
H3C Technologies H3C SecPath F1000-E User Manual


[SecPathA] public-key local create rsa

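# Retrieve the CA certificate and the CRL, and then request a local certificate. The CA certificate is fetched from the registration server without prior authentication, so compare the root certificate fingerprint shown by the device with the value obtained from the CA administrator out of band before accepting it.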

[SecPathA] pki retrieval-certificate ca domain 1

[SecPathA] pki retrieval-crl domain 1

[SecPathA] pki request-certificate domain 1

# Configure IKE proposal 1, using RSA signature for identity authentication.

[SecPathA] ike proposal 1

[SecPathA-ike-proposal-1] authentication-method rsa-signature

[SecPathA-ike-proposal-1] quit

# Specify the PKI domain for the IKE peer.

[SecPathA] ike peer peer

[SecPathA-ike-peer-peer] certificate domain 1

2. Configure SecPath B:

# Configure the entity DN.

<SecPathB> system-view

[SecPathB] pki entity en

[SecPathB-pki-entity-en] ip 3.3.3.1

[SecPathB-pki-entity-en] common-name SecPathb

[SecPathB-pki-entity-en] quit

# Configure the PKI domain. The URL of the registration server varies with the CA server.

[SecPathB] pki domain 1

[SecPathB-pki-domain-1] ca identifier CA2

[SecPathB-pki-domain-1] certificate request url http://2.1.1.100/certsrv/mscep/mscep.dll

[SecPathB-pki-domain-1] certificate request entity en

[SecPathB-pki-domain-1] ldap-server ip 2.1.1.102

# Specify that certificate requests are submitted to the RA rather than directly to the CA.

[SecPathB-pki-domain-1] certificate request from ra

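# Configure the CRL distribution URL. This is not necessary if CRL checking is disabled. With CRL checking disabled, a peer certificate that the CA has revoked is still accepted for IKE authentication, so keep CRL checking enabled wherever the CRL repository is reachable.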

[SecPathB-pki-domain-1] crl url ldap://2.1.1.102

[SecPathB-pki-domain-1] quit

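# Create a local key pair using RSA. When the device prompts for the modulus length, choose at least 2048 bits if the device supports it; shorter RSA keys weaken the signature used for IKE identity authentication.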

[SecPathB] public-key local create rsa

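# Retrieve the CA certificate and the CRL, and then request a local certificate. Before accepting the CA certificate, check its root certificate fingerprint against the value provided by the CA administrator.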

[SecPathB] pki retrieval-certificate ca domain 1

[SecPathB] pki retrieval-crl domain 1

[SecPathB] pki request-certificate domain 1

# Configure IKE proposal 1, using RSA signature for identity authentication.

[SecPathB] ike proposal 1

[SecPathB-ike-proposal-1] authentication-method rsa-signature

[SecPathB-ike-proposal-1] quit

# Specify the PKI domain for the IKE peer.

[SecPathB] ike peer peer

[SecPathB-ike-peer-peer] certificate domain 1