
Configuring pki, Configuration task list, Requesting a certificate manually – H3C Technologies H3C SecPath F1000-E User Manual

Page 778

Configuring PKI

Configuration Task List

There are two PKI certificate request modes:

Manual: In manual mode, you need to retrieve a CA certificate, generate a local RSA key pair, and submit a local certificate request for an entity.

Auto: In auto mode, an entity automatically requests a certificate through Simple Certificate Enrollment Protocol (SCEP, a dedicated protocol for an entity to communicate with a CA) when it has no local certificate or the present certificate is about to expire.

You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes require different configurations:

Requesting a certificate manually

Perform the tasks in Table 1 to request a certificate manually.

Table 1 Configuration task list for requesting a certificate manually

Task: Creating a PKI entity
Remarks: Required.
Create a PKI entity and configure its identity information.
A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN). A CA identifies a certificate applicant uniquely by its entity DN.
The identity settings of an entity must comply with the certificate issuance policy of the CA. Otherwise, the certificate request may be rejected.

Task: Creating a PKI domain
Remarks: Required.
Create a PKI domain, setting the certificate request mode to Manual.
Before requesting a PKI certificate, an entity must be configured with some enrollment information, which is referred to as a PKI domain.
A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.

Task: Generating an RSA key pair
Remarks: Required.
Generate a local RSA key pair.
By default, no local RSA key pair exists.
Generating an RSA key pair is an important step in a certificate request. The key pair includes a public key and a private key. The private key is kept by the user, while the public key is transferred to the CA along with some other information.

IMPORTANT:
If a local certificate already exists, remove it before generating a new key pair, so that the key pair and the local certificate stay consistent.
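As an added example that is not taken from the manual, the command sequence below carries out the tasks of Table 1 in order (entity, domain in manual mode, key pair, then CA retrieval and the request), with the removal step from the IMPORTANT note shown where it belongs. The `#` lines are annotations rather than commands, the entity name, domain name, DN values and enrollment URL are assumed placeholders, and the command names are those I know from Comware V5, so confirm them against the command reference for this product.

```text
<Sysname> system-view

# Task 1: PKI entity. The DN fields must match what the CA's issuance policy expects,
# or the request will be rejected.
[Sysname] pki entity en1
[Sysname-pki-entity-en1] common-name fw1.example.net
[Sysname-pki-entity-en1] organization example-org
[Sysname-pki-entity-en1] country CN
[Sysname-pki-entity-en1] quit

# Task 2: PKI domain bound to the entity, request mode set to manual.
[Sysname] pki domain dom1
[Sysname-pki-domain-dom1] ca identifier example-ca
[Sysname-pki-domain-dom1] certificate request url http://ca.example.net/certsrv/mscep/mscep.dll
[Sysname-pki-domain-dom1] certificate request entity en1
[Sysname-pki-domain-dom1] certificate request mode manual
[Sysname-pki-domain-dom1] quit

# IMPORTANT note: only if a local certificate already exists, remove it first so the
# new key pair and the stored certificate cannot get out of step.
[Sysname] pki delete-certificate local domain dom1

# Task 3: generate the local RSA key pair (the public half goes to the CA in the request).
[Sysname] public-key local create rsa

# Manual mode: fetch the CA certificate, then submit the local certificate request.
[Sysname] pki retrieval-certificate ca domain dom1
[Sysname] pki request-certificate domain dom1

# Verify that the issued certificate is present for the domain.
[Sysname] display pki certificate local domain dom1
```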
