certificate
Syntax
certificate {
    local-certificate certificate-id;
    peer-certificate-type (pkcs7 | x509-signature);
    policy-oids oid;
    trusted-ca {
        ca-profile ca-profile-name;
        trusted-ca-group trusted-ca-group-name;
    }
}
Hierarchy Level
[edit security ike policy policy-name]
Description
Specify that a digital certificate (rather than a preshared key) is used to authenticate the virtual private network (VPN) initiator and recipient during IKE negotiation.
Options
local-certificate certificate-id
—Specify which certificate to use when the local device has multiple certificates loaded. The certificate-id must match the identifier under which the key pair was generated and the certificate was loaded or enrolled. The device deletes existing IKE and IPsec SAs when you update the local-certificate configuration in the IKE policy, so expect tunnels to renegotiate after the commit. Starting in Junos OS Release 19.1R1, a commit check prevents the characters period (.), slash (/), percent (%), and space from being used in a certificate identifier when generating a local or remote certificate or a key pair.
peer-certificate-type
—Specify the preferred type of certificate to request from the peer (PKCS7 or X.509).
pkcs7
—Public-Key Cryptography Standard #7.
x509-signature
—X.509, the ITU-T standard for public key infrastructure certificates. This is the default value.
policy-oids oid
—Configure policy object identifiers (OIDs) that must appear in the certificate policies extension of the peer's certificate or certificate chain. This configuration is optional. Up to five policy OIDs can be configured, and each OID can be up to 63 bytes long. At least one of the configured policy OIDs must be present in the peer's certificate or certificate chain. Note that the certificate policies field in a peer's certificate is itself optional; if you configure policy OIDs in an IKE policy and the peer's certificate chain does not contain any policy OIDs, certificate validation for the peer fails and the IKE negotiation does not complete.
trusted-ca
—Specify the trusted certificate authority (CA) that may validate the peer's certificate: either a single CA profile or a trusted CA group. You can associate an IKE policy with one trusted CA profile or one trusted CA group, not both. During certificate validation the IKE policy limits itself to the configured CA or group of CAs while establishing a secure connection; a peer certificate issued by any CA other than the single trusted CA or a member of the trusted CA group is not validated. The configured CA is also the preferred CA named when requesting a certificate from the peer, so the peer can present a matching certificate. A trusted CA group must contain at least one CA profile and can contain up to 20 CAs; any CA in the group can validate the certificate for that entity.
ca-profile ca-profile-name
—Specify the name of a single CA profile (configured at [edit security pki ca-profile]) to trust. A certificate authority (CA) is an entity that issues digital certificates; peers establish a secure connection by validating each other's certificates against a CA they both trust.
trusted-ca-group trusted-ca-group-name
—Specify the name of a trusted CA group (configured at [edit security pki trusted-ca-group]). A trusted CA group must contain at least one CA profile and can contain up to 20 CAs. Any CA in the group can validate the peer certificate for that particular topology.
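The following is a complete configuration for this statement, added here as a worked example; it is not taken from the Juniper documentation. It defines two CA profiles, groups them, and builds an IKE policy that authenticates with a local certificate, accepts peer certificates only from that group, and requires one of two policy OIDs in the peer's chain. All names (ca-corp-root, ca-corp-issuing, corp-cas, ike-pol-cert, vpn-gw-cert) and both OID values are placeholders; the OIDs in particular must be ones your PKI actually puts into the peer certificates, otherwise validation fails as described above.

```junos
security {
    pki {
        /* One CA profile per issuing CA; ca-identity is the CA's own name (placeholder). */
        ca-profile ca-corp-root {
            ca-identity corp-root-ca;
        }
        ca-profile ca-corp-issuing {
            ca-identity corp-issuing-ca;
        }
        /* A group needs at least one profile and may hold up to 20. */
        trusted-ca-group corp-cas {
            ca-profiles [ ca-corp-root ca-corp-issuing ];
        }
    }
    ike {
        policy ike-pol-cert {
            proposal-set standard;
            certificate {
                /* Must match the certificate-id the key pair was generated and the certificate loaded under. */
                /* No '.', '/', '%' or space in the identifier (commit check from 19.1R1). */
                local-certificate vpn-gw-cert;
                peer-certificate-type x509-signature;
                /* Placeholder OIDs: at least one must appear in the peer's chain, else validation fails. */
                policy-oids [ 1.3.6.1.4.1.99999.1.1 1.3.6.1.4.1.99999.1.2 ];
                /* Only certificates issued by a member of corp-cas are accepted. */
                /* For a single CA use "ca-profile ca-corp-issuing;" here instead; not both. */
                trusted-ca {
                    trusted-ca-group corp-cas;
                }
            }
        }
    }
}
```

Generate the key pair under the same identifier before enrolling or loading the certificate (request security pki generate-key-pair certificate-id vpn-gw-cert size 2048 type rsa), then confirm it is present with show security pki local-certificate certificate-id vpn-gw-cert before committing the IKE policy. Reference the policy from a gateway with ike-policy ike-pol-cert under [edit security ike gateway gateway-name]. Because changing local-certificate tears down existing IKE and IPsec SAs, schedule the commit in a maintenance window and verify with show security ike security-associations that the tunnels come back.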
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5.
policy-oids option added in Junos OS Release 12.3X48-D10.
Support for trusted-ca option added in Junos OS Release 18.1R1.