Configuring a PKI domain – H3C Technologies H3C S6300 Series Switches User Manual

(Continued from the previous page: configuring a PKI entity, steps 7 through 10.)

Step 7. Set the unit of the entity in the organization.
  Command: organization-unit org-unit-name
  Remarks: By default, the unit is not set.

Step 8. Set the state where the entity resides.
  Command: state state-name
  Remarks: By default, the state is not set.

Step 9. Set the FQDN of the entity.
  Command: fqdn fqdn-name-string
  Remarks: By default, the FQDN is not set.

Step 10. Configure the IP address of the entity.
  Command: ip { ip-address | interface interface-type interface-number }
  Remarks: By default, the IP address is not configured.

Configuring a PKI domain

A PKI domain contains enrollment information for a PKI entity. It is locally significant and is intended only for reference by other applications like IKE and SSL.

The fingerprint of a CA root certificate is the hash value of the root certificate content. Each CA root certificate has a unique hash value. You can specify the fingerprint used for verifying the root certificate in the PKI domain.

After receiving a CA root certificate that does not exist locally, the PKI entity verifies the fingerprint of the root certificate in the following cases:

• For an obtained or imported CA root certificate, if its fingerprint does not match the one configured for the PKI domain, the device rejects the root certificate, and the obtain or import operation fails. If you do not specify the fingerprint for the PKI domain, the system asks you to verify the fingerprint manually.

• For a CA root certificate obtained through an automatic local certificate request process that IKE triggers, if its fingerprint does not match the one configured for the PKI domain, the device rejects the root certificate, and the local certificate request fails. If you do not specify the fingerprint for the PKI domain, the local certificate request fails.
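The decision rules above can be modelled as a small verifier. The following Python is an added example written for this page, not H3C's own code or firmware logic. It assumes SHA-256 as the fingerprint hash (the manual only says "hash value of the root certificate content" and names no algorithm here), uses a constructed byte string in place of a real DER-encoded root certificate, and accepts operator-entered fingerprints with or without colon separators:

```python
import hashlib
from enum import Enum
from typing import Callable, Optional

# Constructed stand-in for the DER bytes of a CA root certificate. A real device
# hashes the actual certificate content it obtained or imported.
SAMPLE_ROOT_CERT = b"CONSTRUCTED-SAMPLE-ROOT-CERTIFICATE-CONTENT-NOT-A-REAL-DER-BLOB"


class Source(Enum):
    """How the root certificate reached the PKI entity (the two cases on this page)."""
    OBTAINED_OR_IMPORTED = "obtain/import"   # manual obtain or import operation
    IKE_AUTO_REQUEST = "ike-auto-request"     # automatic local certificate request triggered by IKE


def fingerprint(root_cert_content: bytes) -> str:
    """Hash the root certificate content.

    Assumption: SHA-256 is used here for illustration; the manual only says the
    fingerprint is the hash value of the root certificate content and does not
    name the algorithm on this page.
    """
    return hashlib.sha256(root_cert_content).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Canonicalize an operator-entered fingerprint: drop colons/spaces, lowercase."""
    return "".join(ch for ch in fp.lower() if ch not in ": ")


def verify_root_certificate(
    root_cert_content: bytes,
    configured_fingerprint: Optional[str],
    source: Source,
    manual_confirm: Optional[Callable[[str], bool]] = None,
) -> str:
    """Decide what happens to a newly received root certificate.

    Returns "accepted", "rejected" or "manual-verification", following the two
    cases the manual describes:
      * obtain/import: mismatch -> rejected (operation fails); no fingerprint
        configured -> the system asks the operator to verify manually.
      * IKE-triggered automatic request: mismatch -> rejected (request fails);
        no fingerprint configured -> the request fails, since nobody can confirm.
    """
    actual = fingerprint(root_cert_content)

    if configured_fingerprint is None:
        if source is Source.IKE_AUTO_REQUEST:
            return "rejected"
        if manual_confirm is None:
            return "manual-verification"
        # manual_confirm stands in for the operator comparing the displayed
        # fingerprint against the value published by the CA
        return "accepted" if manual_confirm(actual) else "rejected"

    if normalize_fingerprint(configured_fingerprint) == actual:
        return "accepted"
    return "rejected"


if __name__ == "__main__":
    good = fingerprint(SAMPLE_ROOT_CERT)
    tampered = SAMPLE_ROOT_CERT + b"\x00"   # constructed: content altered in transit
    for src in Source:
        print(src.value, "configured, match:   ", verify_root_certificate(SAMPLE_ROOT_CERT, good, src))
        print(src.value, "configured, mismatch:", verify_root_certificate(tampered, good, src))
        print(src.value, "no fingerprint:      ", verify_root_certificate(SAMPLE_ROOT_CERT, None, src))
```

The practical point the model makes visible is that the IKE-triggered path has no operator in the loop: without a configured fingerprint the request simply fails, so a domain that will be used by IKE needs the fingerprint set in advance, whereas a manual obtain or import can fall back to an on-screen comparison.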

To configure a PKI domain:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create a PKI domain and enter its view.
  Command: pki domain domain-name
  Remarks: By default, no PKI domains exist.

Step 3. Specify the trusted CA.
  Command: ca identifier name
  Remarks: By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be provided. The trusted CA name is carried in SCEP messages; the CA server does not use this name unless the server has two CAs configured with the same registration server.

Step 4. Specify the entity for certificate request.
  Command: certificate request entity entity-name
  Remarks: By default, no entity is specified.