Certificate Authentication Support In Nsm Overview; Self-Signed Certificates In Nsm Overview - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Certificate Authentication Support in NSM Overview

Copyright © 2010, Juniper Networks, Inc.
Every security device supports the use of certificates to authenticate itself to outside
parties. A digital certificate is an electronic means for verifying identity through a trusted
third party, known as a certificate authority (CA). The CA is a trusted partner of the identity
sending the digital certificate as well as the identity receiving it. To authenticate identity,
the CA issues certificates, often with a set time limit. If you do not renew the certificate
before the time limit is reached, the CA considers the certificate inactive. For example, a
VPN member attempting to use an expired certificate is immediately detected (and
rejected) by the CA.
You can use certificates to authenticate a VPN member (external device or security
device), RAS users for a group IKE ID, or SSL management of a security device. You must
obtain and install the following certificates on the managed device before you can use
certificates to authenticate the device:
"Local Certificate Validation of ScreenOS Devices Overview" on page 268—A local
certificate authenticates the identity of the device on which it is installed.
"Certificate Authority Configuration in NSM Overview" on page 272—A CA certificate
authenticates a third party.
"Configuring Certificate Revocation Lists (NSM Procedure)" on page 274 (Optional)—A
certificate revocation list (CRL) ensures that expired certificates are not accepted.
NOTE: A CRL is optional; you do not need to obtain and install a CRL on
the security device to use certificates.
When you import a security device that already has a local certificate, CA, and CRL
installed, these certificates and lists are automatically imported as part of the device
configuration when you add that device to the NSM system. However, to reuse the CA
and CRL in other security devices, you must load the CA and CRL file directly into the
management system (you cannot reuse a local certificate on another device). For
information, see "Imported Certificates in NSM Overview" on page 275.
Related Documentation
Self-Signed Certificates in NSM Overview on page 267
Local Certificate Validation of ScreenOS Devices Overview on page 268
Configuring Crypto-Policy Overview on page 266

Self-Signed Certificates in NSM Overview
For devices running ScreenOS 5.1 and later, a self-signed certificate is automatically
created each time the device powers on; you can use this self-signed certificate to
authenticate the device for SSL management. Because this self-signed certificate is not
authenticated by an external, third-party certificate authority, you cannot use it to
authenticate a VPN member in an IKE VPN. A device running ScreenOS 5.1 and later
automatically creates the self-signed certificate upon reboot, so you do not need to
Chapter 8: Configuring VPNs
267
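The three checks the two overviews above describe (chain to a CA certificate, validity period, and an optional CRL) and the reason a self-signed certificate cannot stand in for a CA-issued one can be seen concretely in code. The following Go program is an added example written for this page; it is not Juniper or NSM code and does not talk to a ScreenOS device. It builds a throwaway CA, issues certificates to hypothetical devices (the names, serial numbers and validity windows are invented), signs a CRL, and runs each certificate through the same validation a relying VPN peer would perform.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ValidationResult records the outcome of the checks described in the guide.
type ValidationResult struct {
	Accepted   bool
	SelfSigned bool   // issuer equals subject and the signature verifies under its own key
	Expired    bool   // rejected because the validity window has passed
	Revoked    bool   // rejected because the serial number appears on the CA's CRL
	Reason     string // human-readable explanation
}

// ValidateDeviceCert checks a device's local certificate the way a relying peer would:
// it must chain to a trusted CA certificate, be inside its validity period, and (when a
// CRL is supplied) not be listed on a current CRL signed by its issuer. A self-signed
// certificate fails the chain step because no third-party CA vouches for it.
func ValidateDeviceCert(cert *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList, now time.Time) ValidationResult {
	var res ValidationResult
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		res.SelfSigned = true
	}
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		var invalid x509.CertificateInvalidError
		var unknown x509.UnknownAuthorityError
		switch {
		case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
			res.Expired, res.Reason = true, "outside its validity period"
		case errors.As(err, &unknown):
			res.Reason = "not issued by a trusted CA (self-signed or unknown issuer)"
		default:
			res.Reason = err.Error()
		}
		return res
	}
	if crl != nil {
		// Only trust a CRL that the leaf's own issuer signed and that is still current.
		if err := crl.CheckSignatureFrom(chains[0][1]); err != nil {
			res.Reason = "CRL not signed by the certificate's issuer"
			return res
		}
		if now.After(crl.NextUpdate) {
			res.Reason = "CRL is stale"
			return res
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				res.Revoked, res.Reason = true, "serial number listed on the CA's CRL"
				return res
			}
		}
	}
	res.Accepted, res.Reason = true, "chain verified, in validity period, not revoked"
	return res
}

// newCert signs tmpl with signer (self-signed when parent == tmpl) and parses the DER.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// deviceTemplate builds a leaf template for a hypothetical security device.
func deviceTemplate(serial int64, cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
}

// RunScenarios builds a constructed CA, four device certificates and a CRL, then
// validates each certificate: valid, expired, revoked, and self-signed.
func RunScenarios() (map[string]ValidationResult, error) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caCert, err := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	// CRL issued by the CA listing serial 1003 as revoked (constructed sample data).
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1003), RevocationTime: now}}}, caCert, caKey)
	if err != nil {
		return nil, err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	selfTmpl := deviceTemplate(1, "fw-branch-02", now.Add(-time.Hour), now.Add(24*time.Hour))
	templates := map[string]struct {
		tmpl   *x509.Certificate
		parent *x509.Certificate
		signer *ecdsa.PrivateKey
	}{
		"valid":       {deviceTemplate(1001, "fw-branch-01", now.Add(-time.Hour), now.Add(24*time.Hour)), caCert, caKey},
		"expired":     {deviceTemplate(1002, "fw-branch-01", now.Add(-48*time.Hour), now.Add(-time.Hour)), caCert, caKey},
		"revoked":     {deviceTemplate(1003, "fw-branch-03", now.Add(-time.Hour), now.Add(24*time.Hour)), caCert, caKey},
		"self-signed": {selfTmpl, selfTmpl, devKey}, // what a device generates for itself on boot
	}
	results := map[string]ValidationResult{}
	for name, s := range templates {
		cert, err := newCert(s.tmpl, s.parent, &devKey.PublicKey, s.signer)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		results[name] = ValidateDeviceCert(cert, roots, crl, now)
	}
	return results, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, r := range results {
		fmt.Printf("%-12s accepted=%-5v self-signed=%-5v %s\n", name, r.Accepted, r.SelfSigned, r.Reason)
	}
}
```

The self-signed case is the one that matters for the SSL-management versus IKE-VPN distinction: its signature verifies under its own key (so a management client that has pinned it can trust it), but `Verify` rejects it with an unknown-authority error because nothing in the CA pool issued it, which is exactly why it cannot authenticate a VPN member. The CRL branch also refuses a stale list rather than silently treating it as empty, a failure mode worth handling when CRL distribution is manual.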