1. Manuals
  2. Brands
  3. Juniper Manuals
  4. Software
  5. JUNOSE 11.2.X IP SERVICES
  6. Configuration manual

Configuring Digital Certificates; Ike Authentication With Digital Certificates; Signature Authentication - Juniper JUNOSE 11.2.X IP SERVICES Configuration Manual

For e series broadband services routers - ip services configuration
Hide thumbs
Table of Contents

Advertisement

IKE Authentication with Digital Certificates

Signature Authentication

Copyright © 2010, Juniper Networks, Inc.
RFC 2409—The Internet Key Exchange (IKE) (November 1998)
RFC 2459—Internet X.509 Public Key Infrastructure Certificate and CRL Profile (January
1999)
RFC 2986—PKCS #10: Certification Request Syntax Specification Version 1.7 (November
2000)
RFC 3280—Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile (April 2002)
RFC 3447—Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography
Specifications Version 2.1 (February 2003)
For more information about IPSec and IKE, see "Configuring IPSec" on page 119.
As part of the IKE protocol, one security gateway needs to authenticate another security
gateway to make sure that IKE SAs are established with the intended party. The router
supports two authentication methods:
Digital certificates (using RSA algorithms)
For digital certificate authentication, an initiator signs message interchange data using
his private key, and a responder uses the initiator's public key to verify the signature.
Typically, the public key is exchanged via messages containing an X.509v3 certificate.
This certificate provides a level of assurance that a peer's identity—as represented in
the certificate—is associated with a particular public key. E Series Broadband Services
Routers provide both an offline (manual) and an online (automatic) process when
using digital certificates.
Preshared keys
With preshared key authentication, the same secret must be configured on both security
gateways before the gateways can authenticate each other.
The following sections provide information about digital certificates. For information
about using preshared keys, see "IKE Overview" on page 134.
You can also use public keys for RSA authentication without having to obtain a digital
certificate. For details, see "IKE Authentication Using Public Keys Without Digital
Certificates" on page 212 .
The following are key steps for using public key cryptography to authenticate a peer.
These steps are described in more detail in the following sections.
Generating a private/public key pair
1.
Before the router can place a digital signature on messages, it requires a private key
to sign, and requires a public key so that message receivers can verify the signature.
Obtaining a root CA certificate
2.
Chapter 8: Configuring Digital Certificates
207

Advertisement

Table of Contents
loading

Related Manuals for Juniper JUNOSE 11.2.X IP SERVICES

Related Content for Juniper JUNOSE 11.2.X IP SERVICES

This manual is also suitable for:

Junose 11.2.x

Table of Contents