
Displaying and maintaining PKI, PKI configuration examples, Certificate request from an RSA Keon CA server – H3C Technologies H3C S6300 Series Switches User Manual


Displaying and maintaining PKI

Execute display commands in any view.

Task: Display the contents of a certificate.
Command: display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] }

Task: Display certificate request status.
Command: display pki certificate request-status [ domain domain-name ]

Task: Display locally stored CRLs.
Command: display pki crl domain domain-name

Task: Display certificate attribute group information.
Command: display pki certificate attribute-group [ group-name ]

Task: Display certificate access control policy information.
Command: display pki certificate access-control-policy [ policy-name ]

PKI configuration examples

You can use different software applications, such as Windows server, RSA Keon, and OpenCA, to act as the CA server.

If you use Windows server or OpenCA, install the SCEP add-on for Windows server or enable SCEP for OpenCA. In either case, when you configure a PKI domain, you must use the certificate request from ra command to specify the RA to accept certificate requests for PKI entity enrollment to an RA.

If you use RSA Keon, the SCEP add-on is not required. When you configure a PKI domain, you must use the certificate request from ca command to specify the CA to accept certificate requests for PKI entity enrollment to a CA.
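
The two cases above as device-side PKI domain settings, followed by display commands from the table to check the result. This is an added example, not taken from the manual: the domain names dom-ra and dom-ca, the entity name entity1 (assumed to exist already), and the URLs are placeholders, and myca is assumed to be the CA identifier.

```text
# Added example. dom-ra, dom-ca, entity1 and both URLs are placeholders.

# Case 1: Windows server with the SCEP add-on, or OpenCA with SCEP enabled.
# The RA accepts the certificate request.
<Device> system-view
[Device] pki domain dom-ra
[Device-pki-domain-dom-ra] ca identifier myca
[Device-pki-domain-dom-ra] certificate request url http://RA-HOST-PLACEHOLDER/SCEP-PATH-PLACEHOLDER
[Device-pki-domain-dom-ra] certificate request from ra
[Device-pki-domain-dom-ra] certificate request entity entity1
[Device-pki-domain-dom-ra] quit

# Case 2: RSA Keon, no SCEP add-on.
# The CA accepts the certificate request directly.
[Device] pki domain dom-ca
[Device-pki-domain-dom-ca] ca identifier myca
[Device-pki-domain-dom-ca] certificate request url http://CA-HOST-PLACEHOLDER/ENROLL-PATH-PLACEHOLDER
[Device-pki-domain-dom-ca] certificate request from ca
[Device-pki-domain-dom-ca] certificate request entity entity1
[Device-pki-domain-dom-ca] quit

# Verification (display commands run in any view).
# Pending or completed request status for the domain:
[Device] display pki certificate request-status domain dom-ca
# CA certificate and the device's local certificate:
[Device] display pki certificate domain dom-ca ca
[Device] display pki certificate domain dom-ca local
# Locally stored CRLs for the domain:
[Device] display pki crl domain dom-ca
```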

Certificate request from an RSA Keon CA server

Network requirements

Configure the PKI entity (the device) to request a local certificate from the CA server.

Figure 70 Network diagram

Configuring the CA server

1. Create a CA server named myca:
   In this example, you must configure these basic attributes on the CA server:

   - Nickname—Name of the trusted CA.

   - Subject DN—DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C).