To use a digital certificate to authenticate your identity when establishing a secure VPN connection, you must first do the following:
• Obtain a certificate authority (CA) certificate from which you intend to obtain a personal certificate, and then load the CA certificate in the security device.
• Obtain a local certificate (also known as a personal certificate) from the CA whose CA certificate you have previously loaded, and then load the local certificate in the security device. You can perform this task manually, or automatically using Simple Certificate Enrollment Protocol (SCEP).
Because the manual method of requesting local certificates has steps requiring you to copy information from one certificate to another, it can be a somewhat lengthy process. To bypass these steps, you can use the automatic method.
Note that, before using SCEP, you must perform the following tasks:
• Configure and enable DNS. (See Domain Name System Support.)
• Set the system clock. (See System Clock.)
• Assign a hostname and domain name to the security device. (If the security device is in an NSRP cluster, replace the hostname with a cluster name. For more information, see Creating an NSRP Cluster.)
In this example, you use the automatic method to request a local certificate. You use SCEP with the Verisign CA. You set the following CA settings:
• Full certificate path validation
• CA CGI: http://ipsec.verisign.com/cgi-bin/pkiclient.exe
NOTE: The Common Gateway Interface (CGI) is a standard way for a Web server to pass a user request to an application program and to receive data back. CGI is part of the HyperText Transfer Protocol (HTTP). You must specify an RA CGI path even if the RA does not exist. If the RA does not exist, use the value specified for the CA CGI.
• Automatic integrity confirmation of CA certificates
• CA ID, which identifies a SCEP server; the Verisign SCEP server uses a domain name, such as juniper.net or a domain set up by Verisign for your company
• Challenge password
• Automatic certificate polling every 30 minutes (the default is no polling)
You then generate an RSA key pair, specifying a key length of 1024 bits, and initiate the SCEP operation to request a local certificate from the Verisign CA with the above CA settings.
When using the WebUI, you refer to CA certificates by name. When using the CLI, you refer to CA certificates by index (IDX) number. In this example, the IDX number for the Verisign CA is “1.” To see the IDX numbers for CA certificates, use the following command: get pki x509 list ca-cert. The output displays an IDX number and an ID number for each certificate. Note the IDX number and use that when referencing the CA certificate in commands.
WebUI
1. CA Server Settings
Objects > Certificates > Show CA > Server Settings (for Verisign): Enter the following, then click OK:
X509 certificate path validation level: Full
SCEP Settings:
RA CGI: http://ipsec.verisign.com/cgi-bin/pkiclient.exe
CA CGI: http://ipsec.verisign.com/cgi-bin/pkiclient.exe
> Advanced: Enter the following advanced settings, then click Return to return to the basic CA Server Settings configuration page:
Polling Interval: 30
Certificate Authentication: Auto
Certificate Renew: 14
2. Local Certificate Request
Objects > Certificates > New: Enter the following, then click Generate:
Name: Michael Zhang
Phone: 408-730-6000
State: CA
Country: US
Email: [email protected]
IP Address: 10.10.5.44
Key Pair Information
RSA: (select)
Create new key pair of 1024 length.
NOTE: The value 1024 indicates the bit length of the key pair. If you are using the certificate for SSL, be sure to use a bit length that your browser also supports.
Issue the get pki x509 pkcs CLI command to have the security device generate a PKCS #10 file, and then do one of the following:
• Send the PKCS #10 certificate request file to an email address
• Save it to disk
• Automatically enroll by sending the file to a CA that supports the Simple Certificate Enrollment Protocol (SCEP)
3. Automatic Enrollment
Select the Automatically enroll to option, select the Existing CA server settings option, then select Verisign from the drop-down list.
Contact Verisign to inform them of your certificate request. They must authorize the certificate request before you can download the certificate.
CLI
1. CA Server Settings
set pki authority 1 cert-path full
set pki authority 1 scep ca-cgi "http://ipsec.verisign.com/cgi-bin/pkiclient.exe"
set pki authority 1 scep ra-cgi "http://ipsec.verisign.com/cgi-bin/pkiclient.exe"
set pki authority 1 scep polling-int 30
set pki authority 1 scep renew-start 14
NOTE: The Common Gateway Interface (CGI) is a standard way for a Web server to pass a user request to an application program and to receive data back. CGI is part of the HyperText Transfer Protocol (HTTP). You must specify an RA CGI path even if the RA does not exist. If the RA does not exist, use the value specified for the CA CGI.
2. Local Certificate Request
set pki x509 dn country-name US
set pki x509 dn email [email protected]
set pki x509 dn ip 10.10.5.44
set pki x509 dn name "Michael Zhang"
set pki x509 dn org-name "Juniper Networks"
set pki x509 dn org-unit-name Development
set pki x509 phone 408-730-6000
set pki x509 dn state-name CA
exec pki rsa new 1024
3. Automatic Enrollment
exec pki x509 scep 1
If this is the first certificate request from this CA, a prompt appears presenting a fingerprint value for the CA certificate. You must contact the CA to confirm that this is the correct CA certificate.
Contact Verisign to inform them of your certificate request. They must authorize the certificate request before you can download the certificate.
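The fingerprint prompt in step 3 is the only point at which the device's trust in the SCEP-delivered CA certificate is anchored outside the SCEP channel, so the comparison against the value the CA gives you should be exact. The following is an added example, not ScreenOS code or Juniper's own tooling: it recomputes the fingerprint of a received DER-encoded CA certificate and compares it with the fingerprint obtained out of band, accepting the colon-separated, spaced or prefixed forms such values are usually shown in. The certificate bytes below are a constructed stand-in, not a real certificate.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the DER-encoded CA certificate the device receives
# over SCEP (not a real certificate; the hashing logic works on any byte string).
CA_CERT_DER = b"\x30\x82\x01\x00CONSTRUCTED-CA-CERT-DER-BYTES"

# Digest algorithm inferred from the number of hex digits in the displayed fingerprint.
_ALGOS_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_fingerprint(shown: str) -> str:
    """Canonicalize a fingerprint as displayed on a console or a CA web page:
    strip an optional 'SHA1 Fingerprint=' style prefix, colons and spaces; lower-case."""
    value = shown.split("=", 1)[1] if "=" in shown else shown
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", value)
    if len(hexdigits) not in _ALGOS_BY_HEX_LEN:
        raise ValueError(f"unrecognised fingerprint length: {len(hexdigits)} hex digits")
    return hexdigits.lower()


def fingerprint(der: bytes, algo: str) -> str:
    """Hex fingerprint of a certificate: the digest of its raw DER encoding."""
    return hashlib.new(algo, der).hexdigest()


def fingerprint_matches(der: bytes, expected_shown: str) -> bool:
    """True only if the fingerprint the CA supplied out of band matches the
    certificate actually received; the digest algorithm follows from its length."""
    expected = normalize_fingerprint(expected_shown)
    actual = fingerprint(der, _ALGOS_BY_HEX_LEN[len(expected)])
    # Constant-time comparison so the check does not leak how many digits matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # What a CA typically publishes: upper-case, colon-separated SHA-1.
    shown = "SHA1 Fingerprint=" + ":".join(
        fingerprint(CA_CERT_DER, "sha1")[i:i + 2].upper() for i in range(0, 40, 2))
    print("CA published :", shown)
    print("received cert:", fingerprint_matches(CA_CERT_DER, shown))
    print("altered cert :", fingerprint_matches(CA_CERT_DER + b"\x00", shown))
```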