Configuring CA Objects; Configuring CRL Objects - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual


Configuring ScreenOS Devices Guide

CA (or use your own internal CA, if available) to obtain a local device certificate file (a .cer file).

You must install this local certificate file on the managed device using NSM before you can use certificates to validate that device in your VPN. Because the local certificate is device specific, you must use a unique local certificate for each device.

You can also use SCEP to configure the device to automatically obtain a local certificate (and a CA certificate) directly from the CA. For details on local certificates, see "Local Certificate Validation of ScreenOS Devices Overview" on page 268.

Configuring CA Objects

A CA certificate validates the identity of the CA that issued the local device certificate. You can obtain a CA certificate file (.cer) from the CA that issued the local certificate, and then use this file to create a CA object.

You must install this CA certificate on the managed device using NSM before you can use the certificate to validate that device in your VPN. Because the CA certificate is an object, however, you can use the same CA for multiple devices, as long as those devices use local certificates that were issued by that CA.

You can also use SCEP to configure the device to automatically obtain a CA certificate at the same time it receives the local certificate. For details on configuring a certificate authority object, see the Network and Security Manager Administration Guide.

Configuring CRL Objects

A certificate revocation list (CRL) identifies invalid certificates. You can obtain a CRL file (.crl) from the CA that issued the local certificate and CA certificate for the device, and then use this file to create a CRL object.

You must install the CRL on the managed device using NSM before you can use a CRL to check for revoked certificates in your VPN. Because the CRL is an object, however, you can use the same CRL for multiple devices, as long as those devices use local and CA certificates that were issued by that CA.

After you have received a CRL, you can use the CRL object in your VPN. For details on configuring a certificate revocation list object, see the Network and Security Manager Administration Guide.

Related Documentation

Optional VPN Support Using Authentication Servers Overview on page 217
Preparing Optional VPN Components Overview on page 216
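
The rule stated under Configuring CA Objects and Configuring CRL Objects, that a CA or CRL object applies only to devices whose local certificates were issued by that CA, can be checked before the files are loaded into NSM. The Python code below is an added example, not part of the Juniper guide: it confirms that the local certificate and the CRL were both signed by the CA certificate, and only then looks up the local certificate's serial number in the CRL. It assumes the third-party `cryptography` package; `check_bundle`, `signed_by`, `issue` and `make_crl` are hypothetical helper names, and the sample PKI is constructed with throwaway keys.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

NOW, HOUR = dt.datetime.now(dt.timezone.utc), dt.timedelta(hours=1)

def signed_by(ca_cert, signature, tbs_bytes, alg):
    """True if ca_cert's key produced the signature (RSA PKCS#1 v1.5 or ECDSA)."""
    pub = ca_cert.public_key()
    args = (padding.PKCS1v15(), alg) if isinstance(pub, rsa.RSAPublicKey) else (ec.ECDSA(alg),)
    try:
        pub.verify(signature, tbs_bytes, *args)
        return True
    except Exception:  # InvalidSignature, or a key type not handled here
        return False

def check_bundle(local, ca, crl):
    """Return the reasons a local cert, CA cert and CRL do not belong together."""
    problems = []
    if local.issuer != ca.subject or not signed_by(
            ca, local.signature, local.tbs_certificate_bytes, local.signature_hash_algorithm):
        problems.append("local certificate was not issued by this CA")
    if crl.issuer != ca.subject or not crl.is_signature_valid(ca.public_key()):
        problems.append("CRL was not issued by this CA")
    # Serial numbers are unique only per issuer, so consult the CRL only if both checks passed.
    if not problems and crl.get_revoked_certificate_by_serial_number(local.serial_number) is not None:
        problems.append("local certificate is listed in the CRL")
    return problems

# Constructed sample PKI below (throwaway keys, hypothetical names); ca/issuer are (cert, key) pairs.
def issue(common_name, serial, issuer=None):
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer_name, issuer_key = (issuer[0].subject, issuer[1]) if issuer else (name, key)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - HOUR).not_valid_after(NOW + 24 * HOUR)
            .sign(issuer_key, hashes.SHA256()))
    return cert, key

def make_crl(ca, revoked_serials):
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca[0].subject)
               .last_update(NOW - HOUR).next_update(NOW + 24 * HOUR))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW - HOUR)
        builder = builder.add_revoked_certificate(entry.build())
    return builder.sign(ca[1], hashes.SHA256())
```

For real .cer and .crl files, load them with `x509.load_pem_x509_certificate` or `x509.load_der_x509_certificate` and `x509.load_pem_x509_crl` or `x509.load_der_x509_crl`, depending on the encoding, and pass the resulting objects to `check_bundle`.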
Copyright © 2010, Juniper Networks, Inc.
