Configuring secpath – H3C Technologies H3C SecPath F1000-E User Manual
   b. Select Add/Remove Windows Components.
   c. Select Certificate Services in the pop-up dialog box.
   d. Click Next to begin the installation.
2. Install the SCEP add-on:
   Because a CA server running the Windows 2003 Server operating system does not support SCEP by
   default, you must install the SCEP add-on to provide the firewall with automatic certificate
   registration and retrieval. After the add-on is installed, a prompt dialog box appears, displaying
   the URL of the registration server configured on the firewall.
3. Modify the certificate service properties:
   a. Select Control Panel > Administrative Tools > Certificate Authority from the start menu.
   b. If the CA server and SCEP add-on have been installed successfully, there should be two
      certificates issued by the CA to the RA.
   c. Right-click CA server and select Properties from the shortcut menu.
   d. Click the Policy Module tab in the CA server Properties dialog box.
   e. Click Follow the settings in the certificate template, if applicable. Otherwise, automatically
      issue the certificate.
   f. Click OK.
4. Modify the IIS attributes:
   a. Select Control Panel > Administrative Tools > Internet Information Services (IIS) Manager from
      the start menu.
   b. From the navigation tree, select Web Sites.
   c. Right-click Default Web Site and select Properties.
   d. Click the Home Directory tab.
   e. Specify the path for certificate service in the Local path field.
   f. Change the TCP port number to an unused one on the Web Site tab to avoid conflicts with
      existing services.
After the configuration, make sure the system clock of the firewall and that of the CA are synchronized,
so that the firewall can request the certificate correctly.
Configuring SecPath
1. Create a PKI entity:
   a. From the navigation tree, select VPN > Certificate Management > Entity.
   b. Click Add.
   c. Enter aaa as the PKI entity name, enter device as the common name, and click Apply.