Configuring a pki domain – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

| Step | Command | Remarks |
|---|---|---|
| 5. Configure the FQDN for the entity. | fqdn name-str | Optional. No FQDN is specified by default. |
| 6. Configure the IP address for the entity. | ip ip-address | Optional. No IP address is specified by default. |
| 7. Configure the locality for the entity. | locality locality-name | Optional. No locality is specified by default. |
| 8. Configure the organization name for the entity. | organization org-name | Optional. No organization is specified by default. |
| 9. Configure the unit name for the entity. | organization-unit org-unit-name | Optional. No unit is specified by default. |
| 10. Configure the state or province for the entity. | state state-name | Optional. No state or province is specified by default. |

NOTE:

Up to two entities can be created on the access controller.

The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the entity DN in a certificate request goes beyond this limit, the server does not respond to the certificate request.
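
The entity attributes in the table above travel inside the certificate request as a DER-encoded X.501 subject name (locality, organization, organization-unit and state, plus the common name and country that the earlier entity steps, not shown on this page, are assumed to set), while the FQDN and IP address become subjectAltName entries rather than DN attributes. The following Python script is an added example, not code from the manual or from H3C: it encodes those fields with the standard library only and measures the encoded DN so it can be compared with a CA-imposed request-length limit such as the Windows 2000 CA restriction in the NOTE. The entity values and the 255-byte limit used in the demo are constructed for illustration.

```python
"""Added example (not from the H3C manual): DER-encode the PKI entity attributes
and check the subject DN length before sending a request to a length-restricted CA.
Standard library only; the sample entity values are constructed."""
import ipaddress

# X.501 attribute types keyed by the entity command that sets them. common-name and
# country are assumed to come from the entity steps not shown on this page.
ATTR_OIDS = {
    "country": ("2.5.4.6", 0x13),            # PrintableString
    "state": ("2.5.4.8", 0x0C),              # UTF8String
    "locality": ("2.5.4.7", 0x0C),
    "organization": ("2.5.4.10", 0x0C),
    "organization-unit": ("2.5.4.11", 0x0C),
    "common-name": ("2.5.4.3", 0x0C),
}
DN_ORDER = ["country", "state", "locality", "organization", "organization-unit", "common-name"]


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    content = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                      # least significant 7-bit group first ...
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))     # ... continuation bit on all higher groups
            arc >>= 7
        content.extend(reversed(chunk))
    return der_tlv(0x06, bytes(content))


def encode_subject_name(entity: dict) -> bytes:
    """X.501 Name: SEQUENCE of single-attribute RDN SETs, in DN_ORDER.
    Attributes the entity leaves unset (all optional per the table) are skipped."""
    rdns = b""
    for key in DN_ORDER:
        value = entity.get(key)
        if not value:
            continue
        oid, string_tag = ATTR_OIDS[key]
        atv = der_tlv(0x30, der_oid(oid) + der_tlv(string_tag, value.encode("utf-8")))
        rdns += der_tlv(0x31, atv)                # RelativeDistinguishedName is a SET
    return der_tlv(0x30, rdns)


def encode_subject_alt_name(entity: dict) -> bytes:
    """GeneralNames for the fqdn and ip commands: SAN entries, not DN attributes."""
    names = b""
    if entity.get("fqdn"):
        names += der_tlv(0x82, entity["fqdn"].encode("ascii"))             # [2] dNSName
    if entity.get("ip"):
        names += der_tlv(0x87, ipaddress.ip_address(entity["ip"]).packed)  # [7] iPAddress
    return der_tlv(0x30, names)


def check_dn_length(entity: dict, limit: int) -> tuple:
    """Return (encoded DN length, fits) so the operator can shorten O/OU/L values
    instead of waiting on a CA that silently ignores an oversized request."""
    size = len(encode_subject_name(entity))
    return size, size <= limit


# Constructed sample entity; values are illustrative, not from the manual.
SAMPLE_ENTITY = {
    "common-name": "ac1", "country": "CN", "state": "Beijing", "locality": "Haidian",
    "organization": "Example Corp", "organization-unit": "Wireless",
    "fqdn": "ac1.example.com", "ip": "192.168.1.1",
}

if __name__ == "__main__":
    size, fits = check_dn_length(SAMPLE_ENTITY, 255)   # 255 is a hypothetical CA limit
    print(f"subject DN: {size} bytes, within limit: {fits}")
    print("subjectAltName:", encode_subject_alt_name(SAMPLE_ENTITY).hex())
```

If the check reports that the DN does not fit the limit your CA enforces, shorten the organization, unit or locality strings (the table marks all of them optional) before retrying the request; the CA behaviour described in the NOTE gives no error to diagnose after the fact.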

Configuring a PKI domain

Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is only intended for convenient reference by applications like IKE and SSL, and only has local significance. A PKI domain configured on a device is invisible to the CA and other devices, and each PKI domain has its own parameters.

A PKI domain defines these parameters:

- Trusted CA—An entity requests a certificate from a trusted CA.
- Entity—A certificate applicant uses an entity to provide its identity information to a CA.
- RA—Generally, an independent RA is in charge of certificate request management. It receives the registration request from an entity, checks its qualification, and determines whether to ask the CA to sign a digital certificate. The RA only checks the application qualification of an entity; it does not issue any certificate. Sometimes, the registration management function is provided by the CA, in which case no independent RA is required. It is a good practice to deploy an independent RA.
- URL of the registration server—An entity sends a certificate request to the registration server through Simple Certificate Enrollment Protocol (SCEP), a dedicated protocol for an entity to communicate with a CA. This URL is also called the certificate request URL.
- Polling interval and count—After an applicant makes a certificate request, the CA might need a long period of time if it verifies the certificate request manually. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed. You can configure the polling interval and count to query the request status.