Pki configuration examples at the cli, Network requirements, Configuring the ca server – H3C Technologies H3C SecPath F1000-E User Manual

Page 325: Configuring secpath

313

PKI configuration examples at the CLI

CAUTION:
•

The SCEP add-on is required when you use the Windows Server as the CA. In this case, when you
configure the PKI domain, use the certificate request from ra command to specify that the entity

requests a certificate from an RA.

•

The SCEP add-on is not required when RSA Keon is used. In this case, when you configure a PKI
domain, use the certificate request from ca command to specify that the entity requests a certificate
from a CA.

Requesting a certificate from a CA server running RSA Keon

Network requirements

•

As a PKI entity, SecPath submits a local certificate request to the CA server.

•

SecPath acquires the CRLs for certificate verification.

Figure 207 Network diagram

Configuring the CA server

Create a CA server named myca:
In this example, you need to configure these basic attributes on the CA server at first:

{

Nickname—Name of the trusted CA.

{

Subject DN—DN information of the CA, including the Common Name (CN), Organization Unit

(OU), Organization (O), and Country (C).

Use the default settings for the other attributes.

Configure extended attributes.
After configuring the basic attributes, perform configuration on the jurisdiction configuration page
of the CA server. Select the proper extension profiles, enable the SCEP autovetting function, and
add the IP address list for SCEP autovetting.

Configure the CRL distribution behavior.
After completing the configuration, perform CRL related configurations. In this example, select the
local CRL distribution mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl.

After the configuration, make sure the system clock of the device is synchronous to that of the CA, so that

the device can request certificates and retrieve CRLs properly.

Configuring SecPath

Configure the entity DN:
# Configure the entity name as aaa and the common name as SecPath.

This manual is related to the following products:

H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS