Pki Default Settings Configuration In Nsm Overview; Configuring X509 Certificates; Configuring Revocation - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual


Configuring ScreenOS Devices Guide

PKI Default Settings Configuration in NSM Overview

You can configure default PKI settings for each security device to define how that device
handles certificates. When configuring a VPN that includes the device, you can use these
default settings.

In the device configuration tree, select VPN Settings > Defaults > PKI Settings to display
the default PKI settings. First, configure the source interface for PKI traffic. The source
interface is the interface on the device that sends the certificate request to the CA. This
topic includes the following:

Configuring X509 Certificates
Configuring Revocation
Configuring Simple Certificate Enrollment Protocol

Configuring X509 Certificates

Configure the following X509 certificate settings:

Email Destination for the PKCS#10 File—Provide the e-mail address that receives the
PKCS#10 file. PKCS#10 defines the syntax for certification requests.

Select raw common name—Select this option to use only one CN field in the SCEP
certificate request. Some certificate authorities support a single CN field in the
certificate DN when responding to a SCEP request. When enabled, the CN field contains
the value of the certificate name when you set the DN.

Configuring Revocation

Revocation settings define how and when certificates are revoked. You might want to
revoke a certificate that you suspect has been compromised or when a certificate holder
leaves a company. You can revoke the certificate manually, or use a certificate revocation
list (CRL) or the Online Certificate Status Protocol (OCSP) to automatically check for
revoked certificates. Table 68 describes the revocation settings.

Table 68: Revocation Settings

| Revocation Settings | Your Action |
| --- | --- |
| X.509 Certificate Path Validation Level | X509 contains a specification for a certificate that binds an entity's distinguished name to its public key through the use of a digital signature. Full—Use full validation to validate the certificate path back to the root. Partial—Use partial validation to validate the certificate path only part of the way to the root. |
| Revocation Check | Select or clear revocation checking for certificates: Check for revocation—Select this option to enable revocation checking. Do not check for revocation—Select this option to disable revocation checking. |
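
How the two settings in Table 68 interact, as an added example (not from the Juniper guide and not device code): a simplified Python model of path walking and CRL lookup. It assumes that partial validation stops at the first CA certificate stored locally and that the certificate the walk stops at is not itself revocation-checked; signatures and validity dates are not modelled, and every name and serial number is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

def validate_path(leaf, pool, local_cas, crl, level="full", check_revocation=True):
    """Walk issuer links upward from leaf; return (accepted, reason).

    local_cas: subjects of CA certificates stored on the device.
    crl: set of (issuer, serial) pairs published as revoked.
    Assumption: "partial" stops at the first locally stored CA, while "full"
    continues to a self-signed root. The certificate the walk stops at is the
    trust anchor and is not itself revocation-checked.
    """
    by_subject = {c.subject: c for c in pool}
    cert, seen = leaf, set()
    while cert.subject not in seen:
        seen.add(cert.subject)
        self_signed = cert.subject == cert.issuer
        if cert.subject in local_cas and (self_signed or level == "partial"):
            return True, f"path ends at {cert.subject}"
        if self_signed:
            return False, f"root {cert.subject} is not trusted"
        if check_revocation and (cert.issuer, cert.serial) in crl:
            return False, f"{cert.subject} is revoked"
        cert = by_subject.get(cert.issuer)
        if cert is None:
            return False, "issuer certificate not found"
    return False, "loop in certificate path"

# Constructed sample data: a three-certificate path and the CAs held locally.
ROOT = Cert("Root CA", "Root CA", 1)
ISSUING = Cert("Issuing CA", "Root CA", 2)
PEER = Cert("vpn-peer.example", "Issuing CA", 77)
POOL = [ROOT, ISSUING, PEER]
LOCAL_CAS = {"Root CA", "Issuing CA"}
CA_REVOKED = {("Root CA", 2)}  # the root has revoked the issuing CA

if __name__ == "__main__":
    for level in ("full", "partial"):
        for check in (True, False):
            result = validate_path(PEER, POOL, LOCAL_CAS, CA_REVOKED, level, check)
            print(f"level={level} check_revocation={check}: {result}")
```

In the constructed case, partial validation accepts the peer even though the issuing CA is revoked, because the walk stops before it reaches the CRL entry published by the root.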
Copyright © 2010, Juniper Networks, Inc.
