Configuration guidelines – H3C Technologies H3C SecPath F1000-E User Manual

33

NOTE:

The above configuration procedure covers only the configurations for IKE negotiation using RSA digital
signature. For an IPsec tunnel to be established, you also need to perform IPsec configurations. For more

information about IPsec configuration, see

IPsec Configuration in the Firewall Web Configuration

Manual.

Configuration Guidelines

When configuring PKI, note that:

•

Make sure the clocks of entities and the CA are synchronous. Otherwise, the validity period of
certificates will be abnormal.

•

The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the
PKI entity identity information in a certificate request goes beyond a certain limit, the server will not

respond to the certificate request.

•

The SCEP add-on is required when you use the Windows Server as the CA. In this case, you need
to specify RA as the authority for certificate request when configuring the PKI domain.

•

The SCEP add-on is not required when you use the RSA Keon software as the CA. In this case, you
need to specify CA as the authority for certificate request when configuring the PKI domain.