HP VSR1000 Security Configuration Manual page 5

Virtual services router
Table of Contents

Managing public keys
  Overview
  FIPS compliance
  Creating a local key pair
    Configuration guidelines
    Configuration procedure
  Distributing a local host public key
    Exporting a host public key in a specific format to a file
    Displaying a host public key in a specific format and saving it to a file
    Displaying a host public key
  Destroying a local key pair
  Configuring a peer public key
    Importing a peer host public key from a public key file
    Entering a peer public key
  Displaying and maintaining public keys
  Examples of public key management
    Example for entering a peer public key
    Example for importing a public key from a public key file
Configuring PKI
  Overview
    PKI terminology
    PKI architecture
    PKI operation
    PKI applications
    Support for MPLS L3VPN
  FIPS compliance
  PKI configuration task list
  Configuring a PKI entity
  Configuring a PKI domain
  Requesting a certificate
    Configuring automatic certificate request
    Manually requesting a certificate
  Aborting a certificate request
  Obtaining certificates
    Configuration prerequisites
    Configuration guidelines
    Configuration procedure
  Verifying PKI certificates
    Verifying certificates with CRL checking
    Verifying certificates without CRL checking
  Specifying the storage path for the certificates and CRLs
  Exporting certificates
  Removing a certificate
  Configuring a certificate access control policy
  Displaying and maintaining PKI
  PKI configuration examples
    Certificate request from an RSA Keon CA server
    Certificate request from a Windows 2003 CA server
    Certificate request from an OpenCA server
    IKE negotiation with RSA digital signature from a Windows 2003 CA server
    Certificate import and export configuration example
  Troubleshooting PKI configuration
    Failed to obtain the CA certificate
    Failed to obtain local certificates