Table of Contents
Advertisement
Table 15 on page 219 presents how the CRL setting affects the outcome of IKE phase
1 negotiations. It lists common problem conditions such as ERX Cert revoked.
Table 15: Outcome of IKE Phase 1 Negotiations
File Extensions
Table 16 on page 219 describes the file extensions that the ERX routers use for digital
certificates that are created by the offline process.
During the online digital certificate process, the certificate files are kept in NVS in
hidden areas and are not visible to users (the files do not appear when you enter a
dir shell command). Use the show commands to display information for the online
certificate files. The router's private keys are similarly hidden from users.
Table 16: File Extensions (Offline Configuration)
Certificate Chains
In a basic CA model, there is a single CA from which the ERX router obtains the root
CA certificates and the router's public key certificates. The E Series router also
Condition
Ignored
CRL OK
Succeed
CRL expired
Succeed
Missing CRL
Succeed
Peer Cert revoked
Succeed
ERX Cert revoked
Succeed
File Extension
Description
.crq
Used for certificate request files that are generated on the ERX router and
taken to CAs for obtaining a certificate.
.cer
Used for public certificate files. The public certificates for root CAs and the
router public certificates are copied to the ERX router. They are automatically
recognized as belonging to the ERX router or CA by certificate subject name
and issuer name (in a CA they are the same). The ERX router supports multiple
CAs.
.crl
Used for certificate revocation lists that are obtained offline from CAs and
copied to the ERX router. CRLs indicate which certificates from a particular
CA are revoked.
Chapter 8: Configuring Digital Certificates
CRL Setting
Optional
Required
Succeed
Succeed
Succeed
Fail
Succeed
Fail
Fail
Fail
Fail
Fail
IKE Authentication with Digital Certificates
219
Advertisement
Table of Contents
