Example: Configuring a Certificate Authority Profile (CLI)

To configure a CA profile:

  1. Create a CA profile. For example, the following command creates a CA profile called ca-profile-ipsec with CA identity microsoft-2008, specifies that the CRL be refreshed every 48 hours, and sets the location from which the CRL is retrieved to http://www.my-ca.com:
    user@host# set security pki ca-profile ca-profile-ipsec ca-identity microsoft-2008 revocation-check crl refresh-interval 48 url http://www.my-ca.com
  2. Specify the number of times a device resends a certificate request for online enrollment when attempts to enroll in Step 1 fail. For example, the following command sets the enrollment retry to 20 times:
    user@host# set security pki ca-profile ca-profile-ipsec enrollment retry 20

    The default value for retry is 10.

  3. Specify the time interval in seconds between attempts to automatically enroll the CA certificate online. For example, the following command specifies automatic certificate polling every 30 minutes:
    user@host# set security pki ca-profile ca-profile-ipsec enrollment retry-interval 1800

    If you configure retry only without configuring a retry interval, then the default retry interval is 900 seconds (15 minutes). If you do not configure retry or a retry interval, then there is no polling.
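
The following Python script is an added example, not part of the original documentation. It parses set security pki ca-profile lines (for instance from a saved configuration) and applies the retry defaults stated in the steps above to report each profile's effective CRL and enrollment polling settings. The profile ca-profile-lab, the sample text, and the function names are constructed for illustration; the case where only retry-interval is set assumes the stated default retry of 10 applies.

```python
import re

# Constructed sample: the three commands from the steps above, plus a
# hypothetical second profile (ca-profile-lab) that sets only "enrollment retry".
SAMPLE = """\
set security pki ca-profile ca-profile-ipsec ca-identity microsoft-2008 revocation-check crl refresh-interval 48 url http://www.my-ca.com
set security pki ca-profile ca-profile-ipsec enrollment retry 20
set security pki ca-profile ca-profile-ipsec enrollment retry-interval 1800
set security pki ca-profile ca-profile-lab ca-identity lab-ca
set security pki ca-profile ca-profile-lab enrollment retry 5
"""

# An optional CLI prompt such as "user@host# " may precede the command.
PREFIX = re.compile(r"^(?:\S+#\s*)?set security pki ca-profile (\S+)\s+(.*)$")
# Keywords used in the commands on this page and the type of the value that follows.
FIELDS = {"ca-identity": str, "refresh-interval": int, "url": str, "retry": int, "retry-interval": int}

def parse_profiles(text):
    """Collect keyword/value pairs per CA profile from 'set' command lines."""
    profiles = {}
    for line in text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue
        prof, tokens, i = profiles.setdefault(m.group(1), {}), m.group(2).split(), 0
        while i < len(tokens) - 1:
            if tokens[i] in FIELDS:  # keyword followed by its value
                prof[tokens[i]] = FIELDS[tokens[i]](tokens[i + 1])
                i += 1  # skip the value token
            i += 1
    return profiles

def effective(prof):
    """Apply the page's defaults: retry 10, interval 900 s, no polling if neither is set."""
    retry, interval = prof.get("retry"), prof.get("retry-interval")
    polling = retry is not None or interval is not None
    return {
        "crl_url": prof.get("url"),
        "crl_refresh_hours": prof.get("refresh-interval"),
        "polling": polling,
        "retry": (retry if retry is not None else 10) if polling else None,
        "retry_interval_s": (interval if interval is not None else 900) if polling else None,
    }

def audit(text):
    return {name: effective(prof) for name, prof in parse_profiles(text).items()}

if __name__ == "__main__":
    for name, eff in audit(SAMPLE).items():
        print(name, eff)
```

A profile reported with polling set to False, or with no CRL URL, is one to review against the intended enrollment and revocation policy.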
