beautypg.com

Configuring a pki domain – H3C Technologies H3C SecPath F1000-E User Manual

Page 318

background image

306

To configure an entity DN:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Create an entity and enter its
view.

pki entity entity-name

No entity exists by default.

3.

Configure the common name

for the entity.

common-name name

Optional.
No common name is specified by default.

4.

Configure the country code
for the entity.

country country-code-str

Optional.
No country code is specified by default.

5.

Configure the FQDN for the
entity.

fqdn name-str

Optional.
No FQDN is specified by default.

6.

Configure the IP address for

the entity.

ip ip-address

Optional.
No IP address is specified by default.

7.

Configure the locality for the
entity.

locality locality-name

Optional.
No locality is specified by default.

8.

Configure the organization
name for the entity.

organization org-name

Optional.
No organization is specified by default.

9.

Configure the unit name for

the entity.

organization-unit
org-unit-name

Optional.
No unit is specified by default.

10.

Configure the state or
province for the entity.

state state-name

Optional.
No state or province is specified by default.

NOTE:

Up to two entities can be created on a device.

The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the
entity DN in a certificate request goes beyond a certain limit, the server will not respond to the certificate
request.

Configuring a PKI domain

Before requesting a PKI certificate, an entity needs to be configured with some enrollment information,

which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other

applications like IKE and SSL, and has only local significance. The PKI domain configured on a device
is invisible to the CA and other devices, and each PKI domain has its own parameters.
A PKI domain is defined by these parameters:

Trusted CA—An entity requests a certificate from a trusted CA.

Entity—A certificate applicant uses an entity to provide its identity information to a CA.

RA—Generally, an independent RA is in charge of certificate request management. It receives the
registration request from an entity, checks its qualification, and determines whether to ask the CA

to sign a digital certificate. The RA only checks the application qualification of an entity; it does not

issue any certificate. Sometimes, the registration management function is provided by the CA, in
which case no independent RA is required. H3C recommends you to deploy an independent RA.

This manual is related to the following products:
See also other documents in the category H3C Technologies Safety: