H3C Technologies H3C SecPath F1000-E User Manual
Page 290
278
You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes
require different configurations.
Recommended configuration procedure for manual request
Task Remarks
Required
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and the identity information of an entity,
where the identity information is identified by an entity distinguished name (DN). A CA
identifies a certificate applicant uniquely by entity DN.
The identity settings of an entity must be compliant to the CA certificate issue policy.
Otherwise, the certificate request may be rejected.
Required
Create a PKI domain, setting the certificate request mode to Manual.
Before requesting a PKI certificate, an entity needs to be configured with some
enrollment information, which is referred to as a PKI domain.
A PKI domain is intended only for convenience of reference by other applications like
IKE and SSL, and has only local significance.
Required
Generate a local RSA key pair.
By default, no local RSA key pair exists.
Generating an RSA key pair is an important step in certificate request. The key pair
includes a public key and a private key. The private key is kept by the user, and the
public key is transferred to the CA along with some other information.
In FIPS mode, an RSA key pair can only be 2048 bits.
IMPORTANT:
If a local certificate already exists, remove the certificate before generating a new key pair
to keep the consistency between the key pair and the local certificate.
Retrieving the CA
certificate
Required
Obtain the CA certificate and save it locally. For more information, see "
Certificate retrieval serves the following purposes:
•
Locally store the certificates associated with the local security domain for improved
query efficiency and reduced query count,
•
Prepare for certificate verification.
IMPORTANT:
If a local CA certificate already exists, you cannot perform the CA certificate retrieval
operation. This is to avoid possible mismatch between certificates and registration
information resulting from relevant changes. To retrieve the CA certificate, you need to
remove the CA certificate and local certificate first.
- H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS