the digital certificate
  • Domain name—Fully qualified domain name that identifies the certificate owner during IKE negotiations
  • Challenge password—Password used by the CA for certificate enrollment and revocation
  • IP address (Optional)—IP address if the Services Router has a static IP address
  • Validity start time and end time (Optional)—Period during which the certificate is valid

Enter

request security pki local-certificate enroll certificate-id local-verisign

Enter

request security pki local-certificate enroll ca-profile ca-profile-ipsec subject subject-distinguished-name domain-name domain-name challenge-password challenge-password ip-address ip-address validity-start-time start-time validity-end-time end-time
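As an added example that is not part of this Juniper page, a small Python pre-check for the enrollment parameters listed in Table 44: it parses the subject DN, confirms the attributes the table names are present, and checks the domain name, optional IP address and validity window before the command is typed on the router. The comma-separated DN form and the validity timestamp format are assumptions, not taken from the page.

```python
import re
from datetime import datetime

REQUIRED_DN = ("CN", "OU", "O", "ST", "C")  # subject attributes the table lists
FQDN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
IPV4_RE = re.compile(r"^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$")
TIME_FMT = "%Y-%m-%d.%H:%M:%S"  # assumed timestamp form, e.g. 2009-10-26.11:00:00


def parse_dn(subject):
    """Split 'CN=a, OU=b' into {'CN': 'a', 'OU': 'b'}; a backslash escapes a comma."""
    dn = {}
    for part in re.split(r"(?<!\\),", subject):
        key, sep, val = part.partition("=")
        if not sep or not key.strip():
            raise ValueError("malformed RDN: %r" % part.strip())
        dn[key.strip().upper()] = val.strip().replace("\\,", ",")
    return dn


def check_enroll_params(certificate_id, ca_profile, subject, domain_name,
                        challenge_password, ip_address=None,
                        validity_start_time=None, validity_end_time=None):
    """Return the list of problems found; an empty list means the values are usable."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", certificate_id or ""):
        problems.append("certificate-id must be a simple token such as local-verisign")
    try:
        dn = parse_dn(subject)
        missing = [a for a in REQUIRED_DN if a not in dn]
        if missing:
            problems.append("subject is missing " + ", ".join(missing))
    except ValueError as exc:
        problems.append(str(exc))
    if not FQDN_RE.match(domain_name or ""):
        problems.append("domain-name must be a fully qualified domain name")
    if not challenge_password:
        problems.append("challenge-password is required")
    if ip_address is not None and not IPV4_RE.match(ip_address):
        problems.append("ip-address is not a valid IPv4 address")
    if (validity_start_time is None) != (validity_end_time is None):
        problems.append("validity-start-time and validity-end-time go together")
    elif validity_start_time is not None:
        try:
            start = datetime.strptime(validity_start_time, TIME_FMT)
            end = datetime.strptime(validity_end_time, TIME_FMT)
            if end <= start:
                problems.append("validity-end-time must be after validity-start-time")
        except ValueError:
            problems.append("validity times must look like " + TIME_FMT)
    return problems
```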

