- play_arrow Port Security
- play_arrow Port Security Overview
-
- play_arrow Digital Certificates
- play_arrow Configuring Digital Certificates
- Public Key Cryptography
- Configuring Digital Certificates
- Configuring Digital Certificates for an ES PIC
- IKE Policy for Digital Certificates on an ES PIC
- Configuring Digital Certificates for Adaptive Services Interfaces
- Configuring Auto-Reenrollment of a Router Certificate
- IPsec Tunnel Traffic Configuration
- Tracing Operations for Security Services
- play_arrow Configuring SSH and SSL Router Access
-
- play_arrow Trusted Platform Module
- play_arrow MACsec
- play_arrow Understanding MACsec
- play_arrow MACsec Examples
-
- play_arrow MAC Limiting and Move Limiting
- play_arrow MAC Limiting and Move Limiting Configurations and Examples
- Understanding MAC Limiting and MAC Move Limiting
- Understanding MAC Limiting on Layer 3 Routing Interfaces
- Understanding and Using Persistent MAC Learning
- Configuring MAC Limiting
- Example: Configuring MAC Limiting
- Verifying That MAC Limiting Is Working Correctly
- Override a MAC Limit Applied to All Interfaces
- Configuring MAC Move Limiting (ELS)
- Verifying That MAC Move Limiting Is Working Correctly
- Verifying That the Port Error Disable Setting Is Working Correctly
-
- play_arrow DHCP Protection
- play_arrow DHCPv4 and DHCPv6
- play_arrow DHCP Snooping
- Understanding DHCP Snooping (ELS)
- Understanding DHCP Snooping (non-ELS)
- Understanding DHCP Snooping Trust-All Configuration
- Enabling DHCP Snooping (non-ELS)
- Configuring Static DHCP IP Addresses
- Example: Protecting Against Address Spoofing and Layer 2 DoS Attacks
- Example: Protecting Against DHCP Snooping Database Attacks
- Example: Protecting Against ARP Spoofing Attacks
- Example: Prioritizing Snooped and Inspected Packet
- Configuring DHCP Security with Q-in-Q Tunneling in Service Provider Style
- play_arrow DHCP Option 82
- play_arrow Dynamic ARP Inspection (DAI)
-
- play_arrow IP Source Guard
- play_arrow Understanding IP Source Guard
- play_arrow IP Source Guard Examples
- Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN
- Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces
- Example: Configuring IP Source Guard and Dynamic ARP Inspection to Protect the Switch from IP Spoofing and ARP Spoofing
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
- Configuring IP Source Guard to Mitigate the Effects of Source IP Address Spoofing and Source MAC Address Spoofing
- Example: Configuring IP Source Guard and Dynamic ARP Inspection on a Specified Bridge Domain to Protect the Devices Against Attacks
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
-
- play_arrow IPv6 Access Security
- play_arrow Neighbor Discovery Protocol
- play_arrow SLAAC Snooping
- play_arrow Router Advertisement Guard
-
- play_arrow Control Plane Distributed Denial-of-Service (DDoS) Protection and Flow Detection
- play_arrow Control Plane DDoS Protection
- play_arrow Flow Detection and Culprit Flows
-
- play_arrow Unicast Forwarding
- play_arrow Unicast Reverse Path Forwarding
- play_arrow Unknown Unicast Forwarding
-
- play_arrow Storm Control
- play_arrow Malware Protection
- play_arrow Juniper Malware Removal Tool
-
- play_arrow Configuration Statements and Operational Commands
Requesting a CA Digital Certificate
Requesting a CA Digital Certificate
You can request a CA digital certificate either
online or manually. To request a digital certificate from a CA or
RA online by using SCEP, issue the request security pki ca-certificate
enroll ca-profile ca-profile-name command.
If you obtained the CA digital certificate manually
through e-mail or other out-of-band mechanism, you must load it manually.
To manually install a certificate in your router, issue the request
security pki ca-certificate load ca-profile profile_name filename /path/filename.cert command.
Generating a Private/Public Key Pair
A key pair is a critical element of a digital certificate
implementation. The public key is included in the local digital certificate
and the private key is used to decrypt data received from peers. To
generate a private/public key pair, issue the request security
pki generate-key-pair certificate-id certificate-id-name command.
Generating and Enrolling a Local Digital Certificate
You can generate and enroll a local digital certificate
either online or manually. To generate and enroll a local certificate
online by using SCEP, issue the request security pki local-certificate
enroll command. To generate a local certificate request manually
in the PKCS-10 format, issue the request security pki generate-certificate-request command.
If you create the local certificate request manually,
you must also load the certificate manually. To manually install a
certificate in your router, issue the request security pki local-certificate
load command.
Applying the Local Digital Certificate to an IPsec Configuration
To activate a local digital certificate, you configure
the IKE proposal to use digital certificates instead of preshared
keys, reference the local certificate in the IKE policy, and identify
the CA or RA in the service set. To enable the IKE proposal for digital
certificates, include the rsa-signatures statement at the [edit services ipsec-vpn ike proposal proposal-name authentication-method] hierarchy level. To reference the local
certificate in the IKE policy, include the local-certificate statement at the [edit services ipsec-vpn ike policy policy-name] hierarchy level. To identify the CA
or RA in the service set, include the trusted-ca statement
at the [edit services service-set service-set-name ipsec-vpn-options] hierarchy level.
[edit services] service-set service-set-name { ..... ipsec-vpn-options { trusted-ca ca-profile-name; } } ipsec-vpn { ike { proposal proposal-name { ..... authentication-method [pre-shared-keys | rsa-signatures]; } policy policy-name { .... local-certificate certificate-id-name; } } }
Configuring Automatic Reenrollment of Digital Certificates
You can configure automatic reenrollment for digital certificates.
This feature is by default not enabled. To configure automatic reenrollment
for digital certificates, include the auto-re-enrollment statement at the [edit security pki] hierarchy level:
[edit]
security {
pki {
auto-re-enrollment {
certificate-id certificate-name {
ca-profile ca-profile-name;
challenge-password password;
re-enroll-trigger-time-percentage percentage; # Percentage of validity-period
# (specified in certificate) when automatic
# reenrollment should be initiated.
re-generate-keypair;
validity-period number-of-days;
}
}
}
}
