beautypg.com

Submitting a pki certificate request – H3C Technologies H3C SecBlade LB Cards User Manual

Page 144

background image

133

Polling interval and count—After an applicant makes a certificate request, the CA might need a

long period of time if it verifies the certificate request manually. During this period, the applicant
needs to query the status of the request periodically to get the certificate as soon as possible after

the certificate is signed. You can configure the polling interval and count to query the request status.

IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs.
If this is the case, you need to configure the IP address of the LDAP server.

Fingerprint for root certificate verification—After receiving the root certificate of the CA, an entity
needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate

content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not
match the one configured for the PKI domain, the entity will reject the root certificate.

To configure a PKI domain:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Create a PKI domain and

enter its view.

pki domain domain-name

No PKI domain exists by default.
You can configure up to 32 PKI domains
on a device.

3.

Specify the trusted CA.

ca identifier name

No trusted CA is specified by default.
The CA name is required only when you
retrieve a CA certificate. It is not used for

local certificate request.

4.

Specify the entity for
certificate request.

certificate request entity

entity-name

No entity is specified by default.
The specified entity must exist.

5.

Specify the authority for
certificate request.

certificate request from { ca |
ra }

No authority is specified by default.

6.

Configure the URL of the
server for certificate request.

certificate request url
url-string

No URL is configured by default.
The URL does not support domain name
resolution.

7.

Configure the polling interval

and attempt limit for querying
the certificate request status.

certificate request polling
{ count count | interval

minutes }

Optional.
The polling is executed for up to 50 times
at the interval of 20 minutes by default.

8.

Specify the LDAP server.

ldap-server ip ip-address
[ port port-number ] [ version

version-number ]

Optional.
No LDP server is specified by default.

9.

Configure the fingerprint for
root certificate verification.

root-certificate fingerprint

{ md5 | sha1 } string

Required when the certificate request
mode is auto and optional when the

certificate request mode is manual. In the
latter case, if you do not configure this

command, the fingerprint of the root

certificate must be verified manually.
No fingerprint is configured by default.

Submitting a PKI certificate request

When requesting a certificate, an entity introduces itself to the CA by providing its identity information

and public key, which will be the major components of the certificate. A certificate request can be

This manual is related to the following products:
See also other documents in the category H3C Technologies Safety: