beautypg.com

Generating an rsa key pair, Generating an rsa key, Pair – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 622

background image

601

Item Description

Fingerprint Hash
Fingerprint

Specify the fingerprint used for verifying the CA root certificate.
After receiving the root certificate of the CA, an entity needs to verify the fingerprint of

the root certificate, namely, the hash value of the root certificate content. This hash
value is unique to every certificate. If the fingerprint of the root certificate does not

match the one configured for the PKI domain, the entity will reject the root certificate.

If you specify MD5 as the hash algorithm, enter an MD5 fingerprint. The fingerprint

must a string of 32 characters in hexadecimal notation.

If you specify SHA1 as the hash algorithm, enter an SHA1 fingerprint. The

fingerprint must a string of 40 characters in hexadecimal notation.

If you do not specify the fingerprint hash, do not enter any fingerprint. The entity will

not verify the CA root certificate, and you yourself must make sure that the CA

server is trusted.

IMPORTANT:

The fingerprint must be configured if you specify the certificate request mode as Auto. If

you specify the certificate request mode as Manual, you can leave the fingerprint settings

null. If you do not configure the fingerprint, the entity will not verify the CA root certificate

and you yourself must make sure that the CA server is trusted.

Polling Count
Polling Interval

Set the polling interval and attempt limit for querying the certificate request status.
After an entity makes a certificate request, the CA might need a long period of time if
it verifies the certificate request in manual mode. During this period, the applicant

needs to query the status of the request periodically to get the certificate as soon as
possible after the certificate is signed.

Enable CRL Checking Select this option to enable CRL checking for certificate verification.

CRL Update Period

Enter the interval at which the PKI entity downloads the latest CRLs for CRL checking.
By default, the CRL update period depends on the next update field in the CRL file.

CRL URL

Enter the URL of the CRL distribution point by an IP address or domain name for CRL
checking.
When the URL of the CRL distribution point is not set, first obtain the CA certificate and

a local certificate, and then obtain a CRL through SCEP.

Generating an RSA key pair

1.

From the navigation tree, select Authentication > Certificate Management.

2.

Click the Certificate tab.