Obtaining a Public Key Certificate
Copyright © 2010, Juniper Networks, Inc.
In the manual method, an operator obtains the root CA certificate, typically through a
Web browser, and copies the certificate file to the E Series router so that the router can
use it as part of IKE negotiations.
In the automatic method, the router uses SCEP and HTTP to authenticate with the CA
and retrieve the certificate. The requested root CA certificate is automatically downloaded
to the router.
NOTE: You cannot view certificate files by their filenames if the files were
created by online enrollment. However, the certificate information will appear
in the output for show commands.
After the public key is generated, the router must obtain a public key certificate from a
CA, a process called certificate enrollment. The procedure to obtain public keys depends
on whether the offline or online digital certificate process is being used.
The standards supported for certificate enrollment are PKCS #10 certificate requests,
PKCS #7 responses, and X.509v3 certificates. For manual enrollment, certificates are
encoded in base64 (MIME) so that the files are easily transferred through cut-and-paste
operations and e-mail.
Offline Certificate Enrollment
Offline certificate enrollment works as follows:
1. An operator generates a certificate request by supplying identity information.
2. The ERX router creates a certificate request file and makes it available to the operator.
3. The operator supplies the certificate request file to a CA for approval, typically by copying and pasting the file to a Web page.
4. The CA approves the request and generates a certificate.
5. The operator copies the certificate file onto the ERX router so that it can be used for IKE negotiations.
Online Certificate Enrollment
Online certificate enrollment works as follows:
NOTE: The ERX router must have a root CA certificate for the specified CA
before online certificate enrollment.
Chapter 8: Configuring Digital Certificates