Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Glossary of PKI Related Terms

About

This topic defines a few important terms related to PKI usage in IKE for Junos OS that are frequently used in this document. For complete Juniper Networks Glossary, see Juniper Networks Glossary.

CA

certificate authority. In general, a CA is a trusted third-party organization that creates, enrolls, validates, and revokes digital certificates. The CA guarantees a user’s identity and issues public and private keys for message encryption and decryption (coding and decoding).

In this example, CA is the server (or set of servers) that signs certificates for virtual private network (VPN) gateways and user systems (for client remote access server (RAS) VPN). CA also generates certificate revocation lists (CRLs) which are lists of revoked certificates. A CA acts as the trusted third party between two VPN gateways that are authenticating each other, using certificates.

Certificates (certs)

A certificates is the combination of an entity identity and public key into one file. This file is digitally signed by a certificate authority (CA), and is validated by other servers that trust this CA. Certificates have a finite lifetime and are defined by a start time and an end time. The certificate becomes invalid when the life time expires. When the certificate expires, a certificate renewal or a new certificate request is required.

CRL

certificate revocation list. The certificate server (CA) periodically publishes the CRL which includes a list of certificates that are prematurely invalid. This list also includes reasons for revocation and the names of the entities that issued certificates. A CRL prevents use of digital certificates and signatures that are expired or invalid.

CDP

CRL Distribution Point (CRL-DP). A CDP is the place to retrieve the latest CA CRLs. This is usually a Lightweight Directory Access Protocol (LDAP) server or HTTP (web) server. The CDP is normally expressed as an ldap://host/dir or http://host/path URL.

DN

distinguished name. A DN is the set of fields and values that uniquely define a certificate in a VPN gateway or remote access server (RAS) VPN client identity. The DN is also called the subject of the certificate. This DN identity can be used as the IKE ID.

The DN form includes the following fields:

  • CN — Username, server DNS name, or almost any uniquely identifying string

  • OU — Organizational unit (example: Sales)

  • O — Organization (example: Juniper Networks)

  • L — Locality (example: San Francisco)

  • S — State (example: CA)

  • C — Country (example: US)

DNS resolver

Domain Name System resolver. Domain Name Server setting that needs to be set on the Juniper Networks virtual private network (VPN) device to help resolve fully qualified domain name (FQDN) names into IP addresses. Many CAs and certificates use hostnames which need to be resolved into IP addresses.

FQDN

fully qualified domain name. The hostname and domain name for a specific system.

An FQDN is usually the name given to a device on the Internet, including the DNS-based zone that the device is in. Examples include www.juniper.net, ocsp.chemistry.nwu.edu, nsgw1.dklein.org, ftp1.whitehouse.gov, and ca2.nit.disa.mil.

IKE

Internet Key Exchange. In general, IKE is the is part of IPsec that provides ways to securely negotiate the shared private keys that the authentication header (AH) and Encapsulating Security Payload (ESP) portions of IPsec need to function properly. IKE employs Diffie-Hellman methods and is optional in IPsec (the shared keys can be entered manually at the endpoints).

In this example, it is an Internet Security Association and Key Management Protocol (ISAKMP)/Oakley-based process used by two VPN gateways to identify and authenticate each other. In addition, key generation for packet-level authentication (integrity) and encryption (privacy) is handled during IKE.

The IKE RFC defines the following two basic gateway authentication mechanisms:

  • Preshared key (like a password)

  • Digital certificates (certificates) based on RSA private/public key pairs

    Note:

    This document focuses on the digital certificates (certificates) based on RSA private/public key pairs.

IKE ID

IKE identity. The IKE ID defines how two VPN peers can identify each other.

The IKE ID can be one of the following:

  • IP address (example: 21.62.2.252)

  • fully qualified domain name (FQDN) (example: vpn1.juniper.net)

  • U-FQDN or e-mail address (example: johndoe@juniper.net)

  • distinguished name (DN) (example: CN=John Doe, OU=eng, O=Juniper, C=US).

IPsec

IP Security. In general, IPsec is a standard way to add security to Internet communications. The secure aspects of IPsec are usually implemented in three parts: the authentication header (AH), the Encapsulating Security Payload (ESP), and the Internet Key Exchange (IKE).

In this example, IPsec is the protocol used to authenticate, encrypt, and encapsulate IP packets between two VPN/IKE peers, thereby creating a tunnel.

NSR

NetScreen-Remote client is the software for Windows-based PCs or laptops, which allow clients to set up a personal VPN to a Junos OS or other IPsec gateway, opposed to a site-to-site VPN in which two VPN devices set up a VPN tunnel between two sites, containing many hosts.

OCSP

Online Certificate Status Protocol. The OCSP protocol is used by a VPN device to contact a VA (validation authority) to check on the validity of a certificate. This is a more scalable alternative to the use of certificate revocation lists (CRL), CRL Distribution Points (CDPs).

PKCS

Public-Key Cryptography Standards. PKCS are the series of standards established by RSA laboratories.

The PKCS are:

  • PKCS7—The Cryptographic Message Syntax Standard defines how messages are encoded and digitally signed. The PKCS7 includes a certificate itself and it is also referred to as a p7 file.

  • PKCS10—The Certificate Request Syntax Standard defines how a virtual private network (VPN) gateway can form a request for a certificate that can be sent to a certificate authority (CA). The request, also referred to as a p10 file, usually includes the VPN gateway identity and a public key. The CA digitally signs the request with its own private key and returns a p7 (certificate) file.

  • PKCS11—The Cryptographic Token Interface Standard defines how to store certificates and private keys on a token card. This is not relevant for the SRX Series and J Series devices but can be relevant to the NSR devices.

  • PKCS12—The Personal Information Exchange Syntax Standard defines how to bundle an entity certificate and public/private key pair into a password-protected file. The PKCS12, also referred as a p12 file, facilitates moving a user from one machine to another for client VPNs. This standard is more frequently used by NSR devices.

PKI

Public key infrastructure. In general, PKI is a hierarchy of trust that enables users of a public network to securely and privately exchange data through the use of public and private cryptographic key pairs that are obtained and shared with peers through a trusted authority.

In this example, PKI is the set of objects that allow the use of digital certificates between two entities (such as virtual private network (VPN) gateways). This includes a certificate authority (CA), registration authority (RA), certificates, certificate revocation lists (CRLs), CRL Distribution Points (CDPs), and Online Certificate Status Protocol (OCSP).

SCEP

Simple Certificate Enrollment Protocol. In general, SCEP is a protocol for digital certificates that supports certificate authority (CA) and registration authority (RA) public key distribution, certificate enrollment, certificate revocation, certificate queries, and certificate revocation list (CRL) queries.

In this example, SCEP is the protocol used to allow a device to generate a certificate request and automatically submit the request to a CA. You can use this protocol only if both the device and the CA support it. This protocol makes certificate enrollment and reenrollment easier than manually collecting a PKCS10 from the device and then submitting it to a CA.

Junos OS Release 9.0 and later supports SCEP. For more information on SCEP, see Appendix D: Simple Certificate Enrollment Protocol.

U-FQDN

User-fully qualified domain name. This is usually the e-mail address given to users on the Internet or host network. For example: johndoe@juniper.net, user1@org.corp.com, and john.smith@jscorp.com.