Configuring Digital Certificates Using The Online Method - Juniper JUNOSE SOFTWARE FOR E SERIES 11.3.X - IP SERVICES CONFIGURATION GUIDE 2010-10-01 Configuration Manual

Configuring Digital Certificates Using the Online Method

Copyright © 2010, Juniper Networks, Inc.
To use the online configuration method to set up digital certificates on the router:
1. Generate the RSA key pair.
host1(config)#ipsec key generate rsa 2048
Please wait.................................................
..........................
IPsec Generate Keys complete
2. In your IKE policy, set the authentication method to RSA signatures.
host1(config)#ipsec ike-policy-rule 1
host1(config-ike-policy)#authentication rsa-sig
host1(config-ike-policy)#exit
NOTE: For more information about setting up IKE policies, see "Defining
an IKE Policy" on page 148 in "Configuring IPSec" on page 119.
3. Enter IPSec CA Identity Configuration mode, and specify the name of the certificate authority.
host1(config)#ipsec ca identity trustedca1
host1(config-ca-identity)#
4. Specify the name of the CA issuer.
host1(config-ca-identity)#issuer-identifier BetaSecurityCorp
5. Specify the URL of the SCEP server from which the CA certificates and the router's public certificates are retrieved.
host1(config-ca-identity)#enrollment url http://192.168.99.105/scepurl
6. (Optional) Set the sensitivity of how the router handles CRLs.
host1(config-ca-identity)#crl ignored
7. (Optional) Specify the wait period between certificate request retries.
host1(config-ca-identity)#enrollment retry-period 5
8. (Optional) Specify the absolute time limit on enrollment.
host1(config-ca-identity)#enrollment retry-limit 60
9. (Optional) Specify the URL of your network's HTTP proxy server.
host1(config-ca-identity)#root proxy url http://192.168.5.45
host1(config-ca-identity)#exit
10. Retrieve the CA certificate.
host1(config)#ipsec ca authenticate trustedca1
11. Enroll with the CA and retrieve the router's certificate from the CA.
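A way to review a captured session of this procedure before relying on the resulting certificates, as an added example that is not part of the Juniper manual: the script reads the CLI transcript, records the settings entered in each mode, and reports gaps. The function name, finding labels and the 2048-bit floor are assumptions of this example, as is treating `crl ignored` as a finding on the reading that revocation status then does not gate IKE negotiation.

```python
import re

# Constructed sample: commands from the procedure above, as one session.
TRANSCRIPT = """\
host1(config)#ipsec key generate rsa 2048
IPsec Generate Keys complete
host1(config)#ipsec ike-policy-rule 1
host1(config-ike-policy)#authentication rsa-sig
host1(config)#ipsec ca identity trustedca1
host1(config-ca-identity)#issuer-identifier BetaSecurityCorp
host1(config-ca-identity)#enrollment url http://192.168.99.105/scepurl
host1(config-ca-identity)#crl ignored
host1(config)#ipsec ca authenticate trustedca1
"""
PROMPT = re.compile(r"^\S+?\((?P<mode>[\w-]+)\)#\s*(?P<cmd>\S.*)$")

def audit(transcript, min_rsa_bits=2048):
    """Return (settings, findings) for an online-enrollment CLI transcript."""
    s, findings = {}, []
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # progress output such as "Please wait..."
        mode, w = m["mode"], m["cmd"].split()
        if w[:4] == ["ipsec", "key", "generate", "rsa"] and len(w) == 5:
            s["rsa_bits"] = int(w[4])
        elif mode == "config-ike-policy" and w[0] == "authentication" and len(w) == 2:
            s["ike_auth"] = w[1]
        elif w[:3] == ["ipsec", "ca", "identity"] and len(w) == 4:
            s["ca_identity"] = w[3]
        elif mode == "config-ca-identity" and len(w) >= 2 and w[0] in ("crl", "issuer-identifier"):
            s[w[0]] = w[1]
        elif mode == "config-ca-identity" and w[:2] == ["enrollment", "url"] and len(w) == 3:
            s["enrollment-url"] = w[2]
        elif w[:3] == ["ipsec", "ca", "authenticate"] and len(w) == 4:
            s["ca_authenticate"] = w[3]
    if s.get("rsa_bits", 0) < min_rsa_bits:
        findings.append("rsa-key-too-short")
    if s.get("ike_auth") != "rsa-sig":
        findings.append("ike-auth-not-rsa-sig")
    if s.get("crl") == "ignored":
        findings.append("crl-ignored")  # assumption: CRL status will not block a peer
    for key in ("issuer-identifier", "enrollment-url"):
        if key not in s:
            findings.append("missing-" + key)
    if s.get("ca_authenticate") != s.get("ca_identity"):
        findings.append("ca-name-mismatch")  # authenticated CA is not the one configured
    return s, findings
```

Calling `audit(TRANSCRIPT)` on the session as written in the manual returns a single finding, `crl-ignored`.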
Chapter 8: Configuring Digital Certificates
219
