H3C Technologies H3C SecPath F1000-E User Manual

307

•

URL of the registration server—An entity sends a certificate request to the registration server

through Simple Certification Enrollment Protocol (SCEP), a dedicated protocol for an entity to
communicate with a CA.

•

Polling interval and count—After an applicant makes a certificate request, the CA might need a
long period of time if it verifies the certificate request manually. During this period, the applicant

needs to query the status of the request periodically to get the certificate as soon as possible after

the certificate is signed. You can configure the polling interval and count to query the request status.

•

IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs.

If this is the case, you need to configure the IP address of the LDAP server.

•

Fingerprint for root certificate verification—After receiving the root certificate of the CA, an entity
needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate

content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not

match the one configured for the PKI domain, the entity will reject the root certificate.

To configure a PKI domain:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Create a PKI domain and
enter its view.

pki domain domain-name

No PKI domain exists by default.

3.

Specify the trusted CA.

ca identifier name

No trusted CA is specified by default.

4.

Specify the entity for

certificate request.

certificate request entity
entity-name

No entity is specified by default.
The specified entity must exist.

5.

Specify the authority for
certificate request.

certificate request from { ca
| ra }

No authority is specified by default.

6.

Configure the URL of the

server for certificate request.

certificate request url
url-string

No URL is configured by default.

7.

Configure the polling interval
and attempt limit for querying

the certificate request status.

certificate request polling
{ count count | interval
minutes }

Optional.
The polling is executed for up to 50 times
at the interval of 20 minutes by default.

8.

Specify the LDAP server.

ldap-server ip ip-address
[ port port-number ]

[ version version-number ]

Optional.
No LDP server is specified by default.

9.

Configure the fingerprint for

root certificate verification.

root-certificate fingerprint
{ md5 | sha1 } string

Required when the certificate request
mode is auto and optional when the
certificate request mode is manual. In the

latter case, if you do not configure this

command, the fingerprint of the root
certificate must be verified manually.
No fingerprint is configured by default.

NOTE:
•

Up to two PKI domains can be created on a device.

•

The CA name is required only when you retrieve a CA certificate. It is not used when in local certificate
request.

•

The URL of the server for certificate request does not support domain name resolution.