Configuring ScreenOS Devices Guide
configure a Generate Certificate Request to obtain it. However, if you delete the self-signed certificate for a device and do not want to reboot the device to obtain a new certificate, you can use the Generate Certificate Request procedure to prompt the device to regenerate the certificate. For steps to obtain a self-signed certificate, see "Generating Certificate Requests to ScreenOS Devices (NSM Procedure)" on page 269.

A self-signed certificate that was automatically generated by the device at startup has a certificate status of system. If you use the Generate Certificate Request to obtain a new self-signed certificate, the self-signed certificate has a certificate status of active.

Related Documentation
Local Certificate Validation of ScreenOS Devices Overview on page 268
Generating Certificate Requests to ScreenOS Devices (NSM Procedure) on page 269
Certificate Authentication Support in NSM Overview on page 267

Local Certificate Validation of ScreenOS Devices Overview

A local certificate validates the identity of the security device. Each security device that performs authentication (in a VPN, for SSL management, for device administrators) must have a local certificate installed on the device. To view the available local certificates on a device, in the device navigation tree, select VPN Settings > Local Certificates.

To get a local certificate for a device, you must prompt the device to generate a certificate request (which includes a request for a public/private key pair) using the Generate Certificate Request directive. Depending on how you want to use the local certificate and the version of ScreenOS the device is running, you can configure a CA-signed local certificate or a self-signed local certificate as described in Table 66 on page 268.

Table 66: Local Certificate Validation

Local Certificate Types / Description

Obtain a local certificate signed by a CA:
Use for devices running ScreenOS 5.0 or later, and for devices running ScreenOS 5.1 and later that need to use a local certificate for authentication in an IKE VPN. When the device receives the prompt for a certificate request, it processes the request and returns the encrypted public key for the device. Using this encrypted public key, you can contact an independent CA (or use your own internal CA, if available) to obtain a local device certificate file (a .cer file). You must install this local certificate file on the managed device using NSM before you can use certificates to validate that device. Because the local certificate is device-specific, you must use a unique local certificate for each device.

Use the self-signed certificate:
Use for devices running ScreenOS 5.1 and later that do not need to use the certificate for authentication in an IKE VPN. When configuring the request, select Create Self-Signed Certificate. When the device receives the certificate request, it processes the request and automatically adds the certificate to the device. Because this certificate is both a local and CA certificate, you do not need to contact a CA.

For CA-signed local certificates, you can also use SCEP to configure the device to automatically obtain a local certificate (and a CA certificate) from the CA directly.

Related Documentation
Generating Certificate Requests to ScreenOS Devices (NSM Procedure) on page 269
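The two outcomes in Table 66 can be reproduced with OpenSSL on a management workstation. The following is an added example, not NSM or ScreenOS tooling: the device key pair, the certificate request, the internal CA and the hostname fw-branch-01.example.net are constructed stand-ins, and the two checks show how an operator can tell a self-signed .cer file from a CA-signed one and confirm that the certificate carries the device's own key before installing it through NSM.

```shell
#!/bin/sh
# Added example (not NSM or ScreenOS tooling): uses OpenSSL on a workstation to
# reproduce the two Table 66 outcomes with a constructed stand-in key pair, and
# to check a .cer file before it is installed on a device through NSM.
set -eu
WORK=$(mktemp -d)

# Stand-in for the device key pair and certificate request. On a real device
# these are created on the device itself by the Generate Certificate Request.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/device.key" \
  -subj "/CN=fw-branch-01.example.net" -out "$WORK/device.csr" 2>/dev/null

# Outcome 1 (CA-signed): a constructed internal CA signs the device request.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -subj "/CN=Example Internal CA" -days 365 -out "$WORK/ca.cer" 2>/dev/null
openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -out "$WORK/device-casigned.cer" 2>/dev/null

# Outcome 2 (self-signed): the device key signs its own request, so the
# result is its own issuer and can serve as both local and CA certificate.
openssl x509 -req -in "$WORK/device.csr" -signkey "$WORK/device.key" \
  -days 365 -out "$WORK/device-selfsigned.cer" 2>/dev/null

# Prints "self-signed" when the certificate names itself as issuer and its
# own key verifies its signature, otherwise "ca-signed".
cert_type() {
  if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
       "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
     openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
    echo self-signed
  else
    echo ca-signed
  fi
}

# Succeeds only if the public key in the .cer file is the one from the
# device's own key pair; a certificate issued for another device fails.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout)" ]
}

for c in device-casigned device-selfsigned; do
  printf '%s: %s, key match: ' "$c" "$(cert_type "$WORK/$c.cer")"
  key_matches "$WORK/$c.cer" "$WORK/device.key" && echo yes || echo no
done
```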
Copyright © 2010, Juniper Networks, Inc.