
Configuring Digital Certificates for Adaptive Services Interfaces

A digital certificate implementation uses the public key infrastructure (PKI), which requires that you generate a key pair consisting of a public key and a private key. The keys are created with a random number generator and are used to encrypt and decrypt data. In networks that do not use digital certificates, an IPsec-enabled device encrypts data with the private key and IPsec peers decrypt the data with the public key.

With digital certificates, the key sharing process requires an additional level of complexity. First, you and your IPsec peers request that a certificate authority (CA) send you a CA certificate that contains the public key of the CA. Next, you request that the CA enroll a local digital certificate for you that contains your public key and some additional information. When the CA processes your request, it signs your local certificate with the private key of the CA. Then you install the CA certificate and the local certificate in your router and load the CA certificate on the remote devices before you can establish IPsec tunnels with your peers.

Note: For digital certificates, the JUNOS Software supports VeriSign, Entrust, Cisco Systems, and Microsoft Windows CAs for the AS and MultiServices PICs.

To configure digital certificates for J Series Services Routers and for Adaptive Services (AS) and MultiServices PICs installed on M Series and T Series routers, include the following statements at the [edit security pki] hierarchy level:

[edit security]
pki {
    ca-profile ca-profile-name {
        ca-identity ca-identity;
        enrollment {
            url url-name;
            retry number-of-enrollment-attempts;
            retry-interval seconds;
        }
        revocation-check {
            disable;
            crl {
                disable on-download-failure;
                refresh-interval number-of-hours;
                url {
                    url-name;
                    password;
                }
            }
        }
    }
}

The following tasks enable you to implement digital certificates on J Series Services Routers and AS and MultiServices PICs installed on M Series and T Series routers:

  1. Configuring the Certificate Authority Properties
  2. Configuring the Certificate Revocation List
  3. Managing Digital Certificates
  4. Configuring the Auto-Reenrollment Properties for Automatic Renewal of the Router Certificate from the CA

Configuring the Certificate Authority Properties

A CA is a trusted third-party organization that creates, enrolls, validates, and revokes digital certificates.

To configure a certificate authority and its properties for the AS and MultiServices PICs, include the following statements at the [edit security pki] hierarchy level:

[edit security pki]
ca-profile ca-profile-name {
    ca-identity ca-identity;
    enrollment {
        url url-name;
        retry number-of-attempts;
        retry-interval seconds;
    }
}

Tasks for configuring the Certificate Authority properties are:

  1. Specifying the CA Profile Name
  2. Specifying an Enrollment URL
  3. Specifying the Enrollment Properties

Specifying the CA Profile Name

The CA profile contains the name and URL of the CA or registration authority (RA), as well as some retry-timer settings. CA certificates issued by Entrust, VeriSign, Cisco Systems, and Microsoft are compatible with the J Series Services Routers and with AS and MultiServices PICs installed in M Series and T Series routers.

To specify the CA profile name, include the ca-profile statement at the [edit security pki] hierarchy level:

[edit security pki]
ca-profile ca-profile-name;

You also need to specify the name of the CA identity used in the certificate request. This name is typically the domain name. To specify the name of the CA identity, include the ca-identity statement at the [edit security pki ca-profile ca-profile-name] level:

[edit security pki ca-profile ca-profile-name]
ca-identity ca-identity;

Specifying an Enrollment URL

You specify the CA location to which your router sends its SCEP-based certificate enrollment requests. To specify the CA location by naming the CA URL, include the url statement at the [edit security pki ca-profile ca-profile-name enrollment] hierarchy level:

[edit security pki ca-profile ca-profile-name enrollment]
url url-name;

url-name is the CA location. The format is http://CA_name, where CA_name is the CA host DNS name or IP address.

Specifying the Enrollment Properties

You can specify the number of times a router will resend a certificate request and the amount of time, in seconds, the router should wait between enrollment attempts.

By default, the number of enrollment retries is 0, which means an unlimited number of retries. To specify how many times a router resends a certificate request, include the retry number-of-attempts statement at the [edit security pki ca-profile ca-profile-name enrollment] hierarchy level:

[edit security pki ca-profile ca-profile-name enrollment]
retry number-of-attempts;

The range for number-of-attempts is from 0 through 100.

To specify the amount of time, in seconds, that a router waits between enrollment attempts, include the retry-interval seconds statement at the [edit security pki ca-profile ca-profile-name enrollment] hierarchy level:

[edit security pki ca-profile ca-profile-name enrollment]
retry-interval seconds;

The range for seconds is from 0 through 3600.

Configuring the Certificate Revocation List

Tasks to configure the certificate revocation list are:

  1. Specifying an LDAP URL
  2. Configuring the Interval Between CRL Updates
  3. Overriding Certificate Verification if CRL Download Fails

Specifying an LDAP URL

You can specify the URL for the Lightweight Directory Access Protocol (LDAP) server where your CA stores its current CRL. If the CA includes the Certificate Distribution Point (CDP) in the digital certificate, you do not need to specify a URL for the LDAP server. The CDP is a field within the certificate that contains information about how to retrieve the CRL for the certificate. The router uses this information to download the CRL automatically.

Configure an LDAP URL if you want to use a different CDP from the one specified in the certificate. Any LDAP URL you configure takes precedence over the CDP included in the certificate.

You can configure up to three URLs for each CA profile.

If the LDAP server requires a password to access the CRL, you need to include the password statement.

To configure the router to retrieve the CRL from the LDAP server, include the url statement and specify the URL name at the [edit security pki ca-profile ca-profile-name revocation-check crl] hierarchy level:

[edit security pki ca-profile ca-profile-name revocation-check crl]
url {
    url-name;
}

url-name is the certificate authority LDAP server name. The format is ldap://server-name, where server-name is the CA host DNS name or IP address.

To use a password to access the CRL, include the password statement at the [edit security pki ca-profile ca-profile-name revocation-check crl url] hierarchy level:

[edit security pki ca-profile ca-profile-name revocation-check crl url]
password password;

password is the secret password that the LDAP server requires for access.

Configuring the Interval Between CRL Updates

By default, the time interval between CRL updates is 24 hours. To configure the amount of time between CRL updates, include the refresh-interval statement at the [edit security pki ca-profile ca-profile-name revocation-check crl] hierarchy level:

[edit security pki ca-profile ca-profile-name revocation-check crl]
refresh-interval number-of-hours;

The range for number-of-hours is from 0 through 8784.

Overriding Certificate Verification if CRL Download Fails

By default, if the router either cannot access the LDAP URL or cannot retrieve a valid certificate revocation list, certificate verification fails and the IPsec tunnel is not established. To override this behavior and permit authentication of the IPsec peer when the CRL cannot be downloaded, include the disable on-download-failure statement at the [edit security pki ca-profile ca-profile-name revocation-check crl] hierarchy level:

[edit security pki ca-profile ca-profile-name revocation-check crl]
disable on-download-failure;
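The following Python model, added here as an illustration and not part of the Juniper documentation or the JUNOS implementation, shows how the three CRL settings above interact: configured LDAP URLs (at most three) take precedence over the certificate's CDP, the default behavior fails closed when no CRL can be downloaded, and disable on-download-failure turns that into a fail-open acceptance. The URLs, serial numbers, and the in-memory fetcher are constructed sample data.

```python
"""Model of the revocation-check crl behaviour described on this page.
Constructed example; the real logic lives inside JUNOS and is not shown here."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

MAX_CRL_URLS = 3  # the page: up to three URLs for each CA profile


@dataclass
class CrlConfig:
    """Knobs under [edit security pki ca-profile <name> revocation-check crl]."""
    urls: List[str] = field(default_factory=list)  # configured LDAP URLs
    disable_on_download_failure: bool = False      # 'disable on-download-failure'
    refresh_interval_hours: int = 24               # page default: 24 hours

    def __post_init__(self) -> None:
        if len(self.urls) > MAX_CRL_URLS:
            raise ValueError(f"at most {MAX_CRL_URLS} CRL URLs per CA profile")
        if not 0 <= self.refresh_interval_hours <= 8784:
            raise ValueError("refresh-interval must be 0 through 8784 hours")
        for url in self.urls:
            if not url.startswith("ldap://"):
                raise ValueError("CRL url must be of the form ldap://server-name")


def crl_sources(config: CrlConfig, cert_cdp: Optional[str]) -> List[str]:
    """Configured URLs override the certificate's CDP; the CDP is consulted
    only when no URL is configured."""
    if config.urls:
        return list(config.urls)
    return [cert_cdp] if cert_cdp else []


Fetcher = Callable[[str], Set[str]]


def make_fetcher(table: Dict[str, Set[str]]) -> Fetcher:
    """Constructed stand-in for an LDAP download: known URLs return the set of
    revoked serials, unknown URLs raise as an unreachable server would."""
    def fetch(url: str) -> Set[str]:
        if url not in table:
            raise IOError(f"cannot reach {url}")
        return table[url]
    return fetch


def verify_peer(config: CrlConfig, cert_cdp: Optional[str],
                peer_serial: str, fetch: Fetcher) -> Tuple[bool, str]:
    """Decide whether the peer certificate passes the revocation check."""
    revoked: Optional[Set[str]] = None
    for url in crl_sources(config, cert_cdp):
        try:
            revoked = fetch(url)
            break                      # first reachable source wins
        except IOError:
            continue                   # try the next configured URL
    if revoked is None:
        if config.disable_on_download_failure:
            return True, "no CRL available; accepted (fail-open override)"
        return False, "no CRL available; rejected (default fail-closed)"
    if peer_serial in revoked:
        return False, "peer certificate is on the CRL"
    return True, "peer certificate not on the CRL"


# Constructed sample CRLs keyed by the URL they would be fetched from.
SAMPLE_CRLS: Dict[str, Set[str]] = {
    "ldap://cdp.example.net": {"0x1a"},
    "ldap://crl1.example.net": {"0x2b"},
}

if __name__ == "__main__":
    fetch = make_fetcher(SAMPLE_CRLS)
    for cfg in (CrlConfig(), CrlConfig(urls=["ldap://down.example.net"]),
                CrlConfig(urls=["ldap://down.example.net"],
                          disable_on_download_failure=True)):
        print(verify_peer(cfg, "ldap://cdp.example.net", "0x33", fetch))
```

Running the module prints the three outcomes for the same peer: accepted via the CDP when nothing is configured, rejected when the only configured URL is unreachable (the CDP is not used as a fallback), and accepted when the fail-open override is set. The last case is the one to watch in practice, because a CRL outage then silently stops revocation from being enforced.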

Managing Digital Certificates

After you configure the CA profile, you can request a CA certificate from the trusted CA. Next, you must generate a public/private key pair. When the key pair is available, you can generate a local certificate either online or manually.

Tasks to manage digital certificates are:

  1. Requesting a CA Digital Certificate for AS and MultiServices PICs installed on M Series and T Series Routers
  2. Generating a Public/Private Key Pair
  3. Generating and Enrolling a Local Digital Certificate

Requesting a CA Digital Certificate for AS and MultiServices PICs installed on M Series and T Series Routers

For J Series Services Routers and AS and MultiServices PICs installed on M Series and T Series routers, issue the following command to obtain a digital certificate from a CA. Specify a configured ca-profile-name to request a CA certificate from the trusted CA.

user@host> request security pki ca-certificate enroll ca-profile ca-profile-name

For information about how to configure a CA profile, see Configuring the Certificate Authority Properties.

In this example, the certificate is enrolled online and installed into the router automatically.

user@host> request security pki ca-certificate enroll ca-profile entrust
Received following certificates:
Certificate: C=us, O=juniper
 Fingerprint:00:8e:6f:58:dd:68:bf:25:0a:e3:f9:17:70:d6:61:f3:53:a7:79:10
Certificate: C=us, O=juniper, CN=First Officer
 Fingerprint:bc:78:87:9b:a7:91:13:20:71:db:ac:b5:56:71:42:ad:1a:b6:46:17
Certificate: C=us, O=juniper, CN=First Officer
 Fingerprint:46:71:15:34:f0:a6:41:76:65:81:33:4f:68:47:c4:df:78:b8:e3:3f
Do you want to load the above CA certificate ? [yes,no] (no) yes

Note: If you obtain the CA certificate directly from the CA (for example, as an e-mail attachment or Web site download), you can install it with the request security pki ca-certificate load command. For more information, see the JUNOS System Basics and Services Command Reference.

Generating a Public/Private Key Pair

After obtaining a CA certificate for an AS PIC or MultiServices PIC, you must generate a public/private key pair before you can generate a local certificate. The public key is included in the local digital certificate, and the private key is used to decrypt data received from peers. To generate a public/private key pair, issue the request security pki generate-key-pair certificate-id certificate-id-name command.

The following example shows how to generate a public/private key pair for an AS PIC or MultiServices PIC:

user@host> request security pki generate-key-pair certificate-id local-entrust2
Generated key pair local-entrust2, key size 1024 bits

Generating and Enrolling a Local Digital Certificate

You can generate and enroll local digital certificates either online or manually. To generate and enroll a local certificate online by using the Simple Certificate Enrollment Protocol (SCEP) for an AS PIC or MultiServices PIC, issue the request security pki local-certificate enroll command. To generate a local certificate request manually in the PKCS-10 format, issue the request security pki generate-certificate-request command.

If you create the local certificate request manually, you must also load the certificate manually. To manually install a certificate in your router, issue the request security pki local-certificate load command.

The following example shows how to generate a local certificate request manually and send it to the CA for processing:

user@host> request security pki generate-certificate-request certificate-id local-entrust2 domain-name router2.juniper.net filename entrust-req2 subject cn=router2.juniper.net
Generated certificate request
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
Fingerprint:
0d:90:b8:d2:56:74:fc:84:59:62:b9:78:71:9c:e4:9c:54:ba:16:97 (sha1)
1b:08:d4:f7:90:f1:c4:39:08:c9:de:76:00:86:62:b8 (md5)

The trusted CA digitally signs the local certificate and returns it to you. Copy the certificate file into the router and load the certificate:

user@host> request security pki local-certificate load filename /tmp/router2-cert certificate-id local-entrust2
Local certificate local-entrust2 loaded successfully

Note: The name of the file sent to you by the CA might not match the name of the certificate identifier. However, the certificate-id name must always match the name of the key pair you generated for the router.

After the local and CA certificates have been loaded, you can reference them in your IPsec configuration. Using default values in the AS and MultiServices PICs, you do not need to configure an IPsec proposal or an IPsec policy. However, you must configure an IKE proposal that specifies the use of digital certificates, reference the IKE proposal and locate the certificate in an IKE policy, and apply the CA profile to the service set.

Configuring the Auto-Reenrollment Properties for Automatic Renewal of the Router Certificate from the CA

Use the auto-re-enrollment statement to configure automatic reenrollment of a specified existing router certificate before its expiration date. The reenrollment process requests that the certificate authority (CA) issue a new router certificate with a new expiration date. The date of auto-reenrollment is determined by the following parameters:

  • re-enroll-trigger-time—The percentage of the validity period, measured from the router certificate start date/time (when the certificate was generated), that specifies how long before expiration auto-reenrollment is initiated.
  • validity-period—The number of days after issuance when the router certificate will expire, as set when a certificate is generated.

Note: By default, this feature is not enabled unless configured explicitly. This means that a certificate that does not have auto-reenrollment configured will expire on its normal expiration date.

The ca-profile statement specifies which CA will be contacted to reenroll the expiring certificate. This is the CA that issued the original router certificate.

The challenge-password statement provides the issuing CA with the router certificate’s password, as set by the administrator and normally obtained from the SCEP enrollment Web page of the CA. The password is 16 characters in length.

Optionally, the router certificate key pair can be regenerated by using the re-generate-keypair statement.

To configure the auto-re-enrollment statement and its properties, include the following statements at the [edit security pki] hierarchy level:

[edit security pki]
auto-re-enrollment {
    certificate-id certificate-name {
        ca-profile ca-profile-name;
        challenge-password password;
        re-enroll-trigger-time percentage;
        re-generate-keypair;
        validity-period days;
    }
}

percentage is the percentage for the reenroll trigger time. The range can be from 1 through 99 percent.

days is the number of days for the validity period. The range can be from 1 through 4095.
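The arithmetic behind the two parameters is short enough to show. The Python below is an added example, not JUNOS code or Juniper documentation; it reads re-enroll-trigger-time as the share of the validity period that must still remain when reenrollment starts (an interpretation of the wording above), enforces the two ranges, and computes the expiry and the reenrollment date for a certificate generated on a constructed sample date.

```python
"""Compute when auto-re-enrollment fires from validity-period and
re-enroll-trigger-time. Constructed example; the percentage semantics are an
interpretation of the page's description, not a quote of JUNOS behaviour."""
from datetime import datetime, timedelta
from typing import Tuple

# Constructed sample: the certificate was generated on the page's publication date.
SAMPLE_START = datetime(2010, 4, 26)


def validate_reenrollment_params(trigger_percent: int, validity_days: int) -> None:
    """The page's ranges: 1 through 99 percent, 1 through 4095 days."""
    if not 1 <= trigger_percent <= 99:
        raise ValueError("re-enroll-trigger-time must be 1 through 99 percent")
    if not 1 <= validity_days <= 4095:
        raise ValueError("validity-period must be 1 through 4095 days")


def reenrollment_window(start: datetime, validity_days: int,
                        trigger_percent: int) -> Tuple[datetime, datetime]:
    """Return (expiry, reenroll_at) for a certificate generated at `start`.

    reenroll_at is the point at which trigger_percent of the validity period
    is still left, i.e. reenrollment begins that far ahead of expiry."""
    validate_reenrollment_params(trigger_percent, validity_days)
    validity = timedelta(days=validity_days)
    expiry = start + validity
    reenroll_at = expiry - validity * trigger_percent / 100
    return expiry, reenroll_at


def should_reenroll(now: datetime, start: datetime, validity_days: int,
                    trigger_percent: int) -> bool:
    """True once the trigger point is reached and the certificate has not expired."""
    expiry, reenroll_at = reenrollment_window(start, validity_days, trigger_percent)
    return reenroll_at <= now < expiry


if __name__ == "__main__":
    expiry, at = reenrollment_window(SAMPLE_START, 365, 10)
    print(f"expires {expiry:%Y-%m-%d %H:%M}, reenrolls from {at:%Y-%m-%d %H:%M}")
```

With a 365-day validity period and a trigger of 10 percent, reenrollment begins 36.5 days (876 hours) before expiry. Picking a trigger that leaves room for the retry and retry-interval settings of the CA profile is what keeps an unreachable CA from turning into an expired certificate.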

Tasks to configure automatic reenrollment of certificates are:

  1. Specify the Certificate ID
  2. Specify the CA Profile
  3. Specify the Challenge Password
  4. Specify the Reenroll Trigger Time
  5. Specify the Regenerate Key Pair
  6. Specify the Validity Period

Specify the Certificate ID

Use the certificate-id statement to specify the name of the router certificate to configure for auto-reenrollment. To specify the certificate ID, include the statement at the [edit security pki auto-re-enrollment] hierarchy level:

[edit security pki auto-re-enrollment]
certificate-id certificate-name;

Specify the CA Profile

Use the ca-profile statement to specify the name of the CA profile that issued the router certificate previously specified by certificate ID. To specify the CA profile, include the statement at the [edit security pki auto-re-enrollment certificate-id certificate-name] hierarchy level:

[edit security pki auto-re-enrollment certificate-id certificate-name]
ca-profile ca-profile-name;

Note: The referenced ca-profile must have an enrollment URL configured at the [edit security pki ca-profile ca-profile-name enrollment url] hierarchy level.

Specify the Challenge Password

The challenge password is used by the CA specified by the PKI certificate ID for reenrollment and revocation. To specify the challenge password, include the following statement at the [edit security pki auto-re-enrollment certificate-id certificate-name] hierarchy level:

[edit security pki auto-re-enrollment certificate-id certificate-name]
challenge-password password;

Specify the Reenroll Trigger Time

Use the re-enroll-trigger-time statement to set the percentage of the validity period before expiration at which reenrollment occurs. To specify the reenroll trigger time, include the following statement at the [edit security pki auto-re-enrollment certificate-id certificate-name] hierarchy level:

[edit security pki auto-re-enrollment certificate-id certificate-name]
re-enroll-trigger-time percentage;

percentage is the percentage for the reenroll trigger time. The range can be from 1 through 99 percent.

Specify the Regenerate Key Pair

When re-generate-keypair is configured, a new key pair is generated during reenrollment. On successful reenrollment, the new key pair and new certificate replace the old certificate and key pair. To generate a new key pair at reenrollment, include the following statement at the [edit security pki auto-re-enrollment certificate-id certificate-name] hierarchy level:

[edit security pki auto-re-enrollment certificate-id certificate-name]
re-generate-keypair;

Specify the Validity Period

The validity-period statement specifies the number of days that the specified router certificate remains valid. To specify the validity period, include the statement at the [edit security pki auto-re-enrollment certificate-id certificate-name] hierarchy level:

[edit security pki auto-re-enrollment certificate-id certificate-name]
validity-period days;

days is the number of days for the validity period. The range can be from 1 through 4095.
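The statements on this page are introduced one at a time; the Python below, an added example that is neither Juniper tooling nor configuration taken from the documentation, assembles them into one [edit security pki] stanza and enforces the ranges and formats the page states (retry 0 through 100, retry-interval 0 through 3600, refresh-interval 0 through 8784, at most three ldap:// CRL URLs, an http:// enrollment URL, a 16-character challenge password, trigger 1 through 99 percent, validity 1 through 4095 days). The sample names reuse the page's entrust and local-entrust2 examples; the hostnames, password and the layout of several url blocks are constructed assumptions.

```python
"""Render the [edit security pki] configuration from validated parameters.
Constructed example, not Juniper's own tooling."""
from dataclasses import dataclass, field
from typing import List, Optional


def _check_range(name: str, value: int, lo: int, hi: int) -> None:
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be {lo} through {hi}, got {value}")


@dataclass
class CrlUrl:
    url: str                        # ldap://server-name
    password: Optional[str] = None  # only if the LDAP server requires one


@dataclass
class CaProfile:
    name: str
    ca_identity: str
    enrollment_url: str             # http://CA_name
    retry: int = 0                  # 0 = unlimited retries (page default)
    retry_interval: int = 0         # seconds between enrollment attempts
    crl_urls: List[CrlUrl] = field(default_factory=list)
    crl_refresh_hours: int = 24     # page default
    disable_on_download_failure: bool = False  # fail-open override

    def validate(self) -> None:
        if not self.enrollment_url.startswith("http://"):
            raise ValueError("enrollment url must be of the form http://CA_name")
        _check_range("retry", self.retry, 0, 100)
        _check_range("retry-interval", self.retry_interval, 0, 3600)
        if len(self.crl_urls) > 3:
            raise ValueError("at most three CRL URLs per CA profile")
        for u in self.crl_urls:
            if not u.url.startswith("ldap://"):
                raise ValueError("CRL url must be of the form ldap://server-name")
        _check_range("refresh-interval", self.crl_refresh_hours, 0, 8784)


@dataclass
class AutoReenrollment:
    certificate_id: str
    ca_profile: str                 # must be the CA that issued the certificate
    challenge_password: str         # 16 characters, from the CA's SCEP page
    trigger_percent: int            # re-enroll-trigger-time
    validity_days: int              # validity-period
    regenerate_keypair: bool = False

    def validate(self) -> None:
        if len(self.challenge_password) != 16:
            raise ValueError("challenge-password must be 16 characters")
        _check_range("re-enroll-trigger-time", self.trigger_percent, 1, 99)
        _check_range("validity-period", self.validity_days, 1, 4095)


def render_pki(profile: CaProfile, auto: Optional[AutoReenrollment] = None) -> str:
    """Return the stanza as curly-brace text, four spaces per level."""
    profile.validate()
    if auto is not None:
        auto.validate()
        if auto.ca_profile != profile.name:
            raise ValueError("auto-re-enrollment must reference the issuing CA profile")
    out: List[str] = []
    def line(depth: int, text: str) -> None:
        out.append("    " * depth + text)
    line(0, "security {"); line(1, "pki {")
    line(2, f"ca-profile {profile.name} {{")
    line(3, f"ca-identity {profile.ca_identity};")
    line(3, "enrollment {")
    line(4, f"url {profile.enrollment_url};")
    line(4, f"retry {profile.retry};")
    line(4, f"retry-interval {profile.retry_interval};")
    line(3, "}"); line(3, "revocation-check {"); line(4, "crl {")
    if profile.disable_on_download_failure:
        line(5, "disable on-download-failure;")
    line(5, f"refresh-interval {profile.crl_refresh_hours};")
    for u in profile.crl_urls:      # one url block per URL (assumed layout)
        line(5, "url {"); line(6, f"{u.url};")
        if u.password:
            line(6, f"password {u.password};")
        line(5, "}")
    line(4, "}"); line(3, "}"); line(2, "}")
    if auto is not None:
        line(2, "auto-re-enrollment {")
        line(3, f"certificate-id {auto.certificate_id} {{")
        line(4, f"ca-profile {auto.ca_profile};")
        line(4, f"challenge-password {auto.challenge_password};")
        line(4, f"re-enroll-trigger-time {auto.trigger_percent};")
        if auto.regenerate_keypair:
            line(4, "re-generate-keypair;")
        line(4, f"validity-period {auto.validity_days};")
        line(3, "}"); line(2, "}")
    line(1, "}"); line(0, "}")
    return "\n".join(out) + "\n"


# Constructed sample values built around the page's example names.
SAMPLE_PROFILE = CaProfile(
    name="entrust", ca_identity="juniper.net",
    enrollment_url="http://ca.example.net", retry=10, retry_interval=30,
    crl_urls=[CrlUrl("ldap://crl.example.net")], crl_refresh_hours=12)
SAMPLE_AUTO = AutoReenrollment(
    certificate_id="local-entrust2", ca_profile="entrust",
    challenge_password="0123456789abcdef", trigger_percent=10,
    validity_days=365, regenerate_keypair=True)

if __name__ == "__main__":
    print(render_pki(SAMPLE_PROFILE, SAMPLE_AUTO))
```

The sample deliberately leaves disable on-download-failure unset and gives the CA profile a finite retry count, so a failed CRL download still blocks the tunnel and a failed enrollment does not retry forever without anyone noticing.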


Published: 2010-04-26
