beautypg.com

H3C Technologies H3C SecBlade LB Cards User Manual

Page 122

background image

111

Recommended configuration procedure for manual request

Step Remarks

1. Creating a PKI entity

Required.
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and the identity information of

an entity, where the distinguished name (DN) shows the identity
information of the entity. A CA identifies a certificate applicant uniquely

by an entity DN.
The DN settings of an entity must be compliant to the CA certificate issue

policy. Otherwise, the certificate request might be rejected. You must
know the policy to determine which entity parameters are mandatory or

optional.

2. Creating a PKI domain

Required.
Create a PKI domain, setting the certificate request mode to Manual.
Before requesting a PKI certificate, an entity needs to be configured with
some enrollment information, which is called a PKI domain.
A PKI domain is intended only for convenience of reference by other
applications like IKE and SSL, and has only local significance.

3. Generating an RSA key pair

Required.
Generate a local RSA key pair.
By default, no local RSA key pair exists.
Generating an RSA key pair is an important step in certificate request.
The key pair includes a public key and a private key. The private key is

kept by the user, and the public key is transferred to the CA along with
some other information.

IMPORTANT:

If a local certificate already exists, remove the certificate before generating

a new key pair to keep the consistency between the key pair and the local

certificate.

4.

Retrieving the CA certificate

Required.
Obtain the CA certificate and save it locally. For more information, see
"

Retrieving and displaying a certificate

."

Certificate retrieval serves the following purposes:

Locally store the certificates associated with the local security domain

for improved query efficiency and reduced query count,

Prepare for certificate verification.

IMPORTANT:

If a local CA certificate already exists, you cannot perform the CA

certificate retrieval operation. This helps avoid possible mismatch between

certificates and registration information resulting from relevant changes. To
retrieve the CA certificate, you must remove the CA certificate and local

certificate first.

This manual is related to the following products:
See also other documents in the category H3C Technologies Safety: