certificate
Syntax
certificate {
    local-certificate certificate-id;
    peer-certificate-type (pkcs7 | x509-signature);
    policy-oids oid;
    trusted-ca {
        ca-profile ca-profile-name;
        trusted-ca-group trusted-ca-group-name;
    }
}
Hierarchy Level
[edit security ike policy policy-name]
Description
Specify usage of a digital certificate to authenticate the virtual private network (VPN) initiator and recipient.
Options
local-certificate certificate-id—Specifies one local certificate, or a list of multiple local certificates (up to 20), to be used for IKE authentication when multiple certificates are installed on the device. You can use multiple local certificates only with the iked process. If the device supports only a single certificate, running the command again overwrites the existing local certificate. If the device supports multiple local certificates, running the command again adds the certificate to the list. Deleting a certificate from the list terminates any existing IKE connection that uses that certificate; the device then establishes new security associations (SAs) using the updated list. The certificate identifier must not include any of the following characters:
- period (.)
- forward slash (/)
- percent sign (%)
- space ( )
peer-certificate-type—Specifies a preferred type of certificate (Public Key Cryptography Standard #7 or X.509).
- pkcs7—PKCS #7.
- x509-signature—X.509, an ITU-T standard for public key infrastructure (PKI). This is the default value.
policy-oids oid—Configures policy object identifiers (OIDs). This configuration is optional. Policy OIDs are values included in a peer's certificate or certificate chain. You can configure up to five policy OIDs, and each OID can be up to 63 bytes in length. You must ensure that at least one of the configured policy OIDs is included in a peer's certificate or certificate chain. Note that the policy-oids field in a peer's certificate is optional. If you configure policy OIDs in an IKE policy and the peer's certificate chain does not contain any policy OIDs, certificate validation for the peer fails.
trusted-ca—Specifies a name for the trusted CA group. At least one CA profile is required to create a trusted CA group. A trusted CA group can contain a maximum of 20 CA profiles. Any CA from a particular group can validate the certificate for a given entity. When requesting a certificate from a peer, specify the preferred CA. You can associate an IKE policy with a single trusted CA profile or a trusted CA group. During certificate validation, the IKE policy limits itself to the configured group of CAs when establishing a secure connection. Any certificate issued by a CA other than the single trusted CA or a member of the trusted CA group is not validated.
- ca-profile ca-profile-name—Specifies a name for the CA profile. A CA is an entity that issues digital certificates, which help establish a secure connection between peers through certificate validation.
- trusted-ca-group trusted-ca-group-name—Specifies a name for the trusted CA group. At least one CA profile is required to create a trusted CA group. A trusted CA group can contain a maximum of 20 CA profiles. Any CA from a particular group can validate the certificate for a given topology.
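The option descriptions above state several rules that are easy to misread in prose: which characters the commit check rejects in certificate-id, how re-running local-certificate behaves on single- versus multi-certificate devices, the limits on policy-oids and on a trusted CA group, and the two reasons a peer's chain fails validation (issuer outside the trusted CA set, or no configured policy OID anywhere in the chain). The following Python model is an added example and not Junos OS code; the PeerCert and IkeCertPolicy classes, the leaf-first chain ordering, and the sample CA names and OID are constructed assumptions for illustration.

```python
"""Added example (not Junos OS code): an offline model of the rules this page
states for the certificate statement, so a reviewer can see which configurations
fail the commit check and which peer chains fail validation.  The data classes,
the chain model and the sample names are assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Characters the Release 19.1R1 commit check rejects in certificate-id:
# period, forward slash, percent sign and space.
FORBIDDEN_ID_CHARS = frozenset("./% ")
MAX_LOCAL_CERTIFICATES = 20      # iked: list of up to 20 local certificates
MAX_POLICY_OIDS = 5              # up to five policy OIDs per IKE policy
MAX_POLICY_OID_BYTES = 63        # each OID at most 63 bytes
MAX_CA_PROFILES_PER_GROUP = 20   # a trusted CA group holds at most 20 profiles


def check_certificate_id(certificate_id: str) -> List[str]:
    """Return the forbidden characters present (empty list: commit check passes)."""
    return sorted({c for c in certificate_id if c in FORBIDDEN_ID_CHARS})


def set_local_certificate(current: List[str], new_id: str, multi_cert_device: bool) -> List[str]:
    """Model of re-running 'set ... local-certificate': overwrite on a
    single-certificate device, append to the list on a multi-certificate device."""
    bad = check_certificate_id(new_id)
    if bad:
        raise ValueError("commit check failed: certificate-id contains %r" % bad)
    if not multi_cert_device:
        return [new_id]
    if new_id in current:
        return list(current)
    if len(current) >= MAX_LOCAL_CERTIFICATES:
        raise ValueError("local-certificate list already holds %d entries" % MAX_LOCAL_CERTIFICATES)
    return current + [new_id]


def check_policy_oids(oids: List[str]) -> Optional[str]:
    """Return a reason string if the configured policy-oids exceed the stated limits."""
    if len(oids) > MAX_POLICY_OIDS:
        return "too many policy OIDs: %d > %d" % (len(oids), MAX_POLICY_OIDS)
    for oid in oids:
        if len(oid.encode("ascii")) > MAX_POLICY_OID_BYTES:
            return "policy OID %r longer than %d bytes" % (oid, MAX_POLICY_OID_BYTES)
    return None


def check_trusted_ca_group(profiles: Set[str]) -> Optional[str]:
    """A trusted-ca-group needs at least one CA profile and at most 20."""
    if not profiles:
        return "trusted CA group has no CA profile"
    if len(profiles) > MAX_CA_PROFILES_PER_GROUP:
        return "trusted CA group exceeds %d CA profiles" % MAX_CA_PROFILES_PER_GROUP
    return None


@dataclass
class PeerCert:
    """Constructed stand-in for one certificate in the peer's presented chain."""
    subject: str
    issuer: str
    policy_oids: List[str] = field(default_factory=list)  # certificate policies, may be empty


@dataclass
class IkeCertPolicy:
    """Constructed stand-in for the configured certificate statement."""
    trusted_cas: Set[str]                 # the single ca-profile, or the profiles of the group
    policy_oids: List[str] = field(default_factory=list)


def validate_peer_chain(policy: IkeCertPolicy, chain: List[PeerCert]) -> Tuple[bool, str]:
    """Apply the two peer-side rules the page states.  Assumption: the chain is
    ordered leaf first, and its last element is the one signed by the CA that
    must belong to the configured trusted-ca profile or group."""
    if not chain:
        return False, "peer presented no certificate"
    anchor_issuer = chain[-1].issuer
    if anchor_issuer not in policy.trusted_cas:
        return False, "issuer %r is outside the trusted CA set" % anchor_issuer
    if policy.policy_oids:
        present = {oid for cert in chain for oid in cert.policy_oids}
        if not present.intersection(policy.policy_oids):
            # The documented failure: OIDs configured, none present in the peer chain.
            return False, "no configured policy OID found in the peer's chain"
    return True, "validated"


if __name__ == "__main__":
    # Constructed sample: a two-level chain anchored in the trusted CA "corp-root-ca".
    policy = IkeCertPolicy(trusted_cas={"corp-root-ca"}, policy_oids=["1.3.6.1.4.1.99999.1"])
    chain = [PeerCert("peer-gw", "corp-issuing-ca", ["1.3.6.1.4.1.99999.1"]),
             PeerCert("corp-issuing-ca", "corp-root-ca")]
    print(validate_peer_chain(policy, chain))
```

The check functions return a reason string rather than raising, so they can be run over a candidate configuration before commit; validate_peer_chain deliberately reports the first failing rule only, since the page describes both the issuer restriction and the missing-OID case as outright validation failures.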
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5.
policy-oids option added in Junos OS Release 12.3X48-D10.
Support for trusted-ca option added in Junos OS Release 18.1R1.
Commit check added to prevent specified characters in local-certificate certificate-id in Junos OS Release 19.1R1.
Support for certificate validation using trusted-ca-group in the iked process added in Junos OS Release 26.2R1.
Support for a list of multiple local-certificate entries added in Junos OS Release 26.2R1.