Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Example: Configuring a Device for Peer Certificate Chain Validation

This example shows how to configure a device for certificate chains used to validate peer devices during IKE negotiation.

Requirements

Before you begin, obtain the address of the certificate authority (CA) and the information they require (such as the challenge password) when you submit requests for local certificates.

Overview

This example shows how to configure a local device for certificate chains, enroll CA and local certificates, check the validity of enrolled certificates, and check the revocation status of the peer device.

Topology

This example shows the configuration and operational commands on Host-A, as shown in Figure 1. A dynamic CA profile is automatically created on Host-A to allow Host-A to download the CRL from Sales-CA and check the revocation status of Host-B’s certificate.

Figure 1: Certificate Chain ExampleCertificate Chain Example
Note:

The IPsec VPN configuration for Phase 1 and Phase 2 negotiation is shown for Host-A in this example. The peer device (Host-B) must be properly configured so that Phase 1 and Phase 2 options are successfully negotiated and security associations (SAs) are established.

Configuration

To configure a device for certificate chains:

Configure CA Profiles

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure CA profiles:

  1. Create the CA profile for Root-CA.

  2. Create the CA profile for Eng-CA.

  3. Create the CA profile for Dev-CA.

Results

From configuration mode, confirm your configuration by entering the show security pki command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Enroll Certificates

Step-by-Step Procedure

To enroll certificates:

  1. Enroll the CA certificates.

    Type yes at the prompts to load the CA certificate.

  2. Verify that the CA certificates are enrolled in the device.

  3. Verify the validity of the enrolled CA certificates.

  4. Enroll the local certificate.

  5. Verify that the local certificate is enrolled in the device.

  6. Verify the validity of the enrolled local certificate.

  7. Check the CRL download for configured CA profiles.

Configure IPsec VPN Options

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure IPsec VPN options:

  1. Configure Phase 1 options.

  2. Configure Phase 2 options.

Results

From configuration mode, confirm your configuration by entering the show security ike and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

If certificate validation is successful during IKE negotiation between peer devices, both IKE and IPsec security associations (SAs) are established.

Verifying IKE Phase 1 Status

Purpose

Verify the IKE Phase 1 status.

Action

Enter the show services ipsec-vpn ike security-associations command from operational mode.

Verifying IPsec Phase 2 Status

Purpose

Verify the IPsec Phase 2 status.

Action

Enter the show services ipsec-vpn ipsec security-associations command from operational mode.

IKE and IPsec SA Failure for a Revoked Certificate

Checking for Revoked Certificates

Problem

If certificate validation fails during IKE negotiation between peer devices, check to make sure that the peer’s certificate has not been revoked. A dynamic CA profile allows the local device to download the CRL from the peer’s CA and check the revocation status of the peer’s certificate. To enable dynamic CA profiles, the revocation-check crl option must be configured on a parent CA profile.

Solution

To check the revocation status of a peer’s certificate:

  1. Identify the dynamic CA profile that will show the CRL for the peer device by entering the show security pki crl command from operational mode.

    The CA profile dynamic-001 is automatically created on Host-A so that Host-A can download the CRL from Host-B’s CA (Sales-CA) and check the revocation status of the peer’s certificate.

  2. Display CRL information for the dynamic CA profile by entering the show security pki crl ca-profile dynamic-001 detail command from operational mode.

    Enter

    Host-B’s certificate (serial number 10647084) has been revoked.