Using Certificate Authorities; Configuring Certificate Authorities - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual

Using Certificate Authorities

Configuring Certificate Authorities

Copyright © 2010, Juniper Networks, Inc.
Alternatively, you can use SCEP to configure the device to automatically obtain a CA
certificate at the same time it receives the local certificate. For details, see the NSM
Online Help description of "Configuring Firewall/VPN Devices."
You must obtain and install a CA certificate on each VPN member to authenticate
the local device certificates on your managed devices.
After you have obtained a CA Certificate file (.cer) from your CA, use this file to create a
Certificate Authority object. In Object Manager, select Certificate Authorities, then click
the Add icon to display the New CA Certificate dialog box. Enter a name for the CA
Certificate, then click Load CA certificate and load the appropriate .cer file. NSM uses
the information in the .cer file to automatically complete the Subject Name, Issued By,
and Expired On fields.
Complete the remaining settings:
X.509 Certificate Path Validation Level—X.509 specifies a certificate format that
binds an entity's distinguished name to its public key through the use of a digital
signature.
Full. Use full validation to validate the certificate path back to the root.
Partial. Use partial validation to validate the certificate path only part of the way to
the root.
Revocation Check
Check for revocation. Select this option to enable revocation checking.
Do not check for revocation. Select this option to disable revocation checking.
Revocation Checking Method—If you enabled revocation checking, you can select the
checking method to use. If you did not enable revocation checking, these fields are
unavailable.
CRL. Use a Certificate Revocation List when you want to keep a local copy of the
revoked certificates on the managed device. This method enables the device to
check for revoked certificates quickly; to accept the certificate if no revocation
information is found, also enable Best Effort.
OCSP. Use the Online Certificate Status Protocol when you want the managed
device to access a remote OCSP server to check for revoked certificates. Because
the OCSP server dynamically updates its list of revoked certificates, this method
provides the most up-to-date information; to accept the certificate if no revocation
information is found, also enable Best Effort.
Best Effort. Enable this option to check for revocation but still accept the certificate
if no revocation information is found.
CRL Settings—Configure the default setting for the Certificate Revocation List.
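As an added example that is not part of the Juniper guide, the following POSIX shell script shows the checks an administrator can run on a .cer file before loading it with Load CA certificate: it prints the Subject Name, Issued By and Expired On values NSM will fill in, confirms the file really is a CA certificate, and flags one that is close to expiry. It assumes the openssl command-line tool is installed and uses a constructed self-signed certificate as the sample input.

```shell
# Pre-flight check of a CA certificate (.cer) before it is loaded into an NSM
# Certificate Authority object: prints the values NSM fills in automatically
# (Subject Name, Issued By, Expired On) and confirms the file really is a CA
# certificate that is not about to expire. Assumes the openssl CLI is present.
set -e

WORK=$(mktemp -d)

# Constructed sample: a throwaway self-signed CA standing in for the .cer file
# obtained from a real CA. Not a real Juniper or customer certificate.
make_sample_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example VPN Root CA/O=Example" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.cer" >/dev/null 2>&1
  echo "$WORK/ca.cer"
}

# CAs hand out .cer files as PEM or DER; normalise to PEM for the checks below.
to_pem() {
  if grep -q "BEGIN CERTIFICATE" "$1"; then
    cat "$1"
  else
    openssl x509 -inform DER -in "$1"
  fi
}

# The three fields NSM derives from the file: subject, issuer, notAfter.
ca_fields() {
  to_pem "$1" | openssl x509 -noout -subject -issuer -enddate
}

# Succeeds only when the certificate carries the CA basic constraint, i.e. it
# is able to sign the local device certificates it is meant to authenticate.
is_ca_cert() {
  to_pem "$1" | openssl x509 -noout -text \
    | grep -A1 "Basic Constraints" | grep -q "CA:TRUE"
}

# Succeeds when the certificate is still valid $2 seconds from now, so a CA
# certificate about to expire is caught before it is pushed to VPN members.
not_expiring_within() {
  to_pem "$1" | openssl x509 -noout -checkend "$2" >/dev/null
}

# Example run against the constructed sample.
CER=$(make_sample_ca)
ca_fields "$CER"
is_ca_cert "$CER" && echo "basicConstraints: CA certificate"
not_expiring_within "$CER" 2592000 && echo "valid for at least 30 days"
```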
Chapter 8: Configuring Objects
417