Digital Certificates Configuration Overview

Digital certificates authenticate your identity when establishing secure virtual private network (VPN) connections.

To use a digital certificate to authenticate your identity when establishing a secure VPN connection, you must first do the following:

You can obtain CA and local certificates manually, or online using the Simple Certificate Enrollment Protocol (SCEP). Certificates are verifiable and renewable, and you can delete them when they are no longer needed.

Enabling Digital Certificates Online: Configuration Overview

With the online method, the device requests digital certificates from the CA using SCEP. To obtain a certificate online:

  1. Generate a key pair in the device. See Example: Generating a Public-Private Key Pair (CLI).
  2. Create a CA profile containing information specific to a CA. You can have multiple CA profiles on the device. For example, you might have one profile for Microsoft and one for Entrust. See Example: Configuring a Certificate Authority Profile (CLI).
  3. Enroll the CA certificate onto the device. See Enrolling a CA Certificate Online (CLI Procedure).
  4. Obtain a local certificate (also known as a personal certificate) online from the CA whose CA certificate you have previously loaded. See Example: Enrolling a Local Certificate Online (CLI).
  5. Configure automatic reenrollment. See Example: Configuring SecurID User Authentication.
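The five online steps above, as one Junos CLI session (an added example for this overview, not taken from the referenced configuration examples). The certificate-id `ms-cert`, the CA profile name `ms-ca`, the CA identity, the SCEP and CRL URLs, the subject fields and the challenge password are assumed placeholders; `##` lines are explanatory and are not typed. Operational commands are shown at the `user@host>` prompt, configuration statements at the `user@host#` prompt:

```junos
## Step 1 - generate the key pair that the local certificate will bind to
user@host> request security pki generate-key-pair certificate-id ms-cert size 2048 type rsa

## Step 2 - CA profile with the SCEP enrollment endpoint and a CRL for revocation checks
user@host# set security pki ca-profile ms-ca ca-identity example-ca
user@host# set security pki ca-profile ms-ca enrollment url http://ca.example.net/certsrv/mscep/mscep.dll
user@host# set security pki ca-profile ms-ca enrollment retry 5
user@host# set security pki ca-profile ms-ca enrollment retry-interval 30
user@host# set security pki ca-profile ms-ca revocation-check crl url http://ca.example.net/crl/example-ca.crl
user@host# commit

## Step 3 - fetch the CA certificate over SCEP; the command prints the CA certificate's
## fingerprint and asks for confirmation, so compare it with the fingerprint obtained
## from the CA operator out of band before answering yes
user@host> request security pki ca-certificate enroll ca-profile ms-ca

## Step 4 - enroll the local (personal) certificate for this device's key pair;
## the one-time challenge password is issued by the CA
user@host> request security pki local-certificate enroll ca-profile ms-ca certificate-id ms-cert domain-name router1.example.net subject "CN=router1,OU=IT,O=Example,L=Sunnyvale,ST=CA,C=US" challenge-password <password-from-CA>

## Step 5 - re-enroll automatically when 90% of the certificate lifetime has elapsed,
## generating a fresh key pair each time so the old private key is not reused
user@host# set security pki auto-re-enrollment certificate-id ms-cert ca-profile-name ms-ca challenge-password <password-from-CA> re-enroll-trigger-time-percentage 90 re-generate-keypair
user@host# commit

## Confirm what is now installed (issuer, subject, validity dates, key usage)
user@host> show security pki ca-certificate ca-profile ms-ca detail
user@host> show security pki local-certificate certificate-id ms-cert detail
```

The fingerprint check in step 3 is the point at which trust is actually established: everything enrolled afterwards is only as trustworthy as the CA certificate accepted there, and SCEP itself gives no protection against a wrong CA certificate being served.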

Manually Generating Digital Certificates: Configuration Overview

To obtain digital certificates manually:

  1. Generate a key pair in the device. See Example: Generating a Public-Private Key Pair (CLI).
  2. Create a CA profile containing information specific to a CA. You can have multiple CA profiles on the device. For example, you might have one profile for Microsoft and one for Entrust. See Example: Configuring a Certificate Authority Profile (CLI).
  3. Generate a certificate request using the key pair, and manually copy that request and paste it into the appropriate field at the CA website to obtain a personal certificate (also known as a local certificate). See Example: Generating a Local Certificate Request Manually (CLI).
  4. Load the certificate onto the device. See Example: Loading CA and Local Certificates Manually (CLI).
  5. Configure automatic reenrollment. See Example: Configuring SecurID User Authentication.
  6. If necessary, load the certificate's CRL on the device. See Example: Manually Loading a CRL onto the Device (CLI).

Verifying the Validity of a Certificate: Configuration Overview

To verify the validity of a certificate manually, see Example: Verifying Certificate Validity (CLI).

Deleting a Certificate: Configuration Overview

To delete a certificate or a certificate revocation list (CRL), see Deleting Certificates (CLI Procedure) and Deleting a Loaded CRL (CLI Procedure).
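The manual procedure above, followed by the verification and deletion commands from the two preceding sections, as a single Junos CLI session (an added example; it is not one of the referenced configuration examples). The certificate-id `ms-cert`, CA profile `ms-ca`, file paths, the management host and the subject fields are assumed placeholders; `##` lines are explanatory:

```junos
## Steps 1-2 - key pair and CA profile (a CA profile is needed even for manual loading)
user@host> request security pki generate-key-pair certificate-id ms-cert size 2048 type rsa
user@host# set security pki ca-profile ms-ca ca-identity example-ca
user@host# commit

## Step 3 - write a PKCS#10 request for the key pair to a file, display it, and paste its
## contents into the CA's enrollment page
user@host> request security pki generate-certificate-request certificate-id ms-cert domain-name router1.example.net subject "CN=router1,OU=IT,O=Example,L=Sunnyvale,ST=CA,C=US" filename /var/tmp/ms-cert.csr
user@host> file show /var/tmp/ms-cert.csr

## Step 4 - copy the CA certificate and the issued local certificate (PEM) to the device,
## then load them; the CA certificate must be loaded before the local certificate
user@host> file copy admin@mgmt-host:/certs/ca.pem /var/tmp/ca.pem
user@host> file copy admin@mgmt-host:/certs/ms-cert.pem /var/tmp/ms-cert.pem
user@host> request security pki ca-certificate load ca-profile ms-ca filename /var/tmp/ca.pem
user@host> request security pki local-certificate load certificate-id ms-cert filename /var/tmp/ms-cert.pem

## Step 5 - automatic re-enrollment uses the same "set security pki auto-re-enrollment"
## statement regardless of how the first certificate was obtained

## Step 6 - load the CA's CRL manually when the device cannot fetch it from a URL
user@host> file copy admin@mgmt-host:/certs/example-ca.crl /var/tmp/example-ca.crl
user@host> request security pki crl load ca-profile ms-ca filename /var/tmp/example-ca.crl

## Verifying validity - checks the chain to the CA certificate, the validity dates and,
## with a CRL loaded, the revocation status
user@host> request security pki ca-certificate verify ca-profile ms-ca
user@host> request security pki local-certificate verify certificate-id ms-cert

## Deleting - remove the local certificate, the loaded CRL and the CA certificate
user@host> clear security pki local-certificate certificate-id ms-cert
user@host> clear security pki crl ca-profile ms-ca
user@host> clear security pki ca-certificate ca-profile ms-ca
```

Because the CA certificate arrives here as a file rather than over SCEP, its fingerprint should be compared against the value published by the CA before it is loaded; the verify commands afterwards confirm that the local certificate chains to that CA and has not expired or been revoked.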
