Ike Authentication Using Public Keys Without Digital Certificates; Configuration Tasks; Public Key Format - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01 Configuration Manual

JunosE 11.3.x IP Services Configuration Guide

IKE Authentication Using Public Keys Without Digital Certificates

Configuration Tasks

Public Key Format

212
This process creates a certificate chain of trust in which the E Series router must verify all certificates in the chain until the router reaches a trusted CA, such as the root CA. For example, if the router receives traffic from a peer with a certificate signed by a sub-CA, the router first verifies the sub-CA's signature on the peer's certificate, then verifies the sub-CA's certificate, which is signed by the trusted root CA.

The ERX router supports CA hierarchies consisting of the root CA and one level of sub-CAs. When using a CA hierarchy, the router authenticates and enrolls for its public certificate with the sub-CA. When you use the show ipsec ike-certificates command, the root CA and sub-CA certificates are listed as CA certificates, and the router's public certificates are signed by the sub-CA.
During IKE negotiations, peers exchange public keys to authenticate each other's identity and to ensure that IKE SAs are established with the intended party. Typically, public keys are exchanged in messages containing an X.509v3 digital certificate.

As an alternative to setting up digital certificates, you can configure and exchange public keys for IKE peers and use these keys for RSA signature authentication without having to obtain a digital certificate. This method offers the simplicity and convenience of using preshared key authentication without its inherent security risks.
With this method, you no longer need a digital certificate to do the following:

• Associate the router with its own public key
• Enable a remote peer to display the router's public key
• Learn the remote peer's public key
To set up public keys and peer public keys without obtaining a digital certificate, you use router commands to perform the following tasks:

• Display the router's public key by using the show ipsec key mypubkey rsa command. You can use the output from this command to provide information to the remote peer about the public key configured on the router. The remote peer can then enter the router's public key on its own system.
• Manually enter the public key for the remote peer with which you want to establish IKE SAs by using the ipsec key pubkey-chain rsa and key-string commands.
• Display the remote peer's public key by using the show ipsec key pubkey-chain rsa command.

For instructions on setting up peer public keys without a digital certificate, see "Configuring Peer Public Keys Without Digital Certificates" on page 224.
RSA encryption and authentication require the use of a public key on both the ERX router and on the remote peer with which the router seeks to establish IKE SAs.
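The manual key exchange the tasks above describe, modelled as an added Go example that is not Juniper's code: KeyString stands in for the output of show ipsec key mypubkey rsa, AddPeer for entering a peer key with ipsec key pubkey-chain rsa and key-string, and Authenticate for the router checking a peer's RSA signature against the key configured for that identity. The hex-of-DER key encoding, the peer identity strings and the transcript bytes are constructed assumptions, not JunosE's actual formats.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
)

// PubkeyChain: the router's manually entered peer keys (identity -> RSA key), no certificates.
type PubkeyChain map[string]*rsa.PublicKey

// NewPeerKey generates the key pair a peer (or the router itself) holds.
func NewPeerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// KeyString is the hex string an operator copies from the local router's display
// into the remote peer (constructed encoding; the page does not show JunosE's format).
func KeyString(pub *rsa.PublicKey) string {
	return hex.EncodeToString(x509.MarshalPKCS1PublicKey(pub))
}

// AddPeer mirrors entering a peer key with ipsec key pubkey-chain rsa and
// key-string: the typed string itself becomes the trust anchor for peerID.
func (c PubkeyChain) AddPeer(peerID, keyString string) error {
	der, err := hex.DecodeString(keyString)
	if err != nil {
		return err
	}
	pub, err := x509.ParsePKCS1PublicKey(der)
	if err == nil {
		c[peerID] = pub
	}
	return err
}

// SignAuth is the peer's half of RSA signature authentication: sign a SHA-256 hash of the transcript.
func SignAuth(priv *rsa.PrivateKey, transcript []byte) ([]byte, error) {
	h := sha256.Sum256(transcript)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// Authenticate accepts the peer only if a key is configured for its identity and the signature verifies under it.
func (c PubkeyChain) Authenticate(peerID string, transcript, sig []byte) bool {
	h := sha256.Sum256(transcript)
	pub, ok := c[peerID] // unknown identity: no configured key, no trust
	return ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
```

Because no CA vouches for a typed key string, it is only as trustworthy as the channel it arrived over; confirm it with the remote operator before entering it, and treat a mismatch between the configured key and what show ipsec key pubkey-chain rsa displays as a reason to stop.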
Copyright © 2010, Juniper Networks, Inc.
