beautypg.com

Configuration procedures, Configuration procedure for manual request – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 616

background image

595

The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case, you

need to specify CA as the authority for certificate request when you configure the PKI domain.

Configuration procedures

The system supports the following PKI certificate request modes:

Manual—In manual mode, you must retrieve a CA certificate, generate a local RSA key pair, and
submit a local certificate request for an entity.

Auto—In auto mode, an entity automatically requests a certificate through the Simple Certification
Enrollment Protocol (SCEP) when it has no local certificate or the existing certificate is about to

expire.

You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes

require different configurations.

Configuration procedure for manual request

Step Remarks

1. Creating a PKI entity

Required.
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and the identity information of an
entity, where the identity information is identified by an entity distinguished

name (DN). A CA uniquely identifies a certificate applicant by entity DN.
The parameter settings of an entity DN, optional or required, must be
compliant to the CA certificate issue policy. Otherwise, the certificate request

might be rejected.

2. Creating a PKI domain

Required.
Create a PKI domain, setting the certificate request mode to Manual.
Before requesting a PKI certificate, an entity needs to be configured with some
enrollment information, which is referred to as a PKI domain.
A PKI domain is intended only for convenience of reference by other
applications like IKE and SSL, and has only local significance.

3. Generating an RSA key

pair

Required.
Generate a local RSA key pair.
By default, no local RSA key pair exists.
Generating an RSA key pair is an important step in certificate request. The key
pair includes a public key and a private key. The private key is kept by the

user, and the public key is transferred to the CA along with some other
information.

IMPORTANT:

If a local certificate already exists, you must remove the certificate before

generating a new key pair, so as to keep the consistency between the key pair

and the local certificate.

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: