H3C Technologies H3C SecPath F1000-E User Manual
• Select RA as the authority for certificate request.
• Type http://2.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request.
• Type 2.1.1.102 as the IP address of the LDAP server, 389 as the port number, and 2 as the version number.
• Select Manual as the certificate request mode.
• Click the expansion button before Advanced Configuration to display the advanced configuration items.
• Select the Enable CRL Checking check box.
• Type ldap://2.1.1.102 as the URL for CRLs.
• Click Apply. When the system displays “Fingerprint of the root certificate not specified. No root certificate validation will occur. Continue?”, click OK to confirm.
# Generate an RSA key pair.
• Select VPN > PKI > Certificate from the navigation tree and then click Create Key.
• Click Apply to generate an RSA key pair.
# Retrieve the CA certificate.
• Select VPN > PKI > Certificate from the navigation tree and then click Retrieve Cert.
• Select 1 as the PKI domain.
• Select CA as the certificate type.
• Click Apply.
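Because the PKI domain above was applied without a root certificate fingerprint, the device does not validate the CA certificate it retrieves in this step. The following is an added example, not part of the H3C manual: a Python check that computes the fingerprint of a CA certificate file and compares it with a value obtained from the CA administrator out of band. The sample bytes are constructed stand-ins rather than a real certificate, the function names are this example's own, and which hash algorithm the device accepts is an assumption, so MD5, SHA-1 and SHA-256 are all computed.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
LENGTH_TO_ALG = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digits -> algorithm

# Constructed stand-in bytes (not a real certificate); a fingerprint is simply
# a hash over the DER encoding, so any byte string exercises the check.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

def cert_to_der(data: bytes) -> bytes:
    """Return the DER bytes of a PEM- or DER-encoded certificate file."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data

def fingerprints(data: bytes) -> dict:
    """Hex fingerprints of the certificate under each candidate algorithm."""
    der = cert_to_der(data)
    return {alg: hashlib.new(alg, der).hexdigest() for alg in LENGTH_TO_ALG.values()}

def normalize(fp: str) -> str:
    """Strip colons, dashes and whitespace so 'AB:CD' and 'abcd' compare equal."""
    hexed = re.sub(r"[\s:\-]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexed):
        raise ValueError("fingerprint is not hexadecimal")
    return hexed

def matches(data: bytes, expected: str) -> bool:
    """True if the certificate's fingerprint equals the out-of-band value."""
    want = normalize(expected)
    alg = LENGTH_TO_ALG.get(len(want))
    if alg is None:
        raise ValueError("unexpected fingerprint length")
    return hmac.compare_digest(fingerprints(data)[alg], want)

if __name__ == "__main__":
    for alg, value in fingerprints(SAMPLE_PEM).items():
        print(f"{alg}: {value}")
    print("match:", matches(SAMPLE_PEM, fingerprints(SAMPLE_DER)["sha1"]))
```

A mismatch means the certificate in hand is not the one the CA administrator vouched for and should not be trusted as the root for IKE peer authentication.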
# Request a local certificate.
• Select VPN > PKI > Certificate from the navigation tree and then click Request Cert.
• Select 1 as the PKI domain.
• Click Apply. When the system displays “Certificate request has been submitted”, click OK to confirm.
# Retrieve the CRL.
• After retrieving a local certificate, select VPN > PKI > CRL from the navigation tree.
• Click Retrieve CRL of the PKI domain of 1.
# Configure IKE proposal 1, using RSA signature for identity authentication.
• Select VPN > IKE > Proposal from the navigation tree and then click Add.
• Type 1 as the IKE proposal number.
• Select RSA Signature as the authentication method.
• Click Apply.
# Configure an IKE peer and reference the configuration of the PKI domain for the IKE peer.
• Select VPN > IKE > Peer from the navigation tree and then click Add.
• Type peer as the peer name.
• Select PKI Domain and then select the PKI domain of 1.
• Click Apply.