Digital Certificates
A digital certificate is an electronic means for verifying your identity through a trusted third party, known as a certificate authority (CA). Alternatively, you can use a self-signed certificate to attest to your identity.
Manual certificate processing includes generation of a PKCS10 request, submission to the CA, retrieval of the signed certificate, and manually loading the certificate into the Juniper Networks device. Based on your deployment environment, you can use either SCEP or CMPv2 for online certificate enrollment.
To use a digital certificate to authenticate your identity when establishing a secure VPN connection, you must first do the following:
Obtain a CA certificate from which you intend to obtain a local certificate, and then load the CA certificate onto the device. The CA certificate can contain a CRL to identify invalid certificates.
Obtain a local certificate from the CA whose CA certificate you have previously loaded, and then load the local certificate in the device. The local certificate establishes the identity of the Juniper Networks device with each tunnel connection.
Manually Generating Digital Certificates: Configuration Overview
To obtain digital certificates manually:
Generate a key pair on the device. See Self-Signed Digital Certificates.
Create a CA profile or profiles containing information specific to a CA. See Example: Configuring a CA Profile.
Generate the CSR for the local certificate and send it to the CA server. See Example: Manually Generating a CSR for the Local Certificate and Sending It to the CA Server.
Load the certificate onto the device. See Example: Loading CA and Local Certificates Manually.
Configure automatic reenrollment. See Example: Using SCEP to Automatically Renew a Local Certificate.
If necessary, load the certificate's CRL on the device. See Example: Manually Loading a CRL onto the Device.
If necessary, configure the CA profile with CRL locations. See Example: Configuring a Certificate Authority Profile with CRL Locations