Configuring Digital Certificates
Digital Certificates Overview
A digital certificate provides a way of authenticating users through a trusted third-party called a certificate authority (CA). The CA validates the identity of a certificate holder and “signs” the certificate to attest that it has not been forged or altered.
A certificate includes the following information:
The distinguished name (DN) of the owner. A DN is a unique identifier and consists of a fully qualified name including the common name (CN) of the owner, the owner’s organization, and other distinguishing information.
The public key of the owner.
The date on which the certificate was issued.
The date on which the certificate expires.
The distinguished name of the issuing CA.
The digital signature of the issuing CA.
The additional information in a certificate allows recipients to decide whether to accept the certificate. The recipient can determine if the certificate is still valid based on the expiration date. The recipient can check whether the CA is trusted by the site based on the issuing CA.
To issue a certificate, a CA takes the owner’s public key, signs that public key with its own private key, and returns the result to the owner as a certificate. A recipient can extract the owner’s public key, together with the CA’s signature, from the certificate. By checking that signature with the CA’s public key, the recipient validates both the CA’s signature and the identity of the certificate owner.
When you use digital certificates, you first send a request to obtain a certificate from your CA. You then configure digital certificates and a digital certificate IKE policy. Finally, you obtain a digitally signed certificate from a CA.
Certificates without an alternate subject name are not appropriate for IPsec services.
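As an added example that is not part of this documentation or of Junos OS, the following Go program shows the certificate contents and checks described above: a constructed CA signs an owner certificate whose DN carries CN, O, OU, C and L and whose subject alternative name holds the hostname, and a recipient then validates it against the CA's public key and the validity window. The names router1.example.com, xyzcompany, netops, Sunnyvale and Example Root CA are assumed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// signCert has parentKey sign tmpl under parent and returns the parsed certificate.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueAndVerify builds a constructed CA, has it sign an owner certificate whose DN carries
// CN/O/OU/C/L and whose SAN names the host, then checks it as a recipient would. Returns issuer CN.
func IssueAndVerify(ownerNotAfter time.Time) (string, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ownerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Example Root CA", Organization: []string{"xyzcompany"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign}
	ca, err := signCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root (constructed)
	if err != nil {
		return "", err
	}
	ownerTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now.Add(-time.Hour), NotAfter: ownerNotAfter,
		Subject: pkix.Name{CommonName: "router1.example.com", Organization: []string{"xyzcompany"},
			OrganizationalUnit: []string{"netops"}, Country: []string{"US"}, Locality: []string{"Sunnyvale"}},
		DNSNames: []string{"router1.example.com"}, // the alternate subject name IPsec peers require
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	owner, err := signCert(ownerTmpl, ca, &ownerKey.PublicKey, caKey)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool() // the CA certificate the recipient has chosen to trust
	roots.AddCert(ca)
	// Verify checks the CA signature, the NotBefore/NotAfter window against now, and the chain to roots.
	if _, err := owner.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", err
	}
	return owner.Issuer.CommonName, nil
}
```

Passing a NotAfter in the past makes Verify reject the certificate as expired, which is the check a recipient performs on the expiration date.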
Obtaining a Certificate from a Certificate Authority for an ES PIC
Certificate authorities (CAs) manage certificate requests and issue certificates to participating IPsec network devices. When you create a certificate request, you need to provide the information about the owner of the certificate. The required information and its format vary across certificate authorities.
Certificates use names in the X.500 format, a directory access protocol that provides both read and update access. The entire name is called a DN (distinguished name). It consists of a set of components, which often includes a CN (common name), an organization (O), an organization unit (OU), a country (C), a locality (L), and so on.
For the dynamic registration of digital certificates, the Junos OS supports only the Simple Certificate Enrollment Protocol (SCEP).
Requesting a CA Digital Certificate for an ES PIC on an M Series or T Series Router
For an encryption interface on an M Series or T Series router, issue the following command to obtain a public key certificate from a CA. The results are saved in the specified file in the /var/etc/ikecert directory. The CA public key verifies certificates from remote peers.
user@host> request security certificate enroll filename filename ca-name ca-name parameters parameters
Example: Requesting a CA Digital Certificate
Specify a URL to the SCEP server and the name of the certification authority whose certificate you want: mycompany.com. The filename is the name of the file that stores the result. The output "Received CA certificate:" provides the signature for the certificate, which allows you to verify (offline) that the certificate is genuine.
user@host> request security certificate enroll filename ca_verisign ca-file verisign ca-name xyzcompany url http://hostname/path/filename
URL: http://hostname/path/filename
name: example.com
CA file: verisign
Encoding: binary
Certificate enrollment has started. To see the certificate enrollment status, check the key management process (kmd) log file at /var/log/kmd.
Each router is initially manually enrolled with a certificate authority.
Generating a Private and Public Key Pair for Digital Certificates for an ES PIC
To generate a private and public key, issue the following command:
user@host> request security key-pair name size key-size type ( rsa | dsa )
name specifies the filename in which to store the public and private keys.
key-size can be 512, 1024, 1596, or 2048 bytes. The default key size is 1024 bytes.
type can be rsa or dsa. The default is RSA.
When you use SCEP, the Junos OS only supports RSA.
The following example shows how to generate a private and public key pair:
user@host> request security key-pair batt
Generated key pair, key size 1024, file batt
Algorithm RSA