IKE Authentication Using Public Keys Without Digital Certificates; Configuration Tasks - Juniper IP Services Configuration Guide v11.1.x Configuration Manual

JUNOSe 11.1.x IP Services Configuration Guide
supports CA hierarchies, which consist of a top-level root CA and one or more sub-CAs
(also called issuing CAs).
In a CA hierarchy, the router obtains its public key certificates and the CA certificate
from a sub-CA. The sub-CA's certificate is signed by the root CA.
This process creates a certificate chain of trust: the E Series router must verify every
certificate in the chain until it reaches a CA it already trusts, such as the root CA. For
example, if the router receives traffic from a peer whose certificate is signed by a sub-CA,
the router first verifies the sub-CA's signature on the peer's certificate, then verifies the
root CA's signature on the sub-CA's certificate. If any signature in the chain fails to verify,
or the chain does not end at a CA the router trusts, the peer is not authenticated.
The ERX router supports CA hierarchies consisting of the root CA and one level of
sub-CAs. When using a CA hierarchy, the router authenticates and enrolls for its
public certificate with the sub-CA. When you use the show ipsec ike-certificates
command, the root CA and sub-CA certificates are listed as CA certificates, and the
router's public certificates are signed by the sub-CA.

IKE Authentication Using Public Keys Without Digital Certificates

During IKE negotiations, peers exchange public keys to authenticate each other's
identity and to ensure that IKE SAs are established with the intended party. Typically,
public keys are exchanged in messages containing an X.509v3 digital certificate.
As an alternative to setting up digital certificates, you can configure and exchange
public keys for IKE peers and use these keys for RSA signature authentication without
having to obtain a digital certificate. This method offers much of the simplicity and
convenience of preshared key authentication without its inherent security risks: each peer
proves possession of its own private key rather than a secret that both sides must store.
Its security rests entirely on each router holding the correct public key for its peer, so
verify a key string received from a remote administrator out of band (for example, by
comparing it character by character with the output of show ipsec key mypubkey rsa on the
peer) before entering it; a key string substituted in transit would authenticate whoever
holds the matching private key.
With this method, you no longer need a digital certificate to do the following:

Configuration Tasks

To set up public keys and peer public keys without obtaining a digital certificate, you
use router commands to perform the following tasks:
- Associate the router with its own public key
- Enable a remote peer to display the router's public key
- Learn the remote peer's public key

- Display the router's public key by using the show ipsec key mypubkey rsa
  command. You can use the output from this command to provide information
  to the remote peer about the public key configured on the router. The remote
  peer can then enter the router's public key on its own system.
- Manually enter the public key for the remote peer with which you want to
  establish IKE SAs by using the ipsec key pubkey-chain rsa and key-string
  commands.
- Display the remote peer's public key by using the show ipsec key pubkey-chain
  rsa command.
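The two authentication paths this page describes, the chain-of-trust walk through one sub-CA from the CA hierarchy section and the manually entered peer key from the task list above, modelled as an added Python example. This is not code from the JUNOSe guide or from the router: textbook RSA with tiny constructed keys stands in for the router's RSA operations, `verify_chain`, `fingerprint`, `add_peer_key` and `authenticate_peer` are illustrative names rather than router commands, the fingerprint comparison is the out-of-band check an administrator would do (the guide does not say whether show ipsec key mypubkey rsa prints one), and the certificates and negotiation transcript are constructed test data.

```python
"""Toy model of the two IKE peer-authentication paths described in this section:
(1) a certificate chain through one sub-CA up to a trusted root CA, and
(2) RSA-signature authentication with a raw public key entered by hand.
Textbook RSA with tiny constructed keys and no padding: illustrative only, NOT secure."""
import hashlib
from math import isqrt

def _prime_after(n):
    """Smallest prime >= n by trial division (adequate for the tiny demo keys)."""
    while any(n % k == 0 for k in range(2, isqrt(n) + 1)):
        n += 1
    return n

def make_keypair(seed, e=65537):
    # Constructed demo key pair; `seed` only selects which small primes are used.
    p = _prime_after(seed)
    q = _prime_after(p + 1)
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, (p - 1) * (q - 1))}

def _h(data, n):
    # SHA-256 reduced mod n so the tiny key can sign it (real IKE uses PKCS#1 encoding).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_h(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _h(data, pub["n"])

# ---- (1) certificate chain: peer <- sub-CA <- root CA ----
def _tbs(subject, pub, issuer):
    """Canonical to-be-signed bytes of a toy certificate (stands in for X.509 TBSCertificate)."""
    return f"{subject}|{pub['n']}|{pub['e']}|{issuer}".encode()

def issue_cert(subject, pub, issuer, issuer_priv):
    return {"subject": subject, "pub": pub, "issuer": issuer,
            "sig": sign(issuer_priv, _tbs(subject, pub, issuer))}

def verify_chain(cert, ca_certs, trusted_roots, max_sub_ca_levels=1):
    """Follow issuer links from the peer's certificate until a trusted root has signed.
    ca_certs: {name: cert} the router holds; trusted_roots: its trust anchors.
    The ERX router supports one level of sub-CAs, so deeper (even valid) chains fail."""
    depth = 0
    while True:
        issuer = ca_certs.get(cert["issuer"])
        if issuer is None:
            return False          # issuer certificate unknown: no path to a root
        if not verify(issuer["pub"], _tbs(cert["subject"], cert["pub"], cert["issuer"]), cert["sig"]):
            return False          # signature on this certificate does not check out
        if cert["issuer"] in trusted_roots:
            return True           # reached the trust anchor
        depth += 1
        if depth > max_sub_ca_levels:
            return False          # hierarchy deeper than the router supports
        cert = issuer

# ---- (2) raw public keys: the out-of-band check, then the IKE signature check ----
def fingerprint(pub):
    """Short digest of a key string, for both administrators to compare out of band."""
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()[:16]

def add_peer_key(pubkey_chain, peer_id, pub, expected_fp):
    """Models entering a peer key (ipsec key pubkey-chain rsa / key-string): accept it only
    if its fingerprint matches what the peer's administrator read from show ipsec key mypubkey rsa."""
    if fingerprint(pub) != expected_fp:
        return False
    pubkey_chain[peer_id] = pub
    return True

def authenticate_peer(pubkey_chain, peer_id, transcript, sig):
    """RSA-signature authentication: the peer signs the negotiation transcript and the
    router verifies it with the key stored for that peer's identity, no certificate involved."""
    pub = pubkey_chain.get(peer_id)
    return pub is not None and verify(pub, transcript, sig)

def demo():
    """Exercise both paths, including the failures a practitioner should expect to see."""
    root_pub, root_priv = make_keypair(1_000_000)
    sub_pub, sub_priv = make_keypair(2_000_000)
    sub2_pub, sub2_priv = make_keypair(3_000_000)
    peer_pub, peer_priv = make_keypair(4_000_000)
    mitm_pub, mitm_priv = make_keypair(5_000_000)   # attacker's key, never trusted
    ca_certs = {"root": issue_cert("root", root_pub, "root", root_priv),
                "sub": issue_cert("sub", sub_pub, "root", root_priv)}
    peer_cert = issue_cert("peer", peer_pub, "sub", sub_priv)
    rogue_cert = issue_cert("peer", mitm_pub, "sub", mitm_priv)  # claims "sub" signed it; it did not
    deep_cas = dict(ca_certs, sub2=issue_cert("sub2", sub2_pub, "sub", sub_priv))
    deep_cert = issue_cert("peer", peer_pub, "sub2", sub2_priv)  # valid, but two sub-CA levels
    chain, transcript = {}, b"constructed IKE negotiation transcript"
    return {
        "chain_ok": verify_chain(peer_cert, ca_certs, {"root"}),
        "forged_sig_rejected": not verify_chain(rogue_cert, ca_certs, {"root"}),
        "two_levels_rejected": not verify_chain(deep_cert, deep_cas, {"root"}),
        "two_levels_ok_if_supported": verify_chain(deep_cert, deep_cas, {"root"}, max_sub_ca_levels=2),
        "key_added": add_peer_key(chain, "peer", peer_pub, fingerprint(peer_pub)),
        "swapped_key_rejected": not add_peer_key(chain, "peer", mitm_pub, fingerprint(peer_pub)),
        "peer_auth_ok": authenticate_peer(chain, "peer", transcript, sign(peer_priv, transcript)),
        "mitm_auth_rejected": not authenticate_peer(chain, "peer", transcript, sign(mitm_priv, transcript)),
    }
```

Every entry `demo()` returns is True: the peer certificate chains through the sub-CA to the root, a certificate whose claimed issuer did not actually sign it is rejected, a chain with two sub-CA levels is rejected at the router's supported depth and accepted only when that limit is raised, a key string whose fingerprint does not match what the peer's administrator reported is never stored, and a signature from any key other than the stored one fails authentication even when the identity matches.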
