H3C Technologies H3C SecPath F1000-E User Manual

Page 290

278

You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes

require different configurations.

Recommended configuration procedure for manual request

Task Remarks

Required
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and the identity information of an entity,
where the identity information is identified by an entity distinguished name (DN). A CA

identifies a certificate applicant uniquely by entity DN.
The identity settings of an entity must be compliant to the CA certificate issue policy.

Otherwise, the certificate request may be rejected.

Creating a PKI
domain

Required
Create a PKI domain, setting the certificate request mode to Manual.
Before requesting a PKI certificate, an entity needs to be configured with some

enrollment information, which is referred to as a PKI domain.
A PKI domain is intended only for convenience of reference by other applications like
IKE and SSL, and has only local significance.

Generating an RSA
key pair

Required
Generate a local RSA key pair.
By default, no local RSA key pair exists.
Generating an RSA key pair is an important step in certificate request. The key pair
includes a public key and a private key. The private key is kept by the user, and the

public key is transferred to the CA along with some other information.
In FIPS mode, an RSA key pair can only be 2048 bits.

IMPORTANT:

If a local certificate already exists, remove the certificate before generating a new key pair

to keep the consistency between the key pair and the local certificate.

Retrieving the CA
certificate

Required
Obtain the CA certificate and save it locally. For more information, see "

Retrieving and

displaying a certificate

Certificate retrieval serves the following purposes:

•

Locally store the certificates associated with the local security domain for improved

query efficiency and reduced query count,

•

Prepare for certificate verification.

IMPORTANT:

If a local CA certificate already exists, you cannot perform the CA certificate retrieval

operation. This is to avoid possible mismatch between certificates and registration

information resulting from relevant changes. To retrieve the CA certificate, you need to

remove the CA certificate and local certificate first.

This manual is related to the following products:

H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS