Juniper JUNOSE 11.0.X IP SERVICES Configuration Manual page 254

For e series broadband services routers - ip services configuration
JUNOSe 11.0.x IP Services Configuration Guide
Configuring Digital Certificates Using the Online Method

host1(config-ca-identity)#crl ignored

7. (Optional) Specify the wait period between certificate request retries.

host1(config-ca-identity)#enrollment retry-period 5

8. (Optional) Specify the absolute time limit on enrollment.

host1(config-ca-identity)#enrollment retry-limit 60

9. (Optional) Specify the URL of your network's HTTP proxy server.

host1(config-ca-identity)#root proxy url http://192.168.5.45
host1(config-ca-identity)#exit

10. Retrieve the CA certificate.

host1(config)#ipsec ca authenticate trustedca1

11. Enroll with the CA and retrieve the router's certificate from the CA.

host1(config)#ipsec ca enroll trustedca1 My498pWd

12. (Optional) To delete RSA key pairs, use the ipsec key zeroize command.

authentication

Use to specify the authentication method that the router uses. For digital certificates, the method is set to RSA signature.

Example

host1(config-ike-policy)#authentication rsa-sig

Use the no version to restore the default, preshared keys.

See authentication.

crl

Use to control how the router handles certificate revocation lists (CRLs) during negotiation of online IKE phase 1 signature authentication. Specify one of the following keywords:

ignored: Allows negotiations to succeed even if a CRL is invalid or the peer's certificate appears in the CRL; this is the most lenient setting

optional: If the router finds a valid CRL, it uses it; this is the default setting

required: Requires a valid CRL; either the certificates that belong to the E Series router or the peer must not appear in the CRL; this is the strictest setting

Example

host1(config-ca-identity)#crl ignored
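
The following Python example is added here and is not part of the Juniper manual. It reads a CLI session in the prompt form shown above, finds the crl keyword in effect, and models, from the keyword descriptions only, whether a peer whose certificate is revoked would still pass IKE phase 1. The function names, the constructed sample session, and the reading that optional lets negotiation proceed when no valid CRL is found are assumptions.

```python
import re

# Prompt form used on this page, e.g. host1(config-ca-identity)#crl ignored
PROMPT = re.compile(r"^\S+\((?P<mode>[\w-]+)\)#\s*(?P<cmd>.+)$")
CRL_KEYWORDS = ("ignored", "optional", "required")

# Constructed sample session, built from the commands shown on this page.
SAMPLE = """\
host1(config-ca-identity)#crl ignored
host1(config-ca-identity)#enrollment retry-period 5
host1(config-ca-identity)#exit
host1(config)#ipsec ca authenticate trustedca1
"""

def crl_mode(session):
    """Return the crl keyword set in CA identity mode ('optional' is the default)."""
    mode = "optional"
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if not m or m["mode"] != "config-ca-identity":
            continue  # only CA identity mode carries the crl command
        words = m["cmd"].split()
        if len(words) == 2 and words[0] == "crl" and words[1] in CRL_KEYWORDS:
            mode = words[1]  # the last setting entered wins
    return mode

def phase1_allowed(mode, crl_valid, peer_listed, local_listed=False):
    """Model of the keyword descriptions (a reading of the text, not router code)."""
    if mode == "ignored":
        return True                # CRL state never blocks negotiation
    if not crl_valid:
        return mode == "optional"  # assumption: optional proceeds, required fails
    return not (peer_listed or local_listed)

def revoked_peer_report(session):
    """Would a peer with a revoked certificate be accepted under this session's setting?"""
    mode = crl_mode(session)
    return {
        "mode": mode,
        "accepted_with_valid_crl": phase1_allowed(mode, True, True),
        "accepted_without_valid_crl": phase1_allowed(mode, False, True),
    }

if __name__ == "__main__":
    print(revoked_peer_report(SAMPLE))
```

Under this model only required rejects a revoked peer in both cases; optional rejects it only while a valid CRL is available, and ignored never does.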
