PKI configuration examples at the CLI, Network requirements, Configuring the CA server – H3C Technologies H3C SecPath F1000-E User Manual

PKI configuration examples at the CLI

CAUTION:

The SCEP add-on is required when you use Windows Server as the CA. In this case, when you configure the PKI domain, use the certificate request from ra command to specify that the entity requests a certificate from an RA.

The SCEP add-on is not required when RSA Keon is used. In this case, when you configure a PKI domain, use the certificate request from ca command to specify that the entity requests a certificate from a CA.

Requesting a certificate from a CA server running RSA Keon

Network requirements

As a PKI entity, SecPath submits a local certificate request to the CA server.

SecPath acquires the CRLs for certificate verification.

Figure 207 Network diagram

Configuring the CA server

1. Create a CA server named myca:
In this example, first configure these basic attributes on the CA server:
  - Nickname—Name of the trusted CA.
  - Subject DN—DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C).
Use the default settings for the other attributes.

2. Configure extended attributes.
After configuring the basic attributes, perform configuration on the jurisdiction configuration page of the CA server. Select the proper extension profiles, enable the SCEP autovetting function, and add the IP address list for SCEP autovetting.

3. Configure the CRL distribution behavior.
After completing the configuration, perform CRL related configurations. In this example, select the local CRL distribution mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl.

After the configuration, make sure the system clock of the device is synchronized with that of the CA, so that the device can request certificates and retrieve CRLs properly.
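The effect of clock skew on the time checks behind this note, as an added example that is not from the H3C manual: it models the standard X.509 and CRL time fields (notBefore/notAfter, thisUpdate/nextUpdate) with constructed dates. The exact checks the SecPath performs are not described on this page, so the function names and all values below are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample values: the CA issues a certificate and a CRL at CA_NOW.
CA_NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
CERT_NOT_BEFORE = CA_NOW                         # certificate validity start
CERT_NOT_AFTER = CA_NOW + timedelta(days=365)    # certificate validity end
CRL_THIS_UPDATE = CA_NOW                         # CRL issue time
CRL_NEXT_UPDATE = CA_NOW + timedelta(hours=24)   # next CRL due by this time


def time_problems(device_now):
    """Return the time-related failures a verifier would see at device_now."""
    problems = []
    if device_now < CERT_NOT_BEFORE:
        problems.append("certificate not yet valid")
    elif device_now > CERT_NOT_AFTER:
        problems.append("certificate expired")
    if device_now < CRL_THIS_UPDATE:
        problems.append("CRL thisUpdate is in the future")
    elif device_now > CRL_NEXT_UPDATE:
        problems.append("CRL is stale (past nextUpdate)")
    return problems


def problems_for_skew(skew):
    """Device clock = CA clock + skew, evaluated right after issuance."""
    return time_problems(CA_NOW + skew)


if __name__ == "__main__":
    # Hypothetical skews: negative means the device clock runs behind the CA.
    for label, skew in [
        ("in sync", timedelta(0)),
        ("10 min slow", timedelta(minutes=-10)),
        ("2 days fast", timedelta(days=2)),
        ("2 years fast", timedelta(days=730)),
    ]:
        print(f"{label:12} -> {problems_for_skew(skew) or 'OK'}")
```

A slow device clock makes a freshly issued certificate and CRL look like they come from the future, while a fast clock makes the CRL look stale well before the certificate itself appears expired.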

Configuring SecPath

1. Configure the entity DN:
# Configure the entity name as aaa and the common name as SecPath.