Table 41-4 – H3C Technologies H3C WX6000 Series Access Controllers User Manual

41-8

Table 41-4 PKI domain configuration items

Item

Description

Domain Name

Type the name for the PKI domain.

CA Identifier

Type the identifier of the trusted CA.

An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility
of certificate registration, distribution, and revocation, and query.

In offline mode, this item is optional; while in other modes, this item is required.

Entity Name

Select the local PKI entity.

When submitting a certificate request to a CA, an entity needs to show its identity
information.

Available PKI entities are those that have been configured.

Institution

Select the authority for certificate request.

CA: Indicates that the entity requests a certificate from a CA.

RA: Indicates that the entity requests a certificate from an RA.

RA is recommended.

Requesting URL

Type the URL of the RA.

The entity will submit the certificate request to the server at this URL through the SCEP
protocol. The SCEP protocol is intended for communication between an entity and an
authentication authority.

In offline mode, this item is optional; while in other modes, this item is required.

Currently, this item does not support domain name resolution.

LDAP IP

Port

Version

Type the IP address, port number and version of the LDAP server.

In a PKI system, the storage of certificates and CRLs is a crucial problem, which is
usually addressed by deploying an LDAP server.

Request Mode

Select the online certificate request mode, which can be auto or manual.

Password Encrypt

Select this check box to display the password in cipher text.

This check box is available only when the certificate request mode is set to Auto.

Password

Type the password for certificate revocation.

This item is available only when the certificate request mode is set to Auto.

Hash

Fingerprint

Specify the hash algorithm and fingerprint for verification of the CA root certificate.

Upon receiving the root certificate of the CA, an entity needs to verify the fingerprint of the
root certificate, namely, the hash value of the root certificate content. This hash value is
unique to every certificate. If the fingerprint of the root certificate does not match the one
configured for the PKI domain, the entity will reject the root certificate.

The fingerprint of the CA root certificate is required when the certificate request mode is
Auto, and can be omitted when the certificate request mode is Manual. When it is
omitted, no CA root certificate verification occurs automatically and you need to verify the
CA server by yourself.

Polling Count

Polling Interval

Set the polling interval and attempt limit for querying the certificate request status.

After an entity makes a certificate request, the CA may need a long period of time if it
verifies the certificate request in manual mode. During this period, the applicant needs to
query the status of the request periodically to get the certificate as soon as possible after
the certificate is signed.

Enable CRL
Checking

Select this box to specify that CRL checking is required during certificate verification.