The following are steps to configure certificate enrollment:
Generate a key.
admin certificate gen-keypair cf3:/key_plain_rsa2048 size 2048 type rsa
Generate a certificate request.
admin certificate gen-local-cert-req keypair cf3:/key_plain_rsa2048 subject-rdn "C=US,ST=CA,CN=7750" file 7750_req.cs
Send the certificate request to CA-1 to sign and get the signed certificate.
Import the key.
admin certificate import type key input cf3:/key_plain_rsa2048 output key1_rsa2048 format der
Import the signed certificate.
admin certificate import type cert input cf3:/7750_cert.pem output 7750cert format pem
The following are steps to configure CA certificate/CRL import.
Import the CA certificate.
admin certificate import type cert input cf3:/CA_1_cert.pem output ca_cert format pem
Import the CA’s CRL.
admin certificate import type crl input cf3:/CA_1_crl.pem output ca_crl format pem
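The script below is an added example, not part of the original documentation or Nokia's tooling. It runs offline on an admin workstation with OpenSSL before the enrollment and CA/CRL import steps above, and checks that the signed certificate carries the public key from the certificate request, chains to the CA certificate, and is not revoked in the CA's CRL. The function names, file names and throwaway CA are constructed for the demonstration.

```bash
# Added example (not Nokia code): offline checks on the CA's reply, run on an
# admin workstation with OpenSSL before the files are copied to cf3:/.

# preimport_check <csr> <cert> <ca_cert> <crl>   (all PEM; hypothetical helper)
# Returns 0 only if the certificate carries the CSR's public key, chains to
# the CA certificate, and is not revoked in the CA's CRL.
preimport_check() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    if [ "$csr_pub" != "$cert_pub" ]; then
        echo "FAIL: certificate was not issued for the CSR's key" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$3" -crl_check -CRLfile "$4" "$2" >/dev/null 2>&1; then
        echo "FAIL: chain or CRL check failed" >&2
        return 1
    fi
    echo "OK: key match, chain and CRL verified"
}

# make_fixture <dir>: constructed sample data (throwaway CA "CA-1", a CSR with
# the subject used above, the signed certificate and an empty CRL).
make_fixture() {
    mkdir -p "$1" && : > "$1/index.txt" || return 1
    printf '[ca]\ndefault_ca=c\n[c]\ndatabase=%s/index.txt\ndefault_md=sha256\ndefault_crl_days=1\n' \
        "$1" > "$1/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=CA-1" -days 2 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=US/ST=CA/CN=7750" \
        -keyout "$1/key.pem" -out "$1/req.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/req.pem" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 1 -days 1 -out "$1/cert.pem" 2>/dev/null &&
    openssl ca -config "$1/ca.cnf" -gencrl -keyfile "$1/ca.key" \
        -cert "$1/ca.pem" -out "$1/crl.pem" 2>/dev/null
}

# Demo on the constructed fixture.
d=$(mktemp -d) && make_fixture "$d" &&
    preimport_check "$d/req.pem" "$d/cert.pem" "$d/ca.pem" "$d/crl.pem"
rm -rf "$d"
```

Only the public key from the request is compared, so the private key never has to leave the node.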
The following displays a certificate authentication configuration for an IKEv2 static LAN-to-LAN tunnel.
config>system>security>pki# info
----------------------------------------------
ca-profile "alu-root" create
cert-file "alu_root.cert"
crl-file "alu_root.crl"
no shutdown
exit
----------------------------------------------
config>ipsec# info
----------------------------------------------
ike-policy 1 create
ike-version 2
auth-method cert-auth
ike-transform 1
exit
ipsec-transform 1 create
exit
ike-transform 1 create
exit
cert-profile "segw" create
entry 1 create
cert segw.cert
key segw.key
exit
no shutdown
exit
trust-anchor-profile "nokia" create
trust-anchor "nokia-root"
exit
config>service>vprn>if>sap
----------------------------------------------
ipsec-tunnel "t50" create
security-policy 1
local-gateway-address 192.168.55.30 peer 192.168.33.100 delivery-service 300
dynamic-keying
ike-policy 1
transform 1
cert
trust-anchor-profile "nokia"
cert-profile "segw"
exit
exit
no shutdown
exit
The following displays an example of the syntax to import a certificate from the PEM format.
*A:SR-7/Dut-A# admin certificate import type cert input cf3:/pre-import/R1-0cert.pem output R1-0cert.der format pem
The following displays an example of the syntax to export a certificate to the PEM format.
*A:SR-7/Dut-A# admin certificate export type cert input R1-0cert.der output cf3:/R1-0cert.pem format pem