
  • Certificate technology on Junos Pulse Secure Access

    How-to

    Contents:

    Introduction: 1
    Creating a Certificate signing request (CSR): 1
    Import Intermediate CAs: 3
    Using Trusted Client CA on Junos Pulse Secure Access device: 5
    Import Trusted Client CA Certificates: 5
    Configuring Options for Trusted Client CA Certificates: 6
    Configure Certificate Server: 8
    Configure Certificate Restrictions: 9
    Using Trusted Server CAs: 10
    Uploading Trusted Server CA Certificates: 11
    Using Code-signing Certificates: 12
    Importing a Code-Signing CA Certificate: 12
    Certificates Troubleshooting tips: 14

    Juniper Networks, Inc.

  • Certificate technology on IVE how-to document

    Introduction: A device certificate helps to secure network traffic to and from a Junos Pulse Secure Access device using a combination of X.509 certificates and symmetric key encryption. When you initialize a Junos Pulse Secure Access device, a temporary self-signed certificate is created locally so that users can immediately begin using the device. Please note that encryption with the self-signed certificate is perfectly safe, but users will be prompted with a security alert each time they sign in to the device because the certificate is not issued by a trusted certificate authority (CA). For production purposes, we recommend obtaining a digital certificate from a public certificate authority (such as VeriSign or Thawte). A signed device certificate is added to the Junos Pulse Secure Access device by creating a certificate signing request (CSR) through the administrator web interface and then sending the request to a CA for processing. When a CSR is created through the admin web interface, a private key that corresponds to the CSR is created locally. If the CSR is deleted, the private key is deleted with it, which makes it impossible to install the signed certificate that matches the CSR.

    Creating a Certificate signing request (CSR):

    1. In the administrator web interface, navigate to System > Configuration > Certificates > Device Certificates.

    2. Click New CSR.

    3. Enter the required information (CN and Organization are required fields) and click Create CSR. The Certificate Signing Request page appears with the encoded text.


    4. Submit the CSR to a Certificate Authority (CA) for signing. Copy the encoded text shown on the page:

    -----BEGIN CERTIFICATE REQUEST-----

    (Base-64 encoded certificate request)

    -----END CERTIFICATE REQUEST-----

    Make sure you copy the begin and end lines as well, then submit the text to your certificate authority in one of the following ways:

    Save the text as a .cert file and attach it to an email message to the CA.
    Paste the text into an email message to the CA.
    Paste the text into a Web form provided by the CA.

    Note: When submitting a certificate signing request (CSR) to a CA, you may be asked to specify the type of Web server. Select apache_modssl (if more than one apache_modssl option is available, any of them will do). If prompted for the certificate format to download, select X.509 or Base-64 format.

    5. When you receive the signed certificate from the CA, perform the following steps:

    a. In the administrator Console, navigate to System > Configuration > Certificates > Device Certificates.

    b. Click the Pending Certificate Signing Request link.

    c. Browse to the certificate file you received from the CA (cert.cer) and click Import.


    Import Intermediate CAs: If the device certificate is issued by an intermediate CA, you will need to import the intermediate CA certificates under Intermediate Device CAs. Within a certificate hierarchy, one or more intermediate certificates may be issued from a single root certificate. The root certificate is issued by a root certificate authority (CA) and is self-signed. Each intermediate certificate is issued by the certificate above it in the chain.

    1. In the administrator web interface, navigate to System > Configuration > Certificates > Device Certificates.

    2. Click Intermediate Device CAs.

    3. Click Import CA Certificate


    4. Click Choose File.

    5. Browse to the Intermediate CA file.

    6. Click Import Certificate.

    Note: Ensure certificates are added starting from the top down (Root > Intermediate). Check the validity period of each certificate and replace any expired certificates.


    Using Trusted Client CAs on a Junos Pulse Secure Access device: The Junos Pulse Secure Access device supports X.509 CA certificates in DER and PEM encoded formats. A trusted client CA is a certificate authority (CA) trusted by the Junos Pulse Secure Access device for client authentication. Once added to the Trusted Client CA list, the Junos Pulse Secure Access gateway will trust any certificate issued by that CA. To use client CA certificates, you must install and enable the proper root CA certificates. Additionally, you must install a client certificate in the web browsers of your end users' machines, or use the MMC Certificates snap-in for computer accounts (machine certificate). When validating a client-side certificate, the Junos Pulse Secure Access device checks that the certificate is valid (not expired) and signed by a certificate authority in the Trusted Client CA list. The device validates every certificate in the hierarchy until it reaches the root CA, checking the validity of each issuer as it goes up the chain.

    Import Trusted Client CA Certificates:

    1. Navigate to Configuration > Certificates > Trusted Client CAs.

    2. Click Import CA Certificate.

    3. Click Choose File and select the top-level root certificate.

    4. Click Import Certificate.

    Note: Repeat steps 3 and 4 for each intermediate certificate in the hierarchy. The above example was imported in the following order: IB/A > AC access > AC radio\E4\log > AC netaccess logic.


    Configuring Options for Trusted Client CA Certificates: CRL (Certificate Revocation List) - A certificate revocation list (CRL) is a mechanism for cancelling a client-side certificate. As the name implies, a CRL is a list of revoked certificates published by a CA or a delegated CRL issuer. The system supports base CRLs, which include all of the company's revoked certificates in a single, unified list.

    To configure CRL client certificate status checking, perform the following steps:

    1. From the Trusted Client CA list, click the CA certificate that signs the end user certificates.

    2. Under Client certificate status checking, select the radio button Use CRLs (Certificate Revocation Lists).

    3. Click Save Changes.

    4. Under CRL Settings, select CRL Checking Options.

    5. From the Use drop-down, select CDP(s) specified in client certificates.

    6. Click Save Changes.

    In rare instances, the CDP may not be given in the client certificates. In this scenario, change CDP(s) specified in client certificates to Manually configured CDP. For the CDP information, contact your certificate authority administrator to confirm the CDP URL and the LDAP credentials (if LDAP is used).

    Note: The above example only performs CRL checking for the client certificates. In the rare situation that CRL checking is required for each CA in the hierarchy, you will need to configure CRL checking for each CA and select CDP(s) specified in the Trusted Client CA.
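    The checks this document asks an administrator to make by hand (intermediate CAs imported top down with no expired certificate, the chain validated link by link up to a self-signed root, and the CDP read from a client certificate, or found missing so that Manually configured CDP is needed) can be done from the command line before anything is uploaded. The script below is an added example, not part of this Juniper how-to: it assumes the openssl CLI is on PATH (1.0.2 or later, for -partial_chain), and every name and URL it creates (Example Root CA, Example Issuing CA, vpn.example.test, crl.example.test) is a constructed placeholder.

```sh
#!/bin/sh
# Added example, not from the Juniper how-to: builds a constructed chain
# (Example Root CA > Example Issuing CA > vpn.example.test, all made up)
# and runs the checks the how-to asks for before certificates are imported.
set -e
WORK=$(mktemp -d)
# csr_subject CSR : prints the subject the CA will sign; CN and O are required
csr_subject() { openssl req -in "$1" -noout -subject | sed 's/^subject= *//'; }
# cdp CERT : prints the CRL distribution point URI(s) found in the certificate;
# empty output means the device needs "Manually configured CDP" instead
cdp() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p'; }
# check_chain ROOT [INTERMEDIATE...] LEAF : succeeds only if the files are in
# top-down order (first self-signed, each next one signed by the previous one)
# and none has expired; that is the order in which they should be imported
check_chain() {
  prev=""
  for f in "$@"; do
    if [ -z "$prev" ]; then
      openssl verify -CAfile "$f" "$f" >/dev/null 2>&1 || return 1
    else
      openssl verify -partial_chain -CAfile "$prev" "$f" >/dev/null 2>&1 || return 1
    fi
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null || return 1
    prev="$f"
  done
}
# sign_csr CSR ISSUER_CERT ISSUER_KEY EXTFILE DAYS OUT : issuer signs a request
sign_csr() {
  openssl x509 -req -sha256 -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -extfile "$4" -days "$5" -out "$6" 2>/dev/null
}
# make_chain : self-signed root, intermediate with CA:TRUE, leaf carrying a CDP
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Corp/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Corp/CN=Example Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/int.ext"
  sign_csr "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" "$WORK/int.ext" 1825 "$WORK/int.pem"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Corp/CN=vpn.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\ncrlDistributionPoints=URI:http://crl.example.test/issuing.crl\n' >"$WORK/leaf.ext"
  sign_csr "$WORK/leaf.csr" "$WORK/int.pem" "$WORK/int.key" "$WORK/leaf.ext" 365 "$WORK/leaf.pem"
}
make_chain
csr_subject "$WORK/leaf.csr"
check_chain "$WORK/root.pem" "$WORK/int.pem" "$WORK/leaf.pem" && echo "chain order and validity OK"
cdp "$WORK/leaf.pem"
```

    Run check_chain on your own files in the order you intend to import them; a non-zero exit means the order is wrong, a link is not signed by the certificate above it, or one of them has expired.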


    OCSP (Online Certificate Status Protocol) - The Online Certificate Status Protocol (OCSP) is a service that enables you to verify client certificates. When OCSP is enabled, the system becomes a client of an OCSP responder and forwards validation requests for users based on the client certificate. The OCSP responder maintains a store of CA-published certificate revocation lists (CRLs) and maintains an up-to-date list of valid and invalid certificates. After the OCSP responder receives a validation request, it validates the status of the certificate using its own authentication database, or it calls upon the OCSP responder that originally issued the certificate to validate the request. After formulating a response, the OCSP responder returns the signed response, and the original certificate is either approved or rejected.

    Comparison of CRLs and OCSP:

    Using OCSP, clients do not need to parse CRLs themselves.
    OCSP provides a real-time response, while CRL data is updated periodically at an interval determined by the CA.

    To configure OCSP client certificate status checking, perform the following steps:

    1. From the Trusted Client CA list, c