digital-signature-scheme

Syntax

Hierarchy Level

Description

Specifies the RSA signature scheme used for Internet Key Exchange Version 2 (IKEv2) authentication when the local certificate is RSA, in line with RFC 7427, Signature Authentication in the Internet Key Exchange Version 2 (IKEv2). The following points describe the configuration requirements for the signature scheme.

  • You can configure digital-signature-scheme only when the authentication-method in the IKE proposal is set to digital-signature and the local-certificate configured in the IKE policy is an RSA certificate.

  • If the authentication method is not digital-signature, the commit fails.

  • If the IKE policy uses a non-RSA local certificate, the configuration commits successfully; however, the digital-signature-scheme setting has no effect because IKE cannot apply RSA-specific signature schemes to non-RSA certificates. Ensure that the authentication method in the proposal and the certificate type in the policy match your intended RSA signature scheme (RSA-PSS or RSA PKCS1 v1.5). Otherwise, the configured scheme either fails validation at commit or remains unused.

  • To view the RSA signature scheme used in the IKEv2 handshake, use the show security ike sa detail command.

  • Before digital-signature-scheme was introduced, RSA authentication always used PKCS1 v1.5 signatures.

Options

rsassa-pkcs1-v1-5

RSA signature with PKCS1 v1.5 encoding; used only when the local certificate is of type RSA.

rsassa-pss

(Default) RSA signature with PSS encoding; used only when the local certificate is of type RSA. RSA-PSS supports the SHA-256, SHA-384, and SHA-512 signature hash algorithms in the IKE proposal. The scheme does not support MD5, SHA-1, or SHA-224.
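The following Python example is added here to illustrate the two passages above (the commit-time requirements and the per-option hash restrictions); it is not Junos OS code and does not come from Juniper. RFC 7427 carries the signature scheme inside the IKEv2 AUTH payload as a one-octet length followed by a DER AlgorithmIdentifier and the signature value, so the example builds and parses that structure to recover which RSA scheme (RSASSA-PSS or RSASSA-PKCS1-v1_5) and which hash the peer used, then applies the rules this page states. The OIDs are the standard PKCS #1 and NIST hash OIDs; the signature bytes are a constructed placeholder, not a real signature, and the function names are the example's own.

```python
"""RFC 7427 signature AUTH data: build, parse, and check against this page's rules.
Added example (not Junos OS code); OIDs are from PKCS #1 / RFC 4055, everything else is illustrative."""

PKCS1 = "1.2.840.113549.1.1"          # pkcs-1 arc
OID_RSASSA_PSS = PKCS1 + ".10"
OID_MGF1 = PKCS1 + ".8"
PKCS1_V15_BY_OID = {                   # "<hash>WithRSAEncryption" OIDs
    PKCS1 + ".4": "md5", PKCS1 + ".5": "sha1", PKCS1 + ".11": "sha256",
    PKCS1 + ".12": "sha384", PKCS1 + ".13": "sha512", PKCS1 + ".14": "sha224",
}
HASH_BY_OID = {                        # bare hash OIDs used inside RSASSA-PSS-params
    "1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384", "2.16.840.1.101.3.4.2.3": "sha512",
    "2.16.840.1.101.3.4.2.4": "sha224",
}
PSS_SUPPORTED_HASHES = {"sha256", "sha384", "sha512"}   # from this page


def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                 # base-128, high bit set on all but last octet
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, body, position after this TLV) for the DER element at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def algid_pkcs1_v15(hash_name):
    oid = {v: k for k, v in PKCS1_V15_BY_OID.items()}[hash_name]
    return der(0x30, encode_oid(oid) + b"\x05\x00")          # AlgorithmIdentifier with NULL params


def algid_pss(hash_name, salt_len):
    h = der(0x30, encode_oid({v: k for k, v in HASH_BY_OID.items()}[hash_name]) + b"\x05\x00")
    params = (der(0xA0, h)                                           # [0] hashAlgorithm
              + der(0xA1, der(0x30, encode_oid(OID_MGF1) + h))       # [1] maskGenAlgorithm (MGF1 with same hash)
              + der(0xA2, der(0x02, bytes([salt_len]))))             # [2] saltLength
    return der(0x30, encode_oid(OID_RSASSA_PSS) + der(0x30, params))


def build_rfc7427_auth_data(algid, signature):
    """RFC 7427 section 3: one-octet ASN.1 length, AlgorithmIdentifier, signature value."""
    return bytes([len(algid)]) + algid + signature


def parse_rfc7427_auth_data(data):
    """Return (scheme, hash, signature) using this page's option names for the scheme."""
    n = data[0]
    algid, sig = data[1:1 + n], data[1 + n:]
    _, seq, _ = read_tlv(algid, 0)
    _, oid_body, pos = read_tlv(seq, 0)
    oid = decode_oid(oid_body)
    if oid in PKCS1_V15_BY_OID:
        return "rsassa-pkcs1-v1-5", PKCS1_V15_BY_OID[oid], sig
    if oid == OID_RSASSA_PSS:
        _, params, _ = read_tlv(seq, pos)
        tag, hash_alg, _ = read_tlv(params, 0)
        if tag != 0xA0:                # hashAlgorithm absent: RFC 4055 default is SHA-1
            return "rsassa-pss", "sha1", sig
        _, hseq, _ = read_tlv(hash_alg, 0)
        _, hoid, _ = read_tlv(hseq, 0)
        return "rsassa-pss", HASH_BY_OID.get(decode_oid(hoid), "unknown"), sig
    return "unknown", "unknown", sig


def pss_hash_supported(hash_name):
    """rsassa-pss accepts only SHA-256/384/512 per this page; MD5, SHA-1 and SHA-224 are rejected."""
    return hash_name in PSS_SUPPORTED_HASHES


def validate_commit(auth_method, local_cert_type):
    """Outcome of committing digital-signature-scheme, as described in the requirements above."""
    if auth_method != "digital-signature":
        return "commit-fails"
    if local_cert_type != "rsa":
        return "commits-but-no-effect"
    return "commits-and-applies"


if __name__ == "__main__":
    fake_sig = b"\x00" * 256           # constructed placeholder, not a real RSA signature
    data = build_rfc7427_auth_data(algid_pss("sha256", 32), fake_sig)
    scheme, h, _ = parse_rfc7427_auth_data(data)
    print(scheme, h, "supported" if pss_hash_supported(h) else "rejected")
```

The parser walks only the fields needed to classify the scheme; a real IKEv2 implementation would go on to verify the signature value with the peer's certificate and the negotiated hash. The default-to-SHA-1 branch matters because an RSASSA-PSS AlgorithmIdentifier with absent parameters means SHA-1, which this page lists as unsupported for rsassa-pss.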

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 26.2R1.