Configuring a pki domain – H3C Technologies H3C S3600 Series Switches User Manual

1-6

Configuring a PKI Domain

Before requesting a PKI certificate, an entity needs to be configured with some enrollment information,

which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by

other applications like SSL, and has only local significance.

A PKI domain is defined by these parameters:

z

Trusted CA

An entity requests a certificate from a trusted CA.

z

Entity

A certificate applicant uses an entity to provide its identity information to a CA.

z

RA

Generally, an independent RA is in charge of certificate request management. It receives the

registration request from an entity, checks its qualification, and determines whether to ask the CA to

sign a digital certificate. The RA only checks the application qualification of an entity; it does not issue

any certificate. Sometimes, the registration management function is provided by the CA, in which case

no independent RA is required. You are recommended to deploy an independent RA.

z

URL of the registration server

An entity sends a certificate request to the registration server through Simple Certification Enrollment

Protocol (SCEP), a dedicated protocol for an entity to communicate with a CA.

z

Polling interval and count

After an applicant makes a certificate request, the CA may need a long period of time if it verifies the

certificate request manually. During this period, the applicant needs to query the status of the request

periodically to get the certificate as soon as possible after the certificate is signed. You can configure the

polling interval and count to query the request status.

z

IP address of the LDAP server

An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you need to

configure the IP address of the LDAP server.

z

Fingerprint for root certificate verification

Upon receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root

certificate, namely, the hash value of the root certificate content. This hash value is unique to every

certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain,

the entity will reject the root certificate.

Follow these steps to configure a PKI domain:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Create a PKI domain and enter
its view

pki domain domain-name

Required

No PKI domain exists by
default.

Specify the trusted CA

ca identifier name

Required

No trusted CA is specified by
default.