Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Using Digital Certificates for IPsec

Using Digital Certificates for IPsec

A popular way for network administrators to scale an IPsec network is to use digital certificates instead of preshared keys. To enable digital certificates in your network, you need to use a combination of operational mode commands and configuration statements. The following tasks enable you to implement digital certificates on AS and MultiServices PICs installed in M Series and T Series routers:

See Also

Configuring a CA Profile

The CA profile contains the name and URL of the CA or RA, as well as some retry timer settings. CA certificates issued by Entrust, VeriSign, and Microsoft are all compatible with M Series, and T Series routers. To configure the domain name of the CA or RA, include the ca-identity statement at the [edit security pki ca-profile ca-profile-name] hierarchy level. To configure the URL of the CA, include the url statement at the [edit security pki ca-profile ca-profile-name enrollment] hierarchy level. To configure the number of enrollment attempts the router should perform, include the retry statement at the [edit security pki ca-profile ca-profile-name enrollment] hierarchy level. To configure the amount of time the router should wait between enrollment attempts, include the retry-interval statement at the [edit security pki ca-profile ca-profile-name enrollment] hierarchy level.

Note:

When you delete the entire public key infrastructure (PKI) configuration, all the CA certificates in the device are not deleted as expected. These CA certificates are accessible after you create the CA profiles again.

Configuring a Certificate Revocation List

A certificate revocation list (CRL) contains a list of digital certificates that have been canceled before their expiration date. When a participating peer uses a digital certificate, it checks the certificate signature and validity. It also acquires the most recently issued CRL and checks that the certificate serial number is not on that CRL. By default, CRL verification is enabled on any CA profile running on Junos OS Release 8.1 or later. To disable CRL verification, include the disable statement at the [edit security pki ca-profile ca-profile-name revocation-check] hierarchy level.

To specify the URL for the Lightweight Directory Access Protocol (LDAP) server where your CA stores its current CRL, include the url statement at the [edit security pki ca-profile ca-profile-name revocation-check crl] hierarchy level. If the LDAP server requires a password to access the CRL, include the password statement at the [edit security pki ca-profile ca-profile-name revocation-check crl url] hierarchy level.

Note:

You do not need to specify a URL for the LDAP server if the certificate includes a certificate distribution point (CDP). The CDP is a field within the certificate that contains information about how to retrieve the CRL for the certificate. The router uses this information to download the CRL automatically. Any LDAP URL you configure takes precedence over the CDP included in the certificate.

If you manually downloaded the CRL, you must manually install it on the router. To manually install the CRL, issue the request security pki crl load ca-profile ca-profile-name filename path/filename command.

To configure the time interval between CRL updates, include the refresh-interval statement at the [edit security ca-profile ca-profile-name revocation-check crl] hierarchy level.

To override the default behavior and permit IPsec peer authentication to continue when the CRL fails to download, include the disable on-download-failure statement at the [edit security ca-profile ca-profile-name revocation-check crl] hierarchy level.