H3C SecPath F1000-E User Manual: Network requirements, Configuring the CA server, Configuring SecPath

Certificate request from an RSA Keon CA server configuration example

Network requirements

As shown in Figure 191, configure SecPath as the PKI entity so that:

SecPath submits a local certificate request to the CA server, which runs the RSA Keon software.

SecPath acquires CRLs for certificate verification.

Figure 191 Network diagram

Configuring the CA server

1. Create a CA server named myca.
   In this example, you must first configure the basic attributes of Nickname and Subject DN on the CA server: the nickname is the name of the trusted CA, and the subject DN holds the DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C). Leave the other attributes at their default values.

2. Configure extended attributes.
   After configuring the basic attributes, configure the parameters on the Jurisdiction Configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting.

3. Configure the CRL publishing behavior.
   After completing the configuration above, perform the CRL-related configuration. In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl.

After the configuration, make sure the system clock of the firewall is synchronized with that of the CA, so that the firewall can request the certificate and retrieve the CRLs properly.
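The clock-synchronization requirement above is easy to verify from the CRL itself: a CRL carries a thisUpdate/nextUpdate window, and a firewall whose clock sits before thisUpdate (or after nextUpdate) will reject the list the CA just published. The following script is an added example, not H3C code or part of this manual; it uses only the Python standard library, with a minimal DER walker that pulls the two timestamps out of the TBSCertList, and builds a constructed, unsigned sample CRL for issuer CN=myca so it runs offline. To check the real list, replace SAMPLE_CRL with the bytes fetched from http://4.4.4.133:447/myca.crl (the URL from this example) and pass the firewall's current UTC time as now.

```python
"""Check a DER-encoded CRL's validity window against a given clock.

Added example (not H3C code). The DER walker below decodes only what is
needed to read thisUpdate/nextUpdate from the TBSCertList; it does not
verify the CRL signature.
"""
from datetime import datetime, timedelta, timezone


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_time(tag: int, raw: bytes) -> datetime:
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware UTC datetime."""
    text = raw.decode("ascii")
    # strptime's two-digit-year pivot (69) differs from RFC 5280's (50);
    # irrelevant for CRLs issued this century.
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def crl_validity_window(der: bytes):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList; nextUpdate may be None."""
    _, outer, _ = read_tlv(der, 0)         # CertificateList SEQUENCE
    _, tbs, _ = read_tlv(outer, 0)         # TBSCertList SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)         # version INTEGER (optional) or signature AlgorithmIdentifier
    if tag == 0x02:                        # version present: skip the AlgorithmIdentifier too
        _, _, pos = read_tlv(tbs, pos)
    _, _, pos = read_tlv(tbs, pos)         # issuer Name
    tag, raw, pos = read_tlv(tbs, pos)     # thisUpdate
    this_update = parse_time(tag, raw)
    tag, raw, pos = read_tlv(tbs, pos)     # nextUpdate (optional), else revokedCertificates/extensions
    next_update = parse_time(tag, raw) if tag in (0x17, 0x18) else None
    return this_update, next_update


def crl_status(der: bytes, now: datetime) -> str:
    """Classify the CRL relative to the clock 'now': valid, not_yet_valid or expired."""
    this_update, next_update = crl_validity_window(der)
    if now < this_update:
        return "not_yet_valid"   # typical symptom of a firewall clock behind the CA
    if next_update is not None and now > next_update:
        return "expired"         # clock ahead of the CA, or a CRL that was never refreshed
    return "valid"


def build_sample_crl(this_update: datetime, next_update: datetime) -> bytes:
    """Constructed, unsigned sample CRL (issuer CN=myca) used only to exercise the parser."""
    sha256_rsa = der_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))   # OID 1.2.840.113549.1.1.11
    alg_id = der_tlv(0x30, sha256_rsa + der_tlv(0x05, b""))
    cn = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x13, b"myca"))
    issuer = der_tlv(0x30, der_tlv(0x31, cn))

    def utc(t: datetime) -> bytes:
        return der_tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01") + alg_id + issuer
                  + utc(this_update) + utc(next_update))
    fake_sig = der_tlv(0x03, b"\x00" * 9)   # placeholder BIT STRING, not a real signature
    return der_tlv(0x30, tbs + alg_id + fake_sig)


# Constructed sample: published at SAMPLE_THIS, next issue one week later.
SAMPLE_THIS = datetime(2024, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_NEXT = SAMPLE_THIS + timedelta(days=7)
SAMPLE_CRL = build_sample_crl(SAMPLE_THIS, SAMPLE_NEXT)


def sample_status_at(hours_after_this_update: int) -> str:
    """Status of SAMPLE_CRL as seen by a clock offset from thisUpdate by N hours."""
    return crl_status(SAMPLE_CRL, SAMPLE_THIS + timedelta(hours=hours_after_this_update))


if __name__ == "__main__":
    # A firewall clock one day behind the CA rejects the CRL the CA just published.
    for hours in (-24, 1, 7 * 24 + 1):
        print(f"clock offset {hours:+d}h from thisUpdate: {sample_status_at(hours)}")
```

The "not_yet_valid" case is the one the manual's caveat is about: a firewall running behind the CA sees a CRL (or a freshly issued certificate) that appears to come from the future and refuses it, which shows up as a failed certificate request or CRL retrieval rather than as an obvious clock error.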

Configuring SecPath

1. Create a PKI entity:
   a. From the navigation tree, select VPN > Certificate Management > Entity.
   b. Click Add.
   c. Enter aaa as the PKI entity name, enter device as the common name, and click Apply.