H3C Technologies H3C WX3000E Series Wireless Switches User Manual

IP address of the LDAP server: An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you must configure the IP address of the LDAP server.

Fingerprint for root certificate verification: After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, which is the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity rejects the root certificate.

To configure a PKI domain:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create a PKI domain and enter its view.
Command: pki domain domain-name
Remarks: No PKI domain exists by default.

Step 3. Specify the trusted CA.
Command: ca identifier name
Remarks: No trusted CA is specified by default.

Step 4. Specify the entity for certificate request.
Command: certificate request entity entity-name
Remarks: No entity is specified by default. The specified entity must exist.

Step 5. Specify the authority for certificate request.
Command: certificate request from { ca | ra }
Remarks: No authority is specified by default.

Step 6. Configure the URL for certificate request.
Command: certificate request url url-string
Remarks: No certificate request URL is configured by default.

Step 7. Configure the polling interval and attempt limit for querying the certificate request status.
Command: certificate request polling { count count | interval minutes }
Remarks: Optional. By default, the polling is executed up to 50 times at an interval of 20 minutes.

Step 8. Specify the LDAP server.
Command: ldap-server ip ip-address [ port port-number ] [ version version-number ]
Remarks: Optional. No LDAP server is specified by default.

Step 9. Configure the fingerprint for root certificate verification.
Command: root-certificate fingerprint { md5 | sha1 } string
Remarks: Required when the certificate request mode is auto and optional when the certificate request mode is manual. In the latter case, if you do not configure this command, the fingerprint of the root certificate must be verified manually. No fingerprint is configured by default.

NOTE:

Up to two PKI domains can be created on the access controller.

The CA name is required only when you retrieve a CA certificate. It is not used in local certificate requests.

The certificate request URL does not support domain name resolution.
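
The fingerprint check from step 9 can be reproduced off the device to obtain the value to configure, or to verify a root certificate manually. The following is an added example, not part of the H3C manual: it assumes the fingerprint is the hash of the certificate's DER encoding written as hex, and all function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl

# Hex length of each algorithm the root-certificate fingerprint command offers.
HEX_LEN = {"md5": 32, "sha1": 40}

def to_der(cert: bytes) -> bytes:
    """Unwrap PEM to DER; input that is not PEM is treated as DER already."""
    text = cert.strip()
    if text.startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    return cert

def fingerprint(cert: bytes, algorithm: str) -> str:
    """Hash the certificate content (assumed: its DER encoding) as lowercase hex."""
    if algorithm not in HEX_LEN:
        raise ValueError("algorithm must be md5 or sha1")
    return hashlib.new(algorithm, to_der(cert)).hexdigest()

def normalise(configured: str, algorithm: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'abcd' spellings; reject wrong length or non-hex."""
    value = configured.replace(":", "").replace(" ", "").lower()
    if len(value) != HEX_LEN[algorithm] or set(value) - set("0123456789abcdef"):
        raise ValueError("malformed %s fingerprint" % algorithm)
    return value

def root_cert_accepted(cert: bytes, algorithm: str, configured: str) -> bool:
    """Mirror the documented rule: a mismatching root certificate is rejected."""
    actual = fingerprint(cert, algorithm)
    return hmac.compare_digest(actual, normalise(configured, algorithm))

# Constructed stand-in bytes, not a real certificate: only the hashing matters here.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_PEM, "sha1")
    print("root-certificate fingerprint sha1", fp)
    print("accepted:", root_cert_accepted(SAMPLE_DER, "sha1", fp.upper()))
    print("tampered accepted:", root_cert_accepted(SAMPLE_DER + b"\x00", "sha1", fp))
```

The reference fingerprint should come from the CA over a channel separate from the one that delivers the certificate; of the two algorithms the command offers, sha1 is the stronger.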