Creating Certificate Objects - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual

Configuring Optional VPN Components
Copyright © 2010, Juniper Networks, Inc.
details on creating routes, see the Network and Security Manager Configuring ScreenOS
and IDP Devices Guide.
In any type of VPN, you can also use three optional components:
Authentication Server
Certificate and Certificate Revocation List objects
PKI Defaults
The following sections explain how to configure each optional component; after you
have created the component, you can use it to create your VPN.
Creating Authentication Servers
To externally authenticate VPN traffic for XAuth and L2TP, you must create an
authentication server object to use in your VPN.

Creating Certificate Objects

To authenticate external devices, to use a Group IKE ID to authenticate multiple RAS users,
or to provide additional authentication for the security devices in your VPN, you must obtain
and install a digital certificate on each VPN member. A digital certificate is an electronic
means of verifying identity on the word of a trusted third party, known as a Certificate
Authority (CA). Both the VPN member presenting the digital certificate and the member
receiving it must trust the CA.
The CA issues each certificate with a validity period. If you do not renew the certificate
before that period ends, the certificate expires. A VPN member that is presented with an
expired certificate detects this while validating the certificate and rejects it; the check
is made by the peer, not by the CA.
To use certificates in your VPN, you must configure:
Local Certificate—Use a local certificate for each security device that is a VPN member.
Certificate Authority (CA) Object—Use a CA object to obtain a local certificate and the CA certificate.
Certificate Revocation List (CRL) Object—Use a CRL object to ensure that certificates the CA
has revoked before their expiry date are not accepted; without a CRL, a revoked certificate
still validates until it expires. A CRL is optional.
Configuring Local Certificates
A local certificate proves the identity of the security device in a VPN tunnel connection.
To get a local certificate for a device, use the Generate Certificate Request directive to
make the device generate a public/private key pair and a certificate request. The private
key never leaves the device; the certificate request contains the device's public key and
subject name, signed with the private key. Submit this request to an independent CA (or
to your own internal CA, if available) to obtain the local device certificate file (a
.cer file).
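The life cycle this section describes (a request generated on the device, a certificate issued by a CA, expiry, and a CRL for revoked certificates), as an added example that is not part of the NSM guide: a POSIX shell script that stands up a small internal CA with OpenSSL, issues certificates for two hypothetical devices, revokes one, publishes a CRL, and then plays the validating peer. The device names (vpn-gw1.example.net, vpn-gw2.example.net), file names, lifetimes and the minimal CA configuration are assumptions made for this example. It also shows the caveat from the CRL note above: a revoked certificate still validates when the peer does not check a CRL.

```shell
#!/bin/sh
# Added example, not from the NSM guide: the certificate life cycle of the
# section, run against a small internal CA with OpenSSL.
#   1. device side - key pair + certificate request (PKCS#10)
#   2. CA side     - sign the request into the device's local certificate
#   3. CA side     - revoke one certificate and publish a CRL
#   4. peer side   - validate: OK, expired (rejected), revoked (rejected only
#                    when the CRL is checked)
# Hostnames, file names and lifetimes are illustrative assumptions.
set -eu

PKI="${PKI:-$(mktemp -d)}"   # working directory for keys, certs, CA database

write_ca_config() {          # minimal config for `openssl req` and `openssl ca`
  cat > "$PKI/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
[ ca ]
default_ca = internal_ca
[ internal_ca ]
database         = index.txt
serial           = serial
crlnumber        = crlnumber
new_certs_dir    = .
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
x509_extensions  = v3_leaf
policy           = policy_any
unique_subject   = no
[ policy_any ]
commonName = supplied
EOF
}

# Device side: the private key stays on the device; only the request (public
# key plus subject name, signed with the private key) goes to the CA.
make_request() {   # $1 = device name, used as the certificate subject
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -config ca.cnf -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
}

# CA side: issue the local certificate (PEM; this is the .cer the device imports).
issue_cert() {     # $1 = device name
  openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.cer" 2>/dev/null
}

pki_setup() {      # build the CA, issue two device certs, revoke one, publish a CRL
  write_ca_config
  ( cd "$PKI" \
    && touch index.txt && echo 01 > serial && echo 01 > crlnumber \
    && openssl genrsa -out ca.key 2048 2>/dev/null \
    && openssl req -x509 -new -config ca.cnf -key ca.key -days 3650 \
         -subj "/CN=Example Internal CA" -out ca.crt 2>/dev/null \
    && make_request vpn-gw1.example.net && issue_cert vpn-gw1.example.net \
    && make_request vpn-gw2.example.net && issue_cert vpn-gw2.example.net \
    && openssl ca -config ca.cnf -revoke vpn-gw2.example.net.cer \
         -crl_reason keyCompromise 2>/dev/null \
    && openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null )
}

# Peer side: what a VPN member does with the certificate it is presented.
verify_cert() {    # $1 = cert file, $2 = optional epoch time at which to check
  if [ $# -gt 1 ]; then
    openssl verify -CAfile "$PKI/ca.crt" -attime "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$PKI/ca.crt" "$1" >/dev/null 2>&1
  fi
}
verify_cert_with_crl() {   # $1 = cert file; also consults the published CRL
  openssl verify -CAfile "$PKI/ca.crt" -crl_check -CRLfile "$PKI/ca.crl" "$1" \
    >/dev/null 2>&1
}

# Runs the whole flow; returns 0 only if every expectation holds.
pki_demo() {
  pki_setup
  gw1="$PKI/vpn-gw1.example.net.cer"; gw2="$PKI/vpn-gw2.example.net.cer"
  future=$(( $(date +%s) + 400 * 86400 ))   # past the 365-day lifetime
  verify_cert "$gw1"                || { echo "gw1 should verify"; return 1; }
  if verify_cert "$gw1" "$future"; then echo "gw1 should be expired"; return 1; fi
  verify_cert "$gw2"                || { echo "gw2 verifies without a CRL"; return 1; }
  if verify_cert_with_crl "$gw2"; then echo "gw2 should be revoked"; return 1; fi
  echo "gw1 OK; gw1 expired at +400d; gw2 revoked (visible only with CRL check)"
}

pki_demo
```

Run it as-is; it creates its working files under a temporary directory and prints one summary line. The division of labour mirrors the NSM procedure: only the .csr leaves the device, and only the issued .cer, the CA certificate and (optionally) the CRL come back to be loaded into the local certificate, CA and CRL objects.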
Chapter 12: Configuring VPNs
559