supports CA hierarchies, which consist of a top-level root CA and one or more sub-CAs (also called issuing CAs).

In a CA hierarchy, the router obtains its public key certificates and the CA certificate from a sub-CA. The sub-CA's certificate is signed by the root CA.

This process creates a certificate chain of trust in which the E Series router must verify all certificates in the chain until the router reaches a trusted CA, such as the root CA. For example, if the router receives traffic from a peer with a certificate signed by a sub-CA, the router first verifies the sub-CA's signature on the peer's certificate, then verifies the sub-CA's certificate, which is signed by the trusted root CA.

The ERX router supports CA hierarchies consisting of the root CA and one level of sub-CAs. When using a CA hierarchy, the router authenticates and enrolls for its public certificate with the sub-CA. When you use the show ipsec ike-certificates command, the root CA and sub-CA certificates are listed as CA certificates, and the router's public certificates are signed by the sub-CA.
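The chain walk described above (the peer's certificate checked against the sub-CA that issued it, then the sub-CA's certificate against the trusted root) as an added example in Go using only the standard library; this is illustrative code written for this page, not JUNOSe or router code. The CA names, key size and validity window are constructed, and verifyChain checks signatures and CA basic constraints only, not validity periods or revocation.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: this is constructed demo code, so any failure is fatal.
func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// newCert generates an RSA key and issues a certificate for cn signed by parent; a nil parent yields a self-signed root.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, // only a certificate flagged as a CA may act as an issuer
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// verifyChain walks the chain in the order the text describes: peer -> sub-CA -> trusted root.
// CheckSignatureFrom also rejects an issuer whose certificate is not a CA.
func verifyChain(peer, subCA, root *x509.Certificate) error {
	if err := peer.CheckSignatureFrom(subCA); err != nil {
		return fmt.Errorf("peer certificate not signed by sub-CA: %w", err)
	}
	if err := subCA.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("sub-CA certificate not signed by trusted root: %w", err)
	}
	return nil
}

// demo builds root -> sub-CA -> peer (one sub-CA level, as the ERX supports) and checks the chain
// against the genuine root and against a root the router does not trust (a constructed "other" CA).
func demo() (genuineOK, untrustedRootRejected bool) {
	root, rootKey := newCert("Root CA", true, nil, nil)
	subCA, subKey := newCert("Issuing CA", true, root, rootKey)
	peer, _ := newCert("peer-router", false, subCA, subKey)
	otherRoot, _ := newCert("Some Other Root CA", true, nil, nil)
	return verifyChain(peer, subCA, root) == nil, verifyChain(peer, subCA, otherRoot) != nil
}
```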
IKE Authentication Using Public Keys Without Digital Certificates
During IKE negotiations, peers exchange public keys to authenticate each other's identity and to ensure that IKE SAs are established with the intended party. Typically, public keys are exchanged in messages containing an X.509v3 digital certificate.

As an alternative to setting up digital certificates, you can configure and exchange public keys for IKE peers and use these keys for RSA signature authentication without having to obtain a digital certificate. This method offers the simplicity and convenience of using preshared key authentication without its inherent security risks.
With this method, you no longer need a digital certificate to do the following:

■ Associate the router with its own public key

■ Enable a remote peer to display the router's public key

■ Learn the remote peer's public key
Configuration Tasks
To set up public keys and peer public keys without obtaining a digital certificate, you use router commands to perform the following tasks:

■ Display the router's public key by using the show ipsec key mypubkey rsa command. You can use the output from this command to provide information to the remote peer about the public key configured on the router. The remote peer can then enter the router's public key on its own system.

■ Manually enter the public key for the remote peer with which you want to establish IKE SAs by using the ipsec key pubkey-chain rsa and key-string commands.

■ Display the remote peer's public key by using the show ipsec key pubkey-chain rsa command.
220
■
IKE Authentication Using Public Keys Without Digital Certificates
JUNOSe 11.1.x IP Services Configuration Guide