H3C Technologies H3C WX3000E Series Wireless Switches User Manual

• IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you must configure the IP address of the LDAP server.
• Fingerprint for root certificate verification—After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate—the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity rejects the root certificate.
To configure a PKI domain:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a PKI domain and enter its view.
   Command: pki domain domain-name
   Remarks: No PKI domain exists by default.

3. Specify the trusted CA.
   Command: ca identifier name
   Remarks: No trusted CA is specified by default.

4. Specify the entity for certificate request.
   Command: certificate request entity entity-name
   Remarks: No entity is specified by default. The specified entity must exist.

5. Specify the authority for certificate request.
   Command: certificate request from { ca | ra }
   Remarks: No authority is specified by default.

6. Configure the URL for certificate request.
   Command: certificate request url url-string
   Remarks: No certificate request URL is configured by default.

7. Configure the polling interval and attempt limit for querying the certificate request status.
   Command: certificate request polling { count count | interval minutes }
   Remarks: Optional. By default, polling is performed up to 50 times at 20-minute intervals.

8. Specify the LDAP server.
   Command: ldap-server ip ip-address [ port port-number ] [ version version-number ]
   Remarks: Optional. No LDAP server is specified by default.

9. Configure the fingerprint for root certificate verification.
   Command: root-certificate fingerprint { md5 | sha1 } string
   Remarks: Required when the certificate request mode is auto and optional when the certificate request mode is manual. In the latter case, if you do not configure this command, the fingerprint of the root certificate must be verified manually. No fingerprint is configured by default.

NOTE:
• Up to two PKI domains can be created on the access controller.
• The CA name is required only when you retrieve a CA certificate. It is not used in a local certificate request.
• The certificate request URL does not support domain name resolution.
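
The fingerprint comparison described for root certificate verification can be reproduced off-device, for example to check a CA certificate file against the fingerprint obtained from the CA before entering it in step 9. This is an added example, not code from the H3C manual: it assumes the fingerprint is the MD5 or SHA-1 hash of the certificate's DER encoding, and the function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Hex digest length for each algorithm offered by "root-certificate fingerprint".
HEX_LEN = {"md5": 32, "sha1": 40}


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes inside a PEM CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def normalize(configured: str, algo: str) -> str:
    """Strip separators and case so 'AB:CD:...' and 'abcd...' compare equal."""
    if algo not in HEX_LEN:
        raise ValueError("algorithm must be md5 or sha1")
    hexstr = re.sub(r"[\s:.-]", "", configured).lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[algo], hexstr):
        raise ValueError(f"{algo} fingerprint must be {HEX_LEN[algo]} hex digits")
    return hexstr


def fingerprint(der: bytes, algo: str) -> str:
    """Hash of the certificate content (assumption: its DER encoding)."""
    return hashlib.new(algo, der).hexdigest()


def accept_root_cert(pem: str, algo: str, configured: str) -> bool:
    """True only if the received root certificate matches the configured value."""
    expected = normalize(configured, algo)
    actual = fingerprint(pem_to_der(pem), algo)
    return hmac.compare_digest(actual, expected)


# Constructed stand-in bytes, not a real certificate: the fingerprint is a hash
# over the encoded bytes, so any byte string exercises the comparison.
SAMPLE_DER = bytes.fromhex("3082010a0201") + b"constructed-root-ca-content"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_DER, "sha1")
    print("sha1:", fp, "match:", accept_root_cert(SAMPLE_PEM, "sha1", fp.upper()))
```

A malformed or wrong-length fingerprint raises an error instead of returning False, so a mistyped value is not confused with a certificate mismatch.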