
H3C Technologies H3C WX6000 Series Access Controllers User Manual

Page 653


68-6

A PKI domain is defined by these parameters:

• Trusted CA
  An entity requests a certificate from a trusted CA.

• Entity
  A certificate applicant uses an entity to provide its identity information to a CA.

• RA
  Generally, an independent RA is in charge of certificate request management. It receives the registration request from an entity, checks its qualification, and determines whether to ask the CA to sign a digital certificate. The RA only checks the application qualification of an entity; it does not issue any certificate. Sometimes the registration management function is provided by the CA itself, in which case no independent RA is required. Deploying an independent RA is recommended.

• URL of the enrollment server
  An entity sends a certificate request to the enrollment server through Simple Certification Enrollment Protocol (SCEP), a dedicated protocol for an entity to communicate with a CA.

• Polling interval and count
  After an applicant makes a certificate request, the CA may need a long period of time if it verifies the certificate request manually. During this period, the applicant needs to query the status of the request periodically so that it obtains the certificate as soon as possible after the certificate is signed. You can configure the polling interval and count used to query the request status.

• IP address of the LDAP server
  An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you need to configure the IP address of the LDAP server.

• Fingerprint for root certificate validation
  Upon receiving the root certificate of the CA, an entity needs to validate the fingerprint of the root certificate, namely the hash value of the root certificate content. This hash value is unique to every certificate. The entity rejects the root certificate if its fingerprint does not match the one configured for the PKI domain.
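The following Python is an added illustration of two of the behaviours described above, the root-certificate fingerprint check and the bounded polling of a pending request; it is not code from the H3C manual or from the device. The certificate bytes are a constructed stand-in for a DER-encoded root certificate (a real certificate would be parsed from the CA's response), the accepted hash algorithms and the colon/whitespace fingerprint formats are assumptions, and all function names are my own. The point it makes that the text does not spell out is that the fingerprint is computed over the DER bytes, so re-wrapping the PEM text or changing its line endings does not change it, while any change to the certificate content does.

```python
import base64
import hashlib
import hmac
import re
import time

# Constructed stand-in for the DER bytes of a CA root certificate.
# Real DER begins with a SEQUENCE tag (0x30); the rest is filler for the demo.
ROOT_CERT_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + bytes(range(256)) + b"demo-root-ca"

FINGERPRINT_ALGOS = ("md5", "sha1", "sha256")  # assumption: algorithms accepted here


def pem_to_der(pem_text: str) -> bytes:
    """Extract the DER payload from a PEM-encoded certificate.

    The fingerprint is defined over the DER encoding, so PEM line wrapping,
    line endings and any surrounding text must not influence the result.
    """
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(body, validate=True)


def der_to_pem(der: bytes, width: int = 64, eol: str = "\n") -> str:
    """Wrap DER bytes as a PEM certificate block (used to build test input)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----" + eol + eol.join(lines)
            + eol + "-----END CERTIFICATE-----" + eol)


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Hex fingerprint: the hash of the complete DER certificate."""
    if algo not in FINGERPRINT_ALGOS:
        raise ValueError("unsupported fingerprint algorithm: " + algo)
    return hashlib.new(algo, der).hexdigest()


def colon_format(hex_fp: str) -> str:
    """Render a bare hex fingerprint as upper-case byte pairs separated by colons."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex; return lower-case bare hex."""
    cleaned = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint is not hexadecimal")
    return cleaned


def root_cert_accepted(pem_text: str, configured_fp: str, algo: str = "sha1") -> bool:
    """The check described in the manual: accept the root certificate only if
    its fingerprint equals the one configured for the PKI domain."""
    expected = normalize_fingerprint(configured_fp)
    actual = fingerprint(pem_to_der(pem_text), algo)
    if len(expected) != len(actual):
        return False  # configured value uses another algorithm or is truncated
    return hmac.compare_digest(expected, actual)


def poll_until_issued(query_status, interval: float, count: int, sleep=time.sleep) -> str:
    """Query the request status up to `count` times, `interval` seconds apart.

    query_status() returns 'pending', 'issued' or 'rejected'. The final status
    is returned; 'timeout' means the polling count was exhausted while the
    request was still pending, and the applicant must re-query or re-request.
    """
    for attempt in range(1, count + 1):
        status = query_status()
        if status != "pending":
            return status
        if attempt < count:
            sleep(interval)
    return "timeout"


if __name__ == "__main__":
    pem = der_to_pem(ROOT_CERT_DER)
    configured = colon_format(fingerprint(ROOT_CERT_DER, "sha1"))
    print("configured fingerprint:", configured)
    print("root certificate accepted:", root_cert_accepted(pem, configured, "sha1"))
    replies = iter(["pending", "pending", "issued"])
    print("polling result:", poll_until_issued(lambda: next(replies), 1, 5, sleep=lambda s: None))
```

The comparison uses `hmac.compare_digest` so that a mismatch takes the same time regardless of where the first differing byte lies; for a fingerprint check this is a cheap habit rather than a hard requirement. The length check before it makes a fingerprint configured for a different algorithm fail cleanly instead of raising.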

Follow these steps to configure a PKI domain:

1. Enter system view
   Command: system-view

2. Create a PKI domain and enter its view
   Command: pki domain domain-name
   Remarks: Required. No PKI domain exists by default.

3. Specify the trusted CA
   Command: ca identifier name
   Remarks: Required. No trusted CA is specified by default.

4. Specify the entity for certificate request
   Command: certificate request entity entity-name
   Remarks: Required. No entity is specified by default. The specified entity must exist.

5. Specify the authority for certificate request
   Command: certificate request from { ca | ra }
   Remarks: Required. No authority is specified by default.

6. Configure the URL of the server for certificate request
   Command: certificate request url url-string
   Remarks: Required. No URL is configured by default.