Manual Installation of CA Certificates in NSM; Configuring Certificate Revocation Lists (NSM Procedure) - Juniper Network and Security Manager 2010.4 - Configuring ScreenOS Devices Guide Rev 01 Manual

Configuring ScreenOS Devices Guide

Manual Installation of CA Certificates in NSM

If you did not use SCEP, you must manually contact your CA, obtain a CA certificate, and
create a certificate authority object. Then, add the CA certificate to the device and install
it on the device:

1. Open the device configuration and select VPN Settings > CA Certificates. Click the
   Add icon and add the certificate authority object. Close the device configuration.
2. Right-click the device and select Certificates > Update CA Certificate. This directive
   uses the information in the management system to update the information on the
   physical system. A Job Manager window appears to display job information and job
   progress.

   NOTE: For devices running ScreenOS 5.x, you must install a TFTP server
   on the NSM device server. The device server automatically uses TFTP to
   load the CA certificate onto your managed devices. For more information
   about creating a TFTP server on the device server, see the Network and
   Security Manager Installation Guide.
3. When the job is complete, close the Job Manager window.

For devices running ScreenOS 5.1 and later, the device server automatically uses Secure
Server Protocol (SSP) (the protocol used for the management connection) to load the
CA certificate.

To view the CA certificate, open the device configuration and select VPN Settings > CA
Certificates.

Related Documentation

Configuring Certificate Revocation Lists (NSM Procedure) on page 274
Imported Certificates in NSM Overview on page 275
Installing CA Certificates Using SCEP in NSM on page 273

Configuring Certificate Revocation Lists (NSM Procedure)

A certificate revocation list (CRL) identifies invalid certificates. To view the available
CRLs on a device, in the device navigation tree, select VPN Settings > CRLs. To obtain
a CRL file (.crl), contact the CA that issued the local certificate and CA certificate for
the device, then use this file to create a Certificate Revocation List object.

You must install the CRL on the managed device using NSM before you can use a CRL
to check for revoked certificates in your VPN. Because the CRL is an object, however, you
can use the same CRL for multiple devices, as long as those devices use local and CA
certificates that were issued by that CA. After you have received a CRL, you can use the
CRL object in your VPN. For details on configuring a certificate revocation list object, see
"Configuring CRL Objects" on page 218.
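
Because a CRL is only valid for devices whose certificates were issued by the same CA, it is worth confirming that a received .crl file was signed by the CA certificate you installed before you create the CRL object. The following is an added example, not part of the Juniper guide or of NSM: it assumes the openssl command-line tool is available on an administrator workstation, and the function names, file names and the throwaway test CA are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-import sanity check for a CRL file, run outside NSM.

# crl_form FILE -> prints an -inform value (DER or PEM) that openssl accepts
# for FILE; CA-supplied .crl files are commonly DER encoded
crl_form() {
    if openssl crl -inform DER -in "$1" -noout 2>/dev/null; then
        echo DER
    else
        echo PEM
    fi
}

# crl_matches_ca CA_CERT_PEM CRL_FILE -> exit status 0 only when the CRL
# signature verifies against the public key in the CA certificate
crl_matches_ca() {
    openssl crl -inform "$(crl_form "$2")" -in "$2" -CAfile "$1" -noout 2>&1 |
        grep -q '^verify OK'
}

# crl_summary CRL_FILE -> issuer, lastUpdate and nextUpdate, so the operator
# can confirm the issuing CA and that the list has not expired
crl_summary() {
    openssl crl -inform "$(crl_form "$1")" -in "$1" -noout \
        -issuer -lastupdate -nextupdate
}

# make_test_ca DIR NAME -> constructed sample data only: a throwaway CA
# certificate (DIR/NAME/ca.pem) and an empty CRL signed by it (DIR/NAME/ca.crl)
make_test_ca() {
    d=$1/$2
    mkdir -p "$d"
    : > "$d/index.txt"
    printf '[ca]\ndefault_ca=c\n[c]\ndatabase=%s/index.txt\ndefault_md=sha256\ndefault_crl_days=30\n' \
        "$d" > "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed $2" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl ca -config "$d/ca.cnf" -gencrl -keyfile "$d/ca.key" -cert "$d/ca.pem" \
        -out "$d/ca.crl" 2>/dev/null
}

# Typical use with your own files (hypothetical names):
#   crl_matches_ca issuing-ca.pem issuing-ca.crl && crl_summary issuing-ca.crl
```

A CRL that fails `crl_matches_ca` against the installed CA certificate was issued by a different CA (or is corrupt) and should not be used for that device.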
Copyright © 2010, Juniper Networks, Inc.
