beautypg.com

H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 381

background image

368

Auto—In auto mode, an entity automatically requests a certificate through the Simple Certification

Enrollment Protocol (SCEP) when it has no local certificate or the present certificate is about to
expire.

You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes

require different configurations.

Recommended configuration procedure for manual request

Step Remarks

1. Creating a PKI entity

Required
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and an entity, where an entity is
the collection of the identity information of a user. A CA identifies a

certificate applicant by entity.

IMPORTANT:

The identity settings of an entity must be compliant to the CA certificate issue

policy. Otherwise, the certificate request might be rejected.

2. Creating a PKI domain

Required
Create a PKI domain, setting the certificate request mode to Manual.
Before requesting a PKI certificate, an entity needs to be configured with
some enrollment information, which is referred to as a PKI domain.
A PKI domain is intended only for convenience of reference by other

applications like IKE and SSL, and has only local significance.

3. Generating an RSA key pair

Required
Generate a local RSA key pair.
By default, no local RSA key pair exists.
Generating an RSA key pair is an important step in certificate request. The

key pair includes a public key and a private key. The private key is kept by
the user, and the public key is transferred to the CA along with some other

information.

IMPORTANT:

If a local certificate already exists, you must remove the certificate before

generating a new key pair, so as to keep the consistency between the key

pair and the local certificate.

4.

Retrieving the CA certificate

Required
Certificate retrieval serves the following purposes:

Locally store the certificates associated with the local security domain

for improved query efficiency and reduced query count,

Prepare for certificate verification.

IMPORTANT:

If a local CA certificate already exists, you cannot perform the CA certificate

retrieval operation. This will avoid possible mismatch between certificates

and registration information resulting from relevant changes. To retrieve the
CA certificate, you need to remove the CA certificate and local certificate

first.

See also other documents in the category H3C Technologies Routers: