How do I configure and manage PKI site security on an NE?

Purpose

Perform this procedure to create the required DSA or RSA keypair and CA request on an NE to enable PKI security between peers, and to manage keys, certificates, and CRLs.

PKI encryption is required for functions such as IPsec, which use X.509 certificate-based authentication. The following devices support PKI encryption:

  • 7450 ESS

  • 7705 SAR

  • 7750 SR MG

  • 7750 SR

  • 7705 SAR-Hm

  • 7250 IXR

Note: The displayed parameters vary depending on the NE type, release, and the settings of other parameters.

Steps
 

1

Choose Administration→Security→NE PKI Authentication→Site Public Key Infrastructure from the NFM-P main menu. The Select Site form opens.


2

Choose a managed NE and click OK. The Site Security Public Key Infrastructure (Edit) form opens.


3

Configure the required parameters.


4

Click Apply to save the changes.


5

Perform the following steps to generate a PKI keypair that is stored in a file on an NE compact flash drive.

  1. Choose Admin Certificate→Generate Keypair from the More Actions button menu. The Admin Certificate Generate Keypair form opens.

  2. Configure the required parameters.

  3. Click Execute. The keypair is generated and stored.

  4. Close the form.


6

Perform the following steps to generate a local PKCS#10 certificate request on a local compact flash drive.

  1. Choose Admin Certificate→Generate Local Certificate Request from the More Actions button menu. The Admin Certificate Generate Local Certificate Request form opens.

  2. Configure the required parameters.

  3. Click Execute. The local request is generated.

  4. Close the form.


7

If you want the certificate signed by a CA, FTP the request file to the CA and use the CA-signed certificate in the following steps.


8

Perform the following steps to convert the certificate file to the required format for the NE.

  1. Choose Admin Certificate→Import File from the More Actions button menu. The Admin Certificate Import File form opens.

  2. Configure the required parameters.

  3. Click Execute. The file is imported.

  4. Close the form.


9

To convert a certificate, keypair, or CRL file on the NE to another format, perform the following steps.

  1. Choose Admin Certificate→Export File from the More Actions button menu. The Admin Certificate Export File form opens.

  2. Configure the required parameters.

  3. Click Execute. The file is exported.

  4. Close the form.


10 

To display the content of a certificate, keypair, or CRL file in plain text, perform the following steps.

  1. Choose Admin Certificate→Display File from the More Actions button menu. The Admin Certificate Display File form opens.

  2. Configure the required parameters.

    Note: If you are displaying key file content, only the Key Size and Key Type are displayed.

    Note: You must configure the Password parameter if the file uses PKCS#12 encryption.

  3. Click Execute. The file content is displayed.

  4. Close the form.


11 

To reload a certificate or keypair file from a local compact flash drive, perform the following steps.

  1. Choose Admin Certificate→Reload File from the More Actions button menu. The Admin Certificate Reload File form opens.

  2. Configure the required parameters.

  3. Click Execute. The file content is reloaded.

  4. Close the form.


12 

To clear the OCSP cache, perform the following steps.

  1. Choose Admin Certificate→Clear OCSP Cache from the More Actions button menu. The Admin Certificate Clear OCSP Cache form opens.

  2. Configure the required parameters.

  3. Click Execute. The file content is reloaded.

  4. Close the form.


13 

To import a Secure ND RSA keypair, perform the following steps.

  1. Choose Admin Certificate→Secure ND Import from the More Actions button menu. The Admin Certificate Secure ND Import form opens.

  2. Configure the required parameters.

  3. Click Execute. The keypair is imported.

  4. Close the form.


14 

To export the Secure ND RSA keypair, perform the following steps.

  1. Choose Admin Certificate→Secure ND Export from the More Actions button menu. The Admin Certificate Secure ND Export form opens.

  2. Click Execute. The keypair is exported.

  3. Close the form.


15 

To perform CMPv2 actions, see How do I perform CMPv2 actions?


16 

To enroll an EST profile, perform the following steps.

  1. Choose Admin Certificate→Enroll EST Profile from the More Actions button menu. The Admin Certificate Enroll EST Profile form opens.

  2. Configure the required parameters.

  3. Click Execute. The file content is enrolled.

  4. Close the form.


17 

To distribute a CA certificate using EST, perform the following steps.

  1. Choose Admin Certificate→EST Distribute CA Certificate from the More Actions button menu. The Admin Certificate EST Distribute CA Certificate form opens.

  2. Configure the required parameters.

  3. Click Execute. The file content is distributed.

  4. Close the form.


18 

To renew an EST profile, perform the following steps.

  1. Choose Admin Certificate→Renew EST Profile from the More Actions button menu. The Admin Certificate Renew EST Profile form opens.

  2. Configure the required parameters.

  3. Click Execute. The file content is renewed.

  4. Close the form.


19 

Close the Site Security Public Key Infrastructure (Edit) form.

End of steps
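
Added example (not part of the NFM-P procedure): a workstation-side check, run between receiving the CA-signed certificate and importing it on the NE, that the certificate carries the public key from the PKCS#10 request and was issued by the expected CA. It assumes OpenSSL is installed and that PEM copies of the request, certificate, and CA certificate are available; all file names and subjects are constructed for illustration.

```shell
#!/bin/sh
# SHA-256 of the DER-encoded public key inside a PKCS#10 request (PEM).
csr_pubkey_fp() {
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same fingerprint, taken from an X.509 certificate (PEM).
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_signed_cert CSR CERT CA
# Succeeds only if the request's self-signature is valid, the certificate
# contains the requested public key, and the certificate chains to CA.
check_signed_cert() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "bad CSR signature"; return 1; }
    [ "$(csr_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ] ||
        { echo "public key mismatch"; return 1; }
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
        { echo "not issued by expected CA"; return 1; }
    echo "ok"
}

# Constructed sample data: a throwaway lab CA and two requests ("ne" and
# "other"), each signed by that CA. Stands in for the files from the NE and CA.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/ca.crt" -subj "/CN=Example Lab CA" -days 1 2>/dev/null
    for n in ne other; do
        openssl req -newkey rsa:2048 -nodes -keyout "$1/$n.key" \
            -out "$1/$n.csr" -subj "/CN=$n.example.net" 2>/dev/null
        openssl x509 -req -in "$1/$n.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
            -CAcreateserial -out "$1/$n.crt" -days 1 2>/dev/null
    done
}

d=$(mktemp -d) && make_sample "$d" &&
    check_signed_cert "$d/ne.csr" "$d/ne.crt" "$d/ca.crt"
```

A "public key mismatch" result means the certificate was issued for a different keypair than the one stored on the NE, so the imported certificate would not be usable with that key.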