Configuring X.509v3 certificate parameters

The following are steps to configure certificate enrollment:

  1. Generate a key.

    admin certificate gen-keypair cf3:/key_plain_rsa2048 size 2048 type rsa
    
  2. Generate a certificate request.

    admin certificate gen-local-cert-req keypair cf3:/key_plain_rsa2048 subject-rdn "C=US,ST=CA,CN=7750" file 7750_req.cs
    
  3. Send the certificate request to CA-1 to sign and get the signed certificate.

  4. Import the key.

    admin certificate import type key input cf3:/key_plain_rsa2048 output key1_rsa2048 format der
    
  5. Import the signed certificate.

    admin certificate import type cert input cf3:/7750_cert.pem output 7750cert format pem
    

The following are steps to configure CA certificate/CRL import.

  1. Import the CA certificate.

    admin certificate import type cert input cf3:/CA_1_cert.pem output ca_cert format pem
    
  2. Import the CA’s CRL.

    admin certificate import type crl input cf3:/CA_1_crl.pem output ca_crl format pem
    

The following example displays a certificate authentication configuration for an IKEv2 static LAN-to-LAN tunnel.

config>system>security>pki# info 
----------------------------------------------
                ca-profile "alu-root" create
                    cert-file "alu_root.cert"
                    crl-file "alu_root.crl"
                    no shutdown
                exit
----------------------------------------------
config>ipsec# info 
----------------------------------------------
        ike-policy 1 create
            ike-version 2
            auth-method cert-auth
            ike-transform 1
        exit
        ipsec-transform 1 create
        exit
        ike-transform 1 create
        exit
        cert-profile "segw" create
            entry 1 create
                cert segw.cert
                key segw.key
            exit                      
            no shutdown
        exit
        trust-anchor-profile "nokia" create
            trust-anchor "nokia-root"
        exit

config>service>vprn>if>sap
----------------------------------------------
                    ipsec-tunnel "t50" create
                        security-policy 1
                        local-gateway-address 192.168.55.30 peer 192.168.33.100 delivery-service 300
                        dynamic-keying
                            ike-policy 1
                            transform 1
                            cert
                                trust-anchor-profile "nokia"
                                cert-profile "segw"
                            exit
                        exit
                        no shutdown
                    exit
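
A cross-reference check over the configuration above, as an added example (not Nokia tooling and not part of the original page). It assumes that `trust-anchor` names a `ca-profile`, treats the displayed excerpts (trimmed and joined into the constructed `SAMPLE`) as the whole configuration, and uses the hypothetical helper names `blocks` and `audit`.

```python
import re
NAME = r'"?([^"\s]+)"?'  # profile name, quoted or bare
# Constructed sample: the pki, ipsec and tunnel excerpts above, trimmed and joined.
SAMPLE = '''
ca-profile "alu-root" create
    no shutdown
exit
cert-profile "segw" create
    no shutdown
exit
trust-anchor-profile "nokia" create
    trust-anchor "nokia-root"
exit
ipsec-tunnel "t50" create
    dynamic-keying
        cert
            trust-anchor-profile "nokia"
            cert-profile "segw"
        exit
    exit
exit
'''

def blocks(text, keyword):
    # {name: body lines} for every '<keyword> <name> create' block (indent-delimited)
    found, lines = {}, text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(rf'(\s*){keyword} {NAME} create\s*$', line)
        if m:
            found[m.group(2)] = body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= len(m.group(1)):
                    break  # back at the header's indent: block closed
                body.append(nxt.strip())
    return found

def audit(text):
    defs = {k: blocks(text, k) for k in ("ca-profile", "cert-profile", "trust-anchor-profile")}
    issues = [f'{k} "{n}" lacks "no shutdown"' for k in ("ca-profile", "cert-profile")
              for n, b in defs[k].items() if "no shutdown" not in b]
    # (block that holds the reference, reference keyword, kind of profile it must name)
    for holder, ref, kind in (("trust-anchor-profile", "trust-anchor", "ca-profile"),
                              ("ipsec-tunnel", "trust-anchor-profile", "trust-anchor-profile"),
                              ("ipsec-tunnel", "cert-profile", "cert-profile")):
        for owner, body in blocks(text, holder).items():
            for m in filter(None, (re.match(rf'{ref} {NAME}$', l) for l in body)):
                if m.group(1) not in defs[kind]:
                    issues.append(f'{holder} "{owner}": {ref} "{m.group(1)}" has no {kind}')
    return issues
```

Run over the excerpts as printed, `audit(SAMPLE)` reports that trust-anchor "nokia-root" has no matching ca-profile, because the only CA profile shown is "alu-root".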

The following displays an example of the syntax to import a certificate from the pem format.

*A:SR-7/Dut-A# admin certificate import type cert input cf3:/pre-import/R1-0cert.pem output R1-0cert.der format pem

The following displays an example of the syntax to export a certificate to the pem format.

*A:SR-7/Dut-A# admin certificate export type cert input R1-0cert.der output cf3:/R1-0cert.pem format pem