digital-signature-scheme
Syntax
digital-signature-scheme (rsassa-pkcs1-v1-5 | rsassa-pss);
Hierarchy Level
[edit logical-systems name security ike proposal], [edit logical-systems name tenants name security ike proposal], [edit security ike proposal], [edit tenants name security ike proposal]
Description
Specifies the RSA signature scheme used for Internet Key Exchange version 2 (IKEv2) authentication when the local certificate is RSA, to align with RFC 7427, Signature Authentication in the Internet Key Exchange Version 2 (IKEv2). The following points describe the configuration requirements for the signature scheme.
- You can configure digital-signature-scheme only when the authentication-method in the IKE proposal is set to digital-signature and the local-certificate configured in the IKE policy is an RSA certificate.
- If the authentication method is not digital-signature, the commit fails.
- If the IKE policy uses a non-RSA local certificate, the configuration commits successfully; however, the digital-signature-scheme setting has no effect because IKE cannot apply RSA-specific signature schemes to non-RSA certificates. Ensure that the authentication method in the proposal and the certificate type in the policy match your intended RSA signature scheme (RSA-PSS or RSA-PKCS1 v1.5). Otherwise, the configured scheme either fails validation or remains unused.
- To view the RSA signature scheme used in the IKEv2 handshake, use the command show security ike sa detail.
- Before the introduction of digital-signature-scheme, RSA authentication always used the PKCS1 v1.5 signature by default.
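
A pre-commit check for the requirements listed above, as an added example that is not Juniper code: it scans set-format configuration for a scheme that would fail the commit and for a scheme that would commit but stay unused. The object names, the sample configuration, and the certificate key-type map (supplied by the operator, because the configuration does not state the key type) are assumptions.

```python
import re

# Constructed sample in Junos "set" format; all object names are made up.
SAMPLE_CONFIG = """\
set security ike proposal P-OK authentication-method digital-signature
set security ike proposal P-OK digital-signature-scheme rsassa-pss
set security ike proposal P-BAD authentication-method pre-shared-keys
set security ike proposal P-BAD digital-signature-scheme rsassa-pkcs1-v1-5
set security ike proposal P-EC authentication-method digital-signature
set security ike proposal P-EC digital-signature-scheme rsassa-pss
set security ike policy POL-OK proposals P-OK
set security ike policy POL-OK certificate local-certificate rsa-cert
set security ike policy POL-EC proposals P-EC
set security ike policy POL-EC certificate local-certificate ec-cert
"""
# Assumption: the operator supplies each local certificate's key type.
CERT_KEY_TYPES = {"rsa-cert": "rsa", "ec-cert": "ecdsa"}
SET_RE = re.compile(r"^set security ike (proposal|policy) (\S+) (.+)$")


def audit(config, cert_key_types):
    """Return sorted (object name, finding) pairs for the rules on this page."""
    objs = {"proposal": {}, "policy": {}}
    for line in config.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            kind, name, rest = m.groups()
            key, _, value = rest.rpartition(" ")  # last token is the value
            objs[kind].setdefault(name, {}).setdefault(key, []).append(value)
    findings = []
    for name, prop in objs["proposal"].items():
        # Rule: the scheme requires authentication-method digital-signature.
        if ("digital-signature-scheme" in prop and
                prop.get("authentication-method", [""])[-1] != "digital-signature"):
            findings.append((name, "commit-fails"))
    for name, pol in objs["policy"].items():
        cert = pol.get("certificate local-certificate", [""])[-1]
        for ref in pol.get("proposals", []):
            scheme = objs["proposal"].get(ref, {}).get("digital-signature-scheme")
            if not scheme:
                continue
            # Rule: with a non-RSA local certificate the scheme is silently unused.
            rsa = cert_key_types.get(cert) == "rsa"
            findings.append((name, "uses " + scheme[-1] if rsa else "scheme-has-no-effect"))
    return sorted(findings)


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, CERT_KEY_TYPES))
```

A certificate missing from the key-type map is reported as scheme-has-no-effect, so an incomplete inventory surfaces as a finding rather than passing silently.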
Options
| Option | Description |
| --- | --- |
| rsassa-pkcs1-v1-5 | RSA signature with PKCS1 v1.5 encoding, used only when the local certificate is of type RSA. |
| rsassa-pss | (Default) RSA signature with PSS encoding, used only when the local certificate is of type RSA. RSA-PSS supports the SHA-256, SHA-384, and SHA-512 signature hash algorithms in the IKE proposal. The scheme doesn't support MD5, SHA-1, and SHA-224. |
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 26.2R1.