H3C Technologies H3C SecPath F1000-E User Manual

9

Item Description

Requesting URL

Type the URL of the RA.
The entity will submit the certificate request to the server at this URL through the SCEP

protocol. The SCEP protocol is intended for communication between an entity and an

authentication authority.
In offline mode, this item is optional; while in other modes, this item is required.

IMPORTANT:

z

In offline mode, this item is optional; while in other modes, this item is required.

z

Currently, this item does not support domain name resolution.

LDAP IP

Port

Version

Type the IP address, port number, and version number of the LDAP server.
Usually, an LDAP server is used to store store certificates and CRL information. In this

case, the LDAP server must be configured properly

Request Mode

Select the online certificate request mode, which can be Auto or Manual.

Password Encrypt

Password

When the certificate request mode is set to Auto, type a password for certificate
revocation and select the check box to display the password in cipher text.

Hash

Fingerprint

Specify the hash algorithm and fingerprint for verification of the CA root certificate.
Upon receiving the root certificate of the CA, an entity needs to verify the fingerprint of

the root certificate, namely, the hash value of the root certificate content. This hash value
is unique to every certificate. If the fingerprint of the root certificate does not match the

one configured for the PKI domain, the entity will reject the root certificate.

IMPORTANT:

The fingerprint of the CA root certificate is required when the certificate request mode
is Auto, and can be omitted when the certificate request mode is Manual. If it is
omitted, you need to verify the CA server by yourself.

Polling Count

Polling Interval

Set the polling interval and attempt limit for querying the certificate request status.
After an entity makes a certificate request, the CA may need a long period of time if it

verifies the certificate request in manual mode. During this period, the applicant needs to
query the status of the request periodically to get the certificate as soon as possible after

the certificate is signed. These two items dictate the polling operation.

Enable CRL
Checking

Select this box to specify that CRL checking is required during certificate verification.

CRL Update Period

Type the CRL update period, that is, the interval at which the PKI entity downloads the

latest CRLs.
This item is available when the Enable CRL Checking check box is selected.
By default, the CRL update period depends on the next update field in the CRL file.

IMPORTANT:

The manually configured CRL update period takes precedent over that specified in the
CRL file.

CRL URL

Type the URL of the CRL distribution point.
This item is available when the Enable CRL Checking check box is selected.
Note that when the URL of the CRL distribution point is not set, you should acquire the CA
certificate and a local certificate, and then acquire a CRL through SCEP.

IMPORTANT:

Currently, this item does not support domain name resolution.