Table 15 on page 219 presents how the CRL setting affects the outcome of IKE phase
1 negotiations. It lists common problem conditions such as ERX Cert revoked.
Table 15: Outcome of IKE Phase 1 Negotiations
| Condition | CRL Setting: Required | CRL Setting: Optional | CRL Setting: Ignored |
|---|---|---|---|
| CRL OK | Succeed | Succeed | Succeed |
| CRL expired | Fail | Succeed | Succeed |
| Missing CRL | Fail | Succeed | Succeed |
| Peer Cert revoked | Fail | Fail | Succeed |
| ERX Cert revoked | Fail | Fail | Succeed |
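The decision logic behind Table 15, written out as an added example (not code from the guide or from the router software). The `Crl` class, the function names, the serial numbers and the dates are constructed for illustration. The model also assumes that an expired CRL is not consulted for revocation, a case the table does not cover.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SETTINGS = ("required", "optional", "ignored")

@dataclass(frozen=True)
class Crl:
    """Hypothetical stand-in for a parsed CRL: end of validity and revoked serials."""
    next_update: datetime
    revoked_serials: frozenset

def phase1_outcome(setting: str, crl: Optional[Crl], peer_serial: int,
                   erx_serial: int, now: datetime) -> str:
    """Return 'Succeed' or 'Fail' for IKE phase 1 according to Table 15.

    crl is None when no CRL is available (the 'Missing CRL' row)."""
    if setting not in SETTINGS:
        raise ValueError(f"unknown CRL setting: {setting!r}")
    if setting == "ignored":
        return "Succeed"            # revocation state is never consulted
    usable = crl is not None and now < crl.next_update
    if not usable:
        # Missing or expired CRL: only 'required' treats this as fatal.
        return "Fail" if setting == "required" else "Succeed"
    # A current CRL is available: a revoked peer or router certificate
    # fails the negotiation under both 'required' and 'optional'.
    if peer_serial in crl.revoked_serials or erx_serial in crl.revoked_serials:
        return "Fail"
    return "Succeed"

def table15() -> dict:
    """Evaluate the five conditions of Table 15 against constructed sample data."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed date
    peer, erx = 0x1001, 0x2002                         # constructed serials
    current, stale = now + timedelta(days=7), now - timedelta(days=7)
    conditions = {
        "CRL OK": Crl(current, frozenset()),
        "CRL expired": Crl(stale, frozenset()),
        "Missing CRL": None,
        "Peer Cert revoked": Crl(current, frozenset({peer})),
        "ERX Cert revoked": Crl(current, frozenset({erx})),
    }
    return {name: tuple(phase1_outcome(s, crl, peer, erx, now) for s in SETTINGS)
            for name, crl in conditions.items()}

if __name__ == "__main__":
    for name, row in table15().items():
        print(f"{name:18} " + "  ".join(f"{s}={r}" for s, r in zip(SETTINGS, row)))
```

Only the Required setting fails closed when revocation data is unavailable; Optional still rejects a certificate that a current CRL lists as revoked.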
File Extensions
Table 16 on page 219 describes the file extensions that the ERX routers use for digital
certificates that are created by the offline process.
During the online digital certificate process, the certificate files are kept in NVS in
hidden areas and are not visible to users (the files do not appear when you enter a
dir shell command). Use the show commands to display information for the online
certificate files. The router's private keys are similarly hidden from users.
Table 16: File Extensions (Offline Configuration)
| File Extension | Description |
|---|---|
| .crq | Used for certificate request files that are generated on the ERX router and taken to CAs for obtaining a certificate. |
| .cer | Used for public certificate files. The public certificates for root CAs and the router public certificates are copied to the ERX router. They are automatically recognized as belonging to the ERX router or CA by certificate subject name and issuer name (in a CA they are the same). The ERX router supports multiple CAs. |
| .crl | Used for certificate revocation lists that are obtained offline from CAs and copied to the ERX router. CRLs indicate which certificates from a particular CA are revoked. |
Certificate Chains
In a basic CA model, there is a single CA from which the ERX router obtains the root
CA certificates and the router's public key certificates. The E Series router also

IKE Authentication with Digital Certificates ■ 219
Chapter 8: Configuring Digital Certificates
Summary of Contents for IP SERVICES - CONFIGURATION GUIDE V 11.1.X