Generating Public/Private Key Pairs; Obtaining A Root Ca Certificate - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01 Configuration Manual
Generating Public/Private Key Pairs

Obtaining a Root CA Certificate

The router requires at least one root CA certificate to send to IKE peers and also to
verify that a peer's certificate is genuine.
3. Obtaining a public key certificate
The router requires at least one public key certificate, which binds the router identity
to its public key. The CA verifies the identity represented on the certificate and then
signs the certificate. The router sends the certificate to IKE peers during negotiations
to advertise the router public key.
4. Authenticating the peer
As part of IKE negotiations, the router receives its peer's digital signature in a message
exchange. The router must verify the digital signature by using the peer's public key.
The public key is contained in the peer's certificate, which often is received during the
IKE negotiation. To ensure that the peer certificate is valid, the router verifies its digital
signature by using the CA public key contained in the root CA certificate. The router
and its IKE peer require at least one common trusted root CA for authentication to
work.
Generally, only Step 4 is required each time a phase 1 negotiation happens. The first three
steps are required only if keys are compromised or router certificates require renewal.
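The four steps above, carried through end to end in Go as an added example; this is not code from the JunosE guide or from the router's own implementation. It uses only the standard library (crypto/x509, crypto/rsa). The CA names, the router names and the IKE payload bytes are constructed for the example, and an RSA/SHA-256 signature over a byte string stands in for the real IKE authentication payload format. Router A trusts a single root CA: it accepts a peer whose certificate was issued under that CA, rejects a peer whose certificate chains to a different CA (no common trusted root, as the text requires), and rejects a signature that does not match the message it is presented with.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demonstration on any setup error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA stands in for a CA: a 2048-bit RSA key pair plus a self-signed root certificate.
func newCA(name string) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// enroll covers steps 1 and 3 for a router: key pair, certificate request, CA-signed certificate.
func enroll(name string, caKey *rsa.PrivateKey, caCert *x509.Certificate) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, key))
	// CA side: parse the request, check its proof-of-possession signature, then issue.
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey))
	return key, must(x509.ParseCertificate(der))
}

// sign places the router's digital signature on an IKE authentication message.
func sign(priv *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	return must(rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:]))
}

// authenticate is step 4: the peer certificate must chain to a trusted root CA, and the
// signature must verify under the public key carried in that certificate.
func authenticate(roots *x509.CertPool, peerCert *x509.Certificate, msg, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peerCert.Verify(opts); err != nil {
		return fmt.Errorf("peer certificate not issued by a trusted root CA: %w", err)
	}
	pub, ok := peerCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("peer certificate does not carry an RSA public key")
	}
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return fmt.Errorf("IKE signature does not verify: %w", err)
	}
	return nil
}

// runScenario: router A trusts only CA 1; router B is enrolled under CA 1, router C under CA 2.
// Reports whether A accepts B, whether A accepts C, and whether A accepts B's signature over an altered message.
func runScenario() (commonRoot, noCommonRoot, tampered bool) {
	ca1Key, ca1Cert := newCA("Constructed Root CA 1")
	ca2Key, ca2Cert := newCA("Constructed Root CA 2")
	bKey, bCert := enroll("router-b.example", ca1Key, ca1Cert)
	cKey, cCert := enroll("router-c.example", ca2Key, ca2Cert)
	roots := x509.NewCertPool() // router A's store of root CA certificates
	roots.AddCert(ca1Cert)
	msg := []byte("constructed IKE phase 1 authentication payload")
	sigB, sigC := sign(bKey, msg), sign(cKey, msg)
	commonRoot = authenticate(roots, bCert, msg, sigB) == nil
	noCommonRoot = authenticate(roots, cCert, msg, sigC) == nil
	tampered = authenticate(roots, bCert, append([]byte("X"), msg...), sigB) == nil
	return
}

func main() {
	fmt.Println(runScenario())
}
```

Only the last step runs on each phase 1 negotiation; the two CAs, both enrolments and the root store are set up once here to mirror the first three steps, which the text says recur only on key compromise or certificate renewal.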
The ERX router needs at least one valid pair of public/private keys whenever it uses any
of the public key methods for authenticating an IKE peer. The ERX router can generate
its own public/private key pairs. The public/private key pair supports the RSA standard
(1024 or 2048 bits).
The private key is used only by the ERX router. It is never exchanged with any other nodes.
It is used to place a digital signature on IKE authentication messages. When generated,
it is securely stored internally to the ERX router in nonvolatile storage (NVS). Access to
the private key is never allowed, not even to a system administrator or a network
management system. Private key storage includes protection mechanisms to prevent
improper private key usage, including encryption with 3DES using a unique internally
generated key. The key is also tied to SRP-specific data to prevent swapping flash disks
between routers.
The public key is used in the generation of the router certificate request, which is sent to
a CA. Based on the certificate request, the CA generates a public key certificate for the
E Series router.
The router public/private key pair is a global system attribute. It does not matter how
many IPSec Service modules (ISMs) exist in the router; only one set of keys is available
at any given moment. The private/public key pair applies across all virtual routers and is
persistent across reloads and booting to factory defaults.
The ERX router enables the use of either a manual or automatic method to download
the root CA's self-signed certificate. The standards supported for obtaining root CAs are
X.509v3, base64, and basic-encoding-rules (BER)-encoded certificates.
Copyright © 2010, Juniper Networks, Inc.