When you request a certificate, the security device generates a key pair. The public key becomes incorporated in the request itself and, eventually, in the digitally signed local certificate you receive from the CA.
In the following example, the security administrator is making a certificate request for Michael Zhang in the Development department at Juniper Networks in Sunnyvale, California. The certificate is going to be used for a security device at IP address 10.10.5.44. The administrator instructs the security device to send the request through email to the security administrator at [email protected]. The security administrator then copies and pastes the request in the certificate request text field at the CA’s certificate enrollment site. After the enrollment process is complete, the CA usually sends the certificates through email back to the security administrator.
NOTE: A special certificate identity string, called domain-component, is available only through the CLI. Devices can use this value in certificates for IPsec logon to VPN gateways. For example, the device could use this as a Group IKE ID, accepting ASN1_DN type IKE identities containing "DC=Engineering, DC=NewYork".
Before generating a certificate request, make sure that you have set the system clock and assigned a hostname and domain name to the security device. (If the security device is in an NSRP cluster, replace the hostname with a cluster name. For more information, see Creating an NSRP Cluster.)
WebUI
1. Certificate Generation
Objects > Certificates > New: Enter the following, then click Generate:
Name: Michael Zhang
Phone: 408-730-6000
Unit/Department: Development
Organization: Juniper Networks
County/Locality: Sunnyvale
E-mail: [email protected]
IP Address: 10.10.5.44
Write to file: (select)
RSA: (select)
Create new key pair of 1024 length: (select)
The device generates a PKCS #10 file and prompts you to send the file through email, save the file to disk, or automatically enroll through the Simple Certificate Enrollment Protocol (SCEP).
Select the E-mail to option, enter [email protected], then click OK.
NOTE: Some CAs do not support an email address in a certificate. If you do not include an email address in the local certificate request, you cannot use an email address as the local IKE ID when configuring the security device as a dynamic peer. Instead, you can use a fully qualified domain name (if it is in the local certificate), or you can leave the local ID field empty. By default the security device sends its hostname.domainname. If you do not specify a local ID for a dynamic peer, enter the hostname.domainname of that peer on the device at the other end of the IPsec tunnel in the peer ID field.
The value 1024 indicates the bit length of the key pair. If you are using the certificate for SSL (see Secure Sockets Layer), be sure to use a bit length that your browser also supports.
Using the email address assumes that you have already configured the IP address for your SMTP server: set admin mail server-name { ip_addr | dom_name }.
2. Certificate Request
The security administrator opens the file and copies its contents, taking care to copy the entire text but not any blank spaces before or after the text. (Start at “---BEGIN CERTIFICATE REQUEST---”, and end at “---END CERTIFICATE REQUEST---”.) The security administrator then follows the certificate request directions at the CA’s website, pasting the PKCS #10 file in the appropriate field when required.
3. Certificate Retrieval
When the security administrator receives the certificate from the CA through email, the administrator forwards it to you. Copy it to a text file, and save it to your workstation (to be loaded to the security device later through the WebUI) or to a TFTP server (to be loaded later through the CLI).
CLI
1. Certificate Generation
set pki x509 dn country-name US
set pki x509 dn email [email protected]
set pki x509 dn ip 10.10.5.44
set pki x509 dn local-name "Santa Clara"
set pki x509 dn name "Michael Zhang"
set pki x509 dn org-name "Juniper Networks"
set pki x509 dn org-unit-name Development
set pki x509 phone 408-730-6000
set pki x509 dn state-name CA
set pki x509 default send-to [email protected]
exec pki rsa new-key 1024
NOTE: Using the email address assumes that you have already configured the IP address for your SMTP server: set admin mail server-name { ip_addr | dom_name }.
The certificate request is sent through email to [email protected].
2. Certificate Request
The security administrator opens the file and copies its contents, taking care to copy the entire text but not any blank spaces before or after the text. (Start at “---BEGIN CERTIFICATE REQUEST---”, and end at “---END CERTIFICATE REQUEST---”.) The security administrator then follows the certificate request directions at the CA’s website, pasting the PKCS #10 file in the appropriate field when required.
3. Certificate Retrieval
When the security administrator receives the certificate from the CA through email, the administrator forwards it to you. Copy it to a text file, and save it to your workstation (to be loaded to the security device later through the WebUI) or to a TFTP server (to be loaded later through the CLI).
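The following POSIX shell script is an added example and is not part of the ScreenOS documentation; it walks through the same three steps (generate a key pair and PKCS #10 request, extract exactly the BEGIN-to-END block that the CA form wants, and check the request before submitting it) with the openssl(1) command line rather than with the security device. It assumes openssl 1.1.1 or later is installed. The DN values are the ones from this page; the address mzhang@example.com is a constructed placeholder for the redacted e-mail, and carrying the device IP in a subjectAltName is this example's own choice, not a statement about what ScreenOS does.

```shell
#!/bin/sh
# Added example, not part of the ScreenOS documentation: reproduce the
# key-pair plus PKCS #10 request flow with the openssl(1) command line so
# each piece can be inspected. Assumes openssl 1.1.1 or later is installed.
# DN values are the page's example values; the e-mail address is a
# constructed placeholder (the page redacts it). Placing the IP address in a
# subjectAltName is an assumption of this example, not ScreenOS behaviour.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1 (Certificate Generation): create the RSA key pair and the request.
# The public half of the new key is embedded in the request automatically.
# $1 = key length in bits; the page's example uses 1024, which current CAs
# and browsers generally reject, so the demo below defaults to 2048.
gen_request() {
    bits="${1:-2048}"
    openssl req -new -newkey "rsa:${bits}" -nodes \
        -keyout "$WORKDIR/device.key" -out "$WORKDIR/device.csr" \
        -subj "/C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Development/CN=Michael Zhang/emailAddress=mzhang@example.com" \
        -addext "subjectAltName=IP:10.10.5.44" >/dev/null 2>&1
}

# Step 2 (Certificate Request): pull out exactly what the CA form wants from
# whatever file holds it (the saved request or an e-mail body): from the
# BEGIN line through the END line, nothing before or after. Real PEM markers
# use five dashes. $1 = file to read.
extract_request() {
    sed -n '/^-----BEGIN CERTIFICATE REQUEST-----$/,/^-----END CERTIFICATE REQUEST-----$/p' "$1"
}

# Sanity check before submitting: the request's self-signature verifies and
# the public key inside it belongs to the private key the device keeps.
# $1 = request file.
verify_request() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$WORKDIR/device.key" -pubout | openssl sha256)
    [ "$csr_pub" = "$key_pub" ]
}

# Report the RSA modulus length actually embedded in a request; this is the
# number to compare against the browser's supported key sizes when the
# certificate will serve SSL. $1 = request file.
request_key_bits() {
    openssl req -in "$1" -noout -pubkey \
        | openssl pkey -pubin -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

demo() {
    gen_request "${BITS:-2048}" || { echo "request generation failed" >&2; return 1; }
    # Constructed stand-in for the e-mail the device sends: blank lines and a
    # signature surround the request and must not reach the CA's form.
    {
        printf '\n\nCertificate request for device 10.10.5.44\n\n'
        cat "$WORKDIR/device.csr"
        printf '\n-- \nsecurity administrator\n'
    } > "$WORKDIR/mail.txt"
    extract_request "$WORKDIR/mail.txt" > "$WORKDIR/pasted.csr"
    verify_request "$WORKDIR/pasted.csr" || { echo "request does not verify" >&2; return 1; }
    echo "request OK: $(request_key_bits "$WORKDIR/pasted.csr")-bit RSA key, saved in $WORKDIR/pasted.csr"
}

[ -n "${SKIP_DEMO:-}" ] || demo
```

Run it as sh request_demo.sh; set BITS=1024 to mirror the page's key length exactly, or WORKDIR to keep the key and request somewhere other than a temporary directory. The verify step is the one worth keeping in any enrollment checklist: it catches a request whose text was truncated or padded during copy-and-paste before the CA rejects it, and it confirms that the public key the CA will certify is the one matching the private key on the device.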