Configuring Digital Certificates for an ES PIC
Digital certificates provide a way of authenticating users through a trusted third party called a certificate authority (CA). The CA validates the identity of a certificate holder and “signs” the certificate to attest that it has not been forged or altered.
To define the digital certificate configuration for an encryption service interface, include the following statements at the [edit security certificates] and [edit security ike] hierarchy levels:
[edit security]
certificates {
    cache-size bytes;
    cache-timeout-negative seconds;
    certification-authority ca-profile-name {
        ca-name ca-identity;
        crl filename;
        encoding (binary | pem);
        enrollment-url url-name;
        file certificate-filename;
        ldap-url url-name;
    }
    enrollment-retry attempts;
    local certificate-filename {
        certificate-key-string;
        load-key-file URL key-file-name;
    }
    maximum-certificates number;
    path-length certificate-path-length;
}
ike {
    policy ike-peer-address {
        description policy;
        encoding (binary | pem);
        identity identity-name;
        local-certificate certificate-filename;
        local-key-pair private-public-key-file;
        mode (aggressive | main);
        pre-shared-key (ascii-text key | hexadecimal key);
        proposals [ proposal-names ];
    }
}
Tasks to configure digital certificates for ES PICs are:
- Configuring the Certificate Authority Properties for an ES PIC
- Configuring the Cache Size
- Configuring the Negative Cache
- Configuring the Number of Enrollment Retries
- Configuring the Maximum Number of Peer Certificates
- Configuring the Path Length for the Certificate Hierarchy
Configuring the Certificate Authority Properties for an ES PIC
A CA is a trusted third-party organization that creates, enrolls, validates, and revokes digital certificates.
To configure a certificate authority and its properties for an ES PIC, include the following statements at the [edit security certificates] hierarchy level:
[edit security certificates]
certification-authority ca-profile-name {
    ca-name ca-identity;
    crl filename;
    encoding (binary | pem);
    enrollment-url url-name;
    file certificate-filename;
    ldap-url url-name;
}
ca-profile-name is the CA profile name.
Tasks for configuring the CA properties are:
- Specifying the Certificate Authority Name
- Configuring the Certificate Revocation List
- Configuring the Type of Encoding Your CA Supports
- Specifying an Enrollment URL
- Specifying a File to Read the Digital Certificate
- Specifying an LDAP URL
Specifying the Certificate Authority Name
If you are enrolling with a CA using the Simple Certificate Enrollment Protocol (SCEP), you need to specify the CA name (CA identity) that is used in the certificate request, in addition to the URL for the SCEP server.
To specify the name of the CA identity, include the ca-name statement at the [edit security certificates certification-authority ca-profile-name] hierarchy level:
[edit security certificates certification-authority ca-profile-name]
ca-name ca-identity;
ca-identity specifies the CA identity to use in the certificate request. It is typically the CA domain name.
Configuring the Certificate Revocation List
A certificate revocation list (CRL) contains a list of digital certificates that have been canceled before their expiration date. When a participating peer uses a digital certificate, it checks the certificate signature and validity. It also acquires the most recently issued CRL and checks that the certificate serial number is not on that CRL.
To configure the CA certificate revocation list, include the crl statement and specify the file from which to read the CRL at the [edit security certificates certification-authority ca-profile-name] hierarchy level:
[edit security certificates certification-authority ca-profile-name]
crl filename;
Configuring the Type of Encoding Your CA Supports
Encoding specifies the file format used for the local-certificate and local-key-pair statements. By default, encoding is set to binary, the distinguished encoding rules (DER) format. Privacy-enhanced mail (PEM) is an ASCII base64-encoded format. Check with your CA to determine which file formats it supports.
To configure the file format that your CA supports, include the encoding statement and specify a binary or PEM format at the [edit security certificates certification-authority ca-profile-name] hierarchy level:
[edit security certificates certification-authority ca-profile-name]
encoding (binary | pem);
Specifying an Enrollment URL
You specify the CA location where your router or switch sends SCEP-based certificate enrollment requests. To specify the CA location by naming the CA URL, include the enrollment-url statement at the [edit security certificates certification-authority ca-profile-name] hierarchy level:
[edit security certificates certification-authority ca-profile-name]
enrollment-url url-name;
url-name is the CA location. The format is http://ca-name, where ca-name is the CA host DNS name or IP address.
Specifying a File to Read the Digital Certificate
To specify the file from which to read the digital certificate, include the file statement and specify the certificate filename at the [edit security certificates certification-authority ca-profile-name] hierarchy level:
[edit security certificates certification-authority ca-profile-name]
file certificate-filename;
Specifying an LDAP URL
If your CA stores its current CRL on its Lightweight Directory Access Protocol (LDAP) server, you can optionally check the CA's CRL before using a digital certificate. If the digital certificate appears on the CA's CRL, your router or switch cannot use it. To access the CA's CRL, include the ldap-url statement at the [edit security certificates certification-authority ca-profile-name] hierarchy level:
[edit security certificates certification-authority ca-profile-name]
ldap-url url-name;
url-name is the certification authority LDAP server name. The format is ldap://server-name, where server-name is the CA host DNS name or IP address.
Configuring the Cache Size
By default, the cache size is 2 megabytes (MB). To configure the total cache size for digital certificates, include the cache-size statement at the [edit security certificates] hierarchy level:
[edit security certificates]
cache-size bytes;
bytes is the cache size for digital certificates. The range can be from 64 through 4,294,967,295 bytes. We recommend that you limit your cache size to 4 MB.
Configuring the Negative Cache
Negative caching stores negative results and reduces the response time for negative answers. It also reduces the number of messages that are sent to the remote server. Maintaining a negative cache state allows the system to quickly return a failure condition when a lookup attempt is retried. Without a negative cache state, a retry would require waiting for the remote server to fail to respond, even though the system already “knows” that the remote server is not responding.
By default, the negative cache is 20 seconds. To configure the negative cache, include the cache-timeout-negative statement at the [edit security certificates] hierarchy level:
[edit security certificates]
cache-timeout-negative seconds;
seconds is the amount of time for which a failed CA or router certificate is present in the negative cache. While searching for certificates with a matching CA identity (domain name for certificates, or CA domain name and serial for CRLs), the negative cache is searched first. If an entry is found in the negative cache, the search fails immediately.
Configuring a large negative cache value can make you susceptible to a denial-of-service (DoS) attack.
Configuring the Number of Enrollment Retries
By default, the number of enrollment retries is set to 0, which means an infinite number of retries. To specify how many times a router or switch resends a certificate request, include the enrollment-retry statement at the [edit security certificates] hierarchy level:
[edit security certificates]
enrollment-retry attempts;
attempts is the number of enrollment retries (0 through 100).
Configuring the Maximum Number of Peer Certificates
By default, the maximum number of peer certificates to be cached is 1024. To configure the maximum number of peer certificates to be cached, include the maximum-certificates statement at the [edit security certificates] hierarchy level:
[edit security certificates]
maximum-certificates number;
number is the maximum number of peer certificates to be cached. The range is from 64 through 4,294,967,295 peer certificates.
Configuring the Path Length for the Certificate Hierarchy
Certification authorities can issue certificates to other CAs. This creates a tree-like certification hierarchy. The highest trusted CA in the hierarchy is called the trust anchor. Sometimes the trust anchor is the root CA, which is usually signed by itself. In the hierarchy, every certificate is signed by the CA immediately above it. An exception is the root CA certificate, which is usually signed by the root CA itself. In general, a chain of multiple certificates may be needed, comprising a certificate of the public key owner (the end entity) signed by one CA, and zero or more additional certificates of CAs signed by other CAs. Such chains, called certification paths, are required because a public key user is only initialized with a limited number of assured CA public keys.
Path length refers to a path of certificates from one certificate to another certificate, based on the relationship of a CA and its “children.” When you configure the path-length statement, you specify the maximum depth of the hierarchy to validate a certificate from the trusted root CA certificate to the certificate in question. For more information about the certificate hierarchy, see RFC 3280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
By default, the maximum certificate path length is set to 15. The root anchor is 1.
To configure path length, include the path-length statement at the [edit security certificates] hierarchy level:
[edit security certificates]
path-length certificate-path-length;
certificate-path-length is the maximum number of certificates in the certificate path. The range is from 2 through 15 certificates.