beautypg.com

Configuring a pki domain – H3C Technologies H3C SecBlade LB Cards User Manual

Page 143

background image

132

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Create an entity and enter its

view.

pki entity entity-name

No entity exists by default.
You can create up to two entities on a
device.

3.

Configure the common name
for the entity.

common-name name

Optional.
No common name is specified by default.

4.

Configure the country code

for the entity.

country country-code-str

Optional.
No country code is specified by default.

5.

Configure the FQDN for the
entity.

fqdn name-str

Optional.
No FQDN is specified by default.

6.

Configure the IP address for

the entity.

ip ip-address

Optional.
No IP address is specified by default.

7.

Configure the locality for the
entity.

locality locality-name

Optional.
No locality is specified by default.

8.

Configure the organization
name for the entity.

organization org-name

Optional.
No organization is specified by default.

9.

Configure the unit name for

the entity.

organization-unit
org-unit-name

Optional.
No unit is specified by default.

10.

Configure the state or
province for the entity.

state state-name

Optional.
No state or province is specified by default.

NOTE:

The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the entity
DN in a certificate request goes beyond a certain limit, the server will not respond to the certificate request.

Configuring a PKI domain

Before requesting a PKI certificate, an entity needs to be configured with some enrollment information,

which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other

applications like SSL, and has only local significance. The PKI domain configured on a device is invisible

to the CA and other devices, and each PKI domain has its own parameters.
A PKI domain is defined by these parameters:

Trusted CA—An entity requests a certificate from a trusted CA.

Entity—A certificate applicant uses an entity to provide its identity information to a CA.

RA—Generally, an independent RA is in charge of certificate request management. It receives the
registration request from an entity, examines its qualification, and determines whether to ask the CA

to sign a digital certificate. The RA only examines the application qualification of an entity. It does

not issue any certificate. Sometimes, the registration management function is provided by the CA,

in which case no independent RA is required. H3C recommends you to deploy an independent RA.

URL of the registration server—An entity sends a certificate request to the registration server

through SCEP, a dedicated protocol for an entity to communicate with a CA.

This manual is related to the following products:
See also other documents in the category H3C Technologies Safety: