Configuring Simple Certificate Enrollment Protocol - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual


Table 68: Revocation Settings (continued)

Revocation Settings: Revocation Checking Method
Your Action: Select the checking method to use if you enabled revocation checking. If you did not enable revocation checking, these fields are unavailable.
  CRL—Enables you to keep a local copy of the revoked certificates on the managed device. This method enables you to check for revoked certificates quickly.
  OCSP—Enables the device to access a remote OCSP server to check for revoked certificates. Because the OCSP server dynamically updates its list of revoked certificates, this method provides the most up-to-date information.

Revocation Settings: Best Effort
Your Action: Select this option to check for revocation and accept the certificate if no revocation information is found.

Revocation Settings: CRL Settings
Your Action: Configure the default settings for the certificate revocation list.
  URL address—Provide the URL address of your internal LDAP server that provides the CRL.
  LDAP server—Provide the IP address of the external LDAP server that manages the CRL.
  Refresh Frequency—Select how often the device contacts the CA to obtain a new CRL: Daily, Weekly, or Monthly.

Revocation Settings: OCSP
Your Action: Enable to dynamically check for revoked certificates.
  Certificate Verification—Select the CA certificate used to verify the signature on the OCSP response.
  No revoke status check for CA delegated signing cert—Select this option if you do not want the original CA certificate to verify the validity of the CA delegated OCSP signing certificate. When enabled, the validity of the OCSP signing certificate is verified by the original CA certificate.
  URL of OCSP Responder—Provide the URL address of the OCSP server.

Configuring Simple Certificate Enrollment Protocol

Alternatively, you can use Simple Certificate Enrollment Protocol (SCEP) to obtain a local certificate automatically. To enable SCEP for a managed device, configure the default PKI settings for SCEP as described in Table 69 on page 277.

Table 69: Simple Certificate Enrollment Protocol

PKI Settings: CA CGI
Your Action: Enter the URL address of the certificate authority certificate generation information.

PKI Settings: RA CGI
Your Action: Enter the URL address of the registration authority certificate generation information that the security device contacts to request a CA certificate.

PKI Settings: CA IDENT
Your Action: Enter the name of the certificate authority to confirm certificate ownership.

PKI Settings: Challenge
Your Action: Enter the challenge word(s) sent to you by the CA that confirm the security device identity to the CA.

Copyright © 2010, Juniper Networks, Inc.
Chapter 8: Configuring VPNs
277
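The Best Effort and CRL Refresh Frequency settings in Table 68 decide what the device does when no revocation information is available. The following Python model is an added illustration, not Juniper or ScreenOS code; the CrlCache structure, the rule that a CRL cached longer than its refresh interval counts as "no information", and the 30-day Monthly interval are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Refresh Frequency choices from Table 68; treating "Monthly" as 30 days is an assumption.
REFRESH = {"Daily": timedelta(days=1), "Weekly": timedelta(weeks=1), "Monthly": timedelta(days=30)}

@dataclass
class RevocationPolicy:
    enabled: bool               # revocation checking turned on at all
    best_effort: bool = False   # accept the certificate when no revocation information is found
    refresh: str = "Daily"      # CRL Refresh Frequency

@dataclass
class CrlCache:
    revoked_serials: set        # constructed local copy of the CRL held on the device
    fetched_at: datetime        # when the device last obtained it from the CA

def crl_lookup(cache: CrlCache, serial: int, now: datetime, policy: RevocationPolicy) -> Optional[bool]:
    """True = revoked, False = good, None = no usable information (cache older than refresh; assumption)."""
    if now - cache.fetched_at > REFRESH[policy.refresh]:
        return None
    return serial in cache.revoked_serials

def ocsp_lookup(responder_answer: Optional[str]) -> Optional[bool]:
    """Map a constructed responder answer ('good', 'revoked', or None = unreachable) to the same tri-state."""
    return None if responder_answer is None else responder_answer == "revoked"

def decide(policy: RevocationPolicy, status: Optional[bool]) -> str:
    """Best Effort rule: a definite 'revoked' always rejects; missing information
    rejects unless Best Effort is selected, which makes the check fail open."""
    if not policy.enabled or status is False:
        return "accept"
    if status is True:
        return "reject"
    return "accept" if policy.best_effort else "reject"

def demo() -> dict:
    """Side-by-side outcomes for the cases that matter (constructed clock and serials)."""
    now = datetime(2010, 1, 15)
    cache = CrlCache(revoked_serials={0x1A2B}, fetched_at=now - timedelta(days=3))
    strict = RevocationPolicy(enabled=True, best_effort=False, refresh="Daily")
    lenient = RevocationPolicy(enabled=True, best_effort=True, refresh="Weekly")
    return {
        "stale_crl_strict": decide(strict, crl_lookup(cache, 0x9999, now, strict)),      # reject
        "fresh_crl_good": decide(lenient, crl_lookup(cache, 0x9999, now, lenient)),      # accept
        "fresh_crl_revoked": decide(lenient, crl_lookup(cache, 0x1A2B, now, lenient)),   # reject
        "ocsp_down_best_effort": decide(lenient, ocsp_lookup(None)),                     # accept
        "ocsp_down_strict": decide(strict, ocsp_lookup(None)),                           # reject
    }
```

The ocsp_down_best_effort case is the one to watch: with Best Effort selected, an unreachable OCSP responder or an unavailable CRL results in the certificate being accepted.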
