Network requirements, Configuration procedure – H3C Technologies H3C SecPath F1000-E User Manual
Page 795
21
Configuring a PKI Entity to Request a Certificate from a CA
(Method II)
Network requirements
As shown in
, configure the device working as the PKI entity, so that:
•
The device submits a local certificate request to the CA server, which runs the RSA Keon software.
•
The device acquires CRLs for certificate verification.
Figure 22 Network diagram for configuring a PKI entity to request a certificate from a CA
Configuration procedure
Step1
Configure the CA server
# Create a CA server named myca.
In this example, you need to configure the basic attributes of Nickname and Subject DN on the CA
server at first:
•
Nickname: Name of the trusted CA.
•
Subject DN: DN information of the CA, including the Common Name (CN),
•
Organization Unit (OU),
•
Organization (O), and
•
Country (C).
The other attributes may use the default values.
# Configure extended attributes
After configuring the basic attributes, you need to perform configuration on the Jurisdiction
Configuration page of the CA server. This includes selecting the proper extension profiles, enabling
the SCEP autovetting function, and adding the IP address list for SCEP autovetting.
# Configure the CRL publishing behavior
After completing the above configuration, you need to perform CRL related configurations.
In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to
http://4.4.4.133:447/myca.crl.
After the above configuration, make sure that the system clock of the device is synchronous to that of the
CA, so that the device can request certificates and retrieve CRLs properly.
Step2
Configure Device
# Create a PKI entity.