beautypg.com

H3C Technologies H3C MSR 50 User Manual

Page 486

background image

101

Recommended configuration procedure for manual request

Step Remarks

1. Creating a PKI entity

Required.
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and the identity information of an
entity, where the distinguished name (DN) shows the identity information of

the entity. A CA identifies a certificate applicant uniquely by an entity DN.
The DN settings of an entity must be compliant to the CA certificate issue
policy. Otherwise, the certificate request might be rejected. You must know

the policy to determine which entity parameters are mandatory or optional.

2. Creating a PKI domain

Required.
Create a PKI domain, setting the certificate request mode to Manual.
Before requesting a PKI certificate, an entity needs to be configured with
some enrollment information, which is called a PKI domain.
A PKI domain is intended only for convenience of reference by other
applications like IKE and SSL, and has only local significance.

3. Generating an RSA key

pair

Required.
Generate a local RSA key pair.
By default, no local RSA key pair exists.
Generating an RSA key pair is an important step in certificate request. The
key pair includes a public key and a private key. The private key is kept by

the user, and the public key is transferred to the CA along with some other
information.

IMPORTANT:

If a local certificate already exists, you must remove the certificate before

generating a new key pair, so as to keep the consistency between the key pair

and the local certificate.

4.

Retrieving the CA

certificate

Required.
Certificate retrieval serves the following purposes:

Locally store the certificates associated with the local security domain for

improved query efficiency and reduced query count,

Prepare for certificate verification.

IMPORTANT:

If a local CA certificate already exists, you cannot perform the CA certificate
retrieval operation. This restriction avoids possible mismatch between

certificates and registration information resulting from relevant changes. To

retrieve the CA certificate, you must remove the CA certificate and local
certificate first.

This manual is related to the following products: