H3C Technologies H3C SecBlade LB Cards User Manual
Page 150
139
The LB product submits a local certificate request to the CA server. The device acquires the CRLs for
certificate verification.
Figure 67 Network diagram
2.
Configuring the CA server
# Create a CA server named myca:
a.
Configure these basic attributes on the CA server:
{
Nickname—Name of the trusted CA.
{
Subject DN—DN information of the CA, including the Common Name (CN), Organization Unit
(OU), Organization (O), and Country (C).
b.
Use the default settings for the other attributes.
# Configure extended attributes:
After configuring the basic attributes, perform configuration on the jurisdiction configuration page
of the CA server. Select the proper extension profiles, enable the SCEP autovetting function, and
add the IP address list for SCEP autovetting.
# Configure the CRL distribution behavior:
After completing the configuration, perform CRL related configurations. In this example, select the
local CRL distribution mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl.
After the configuration, make sure the system clock of the device is synchronous to that of the CA, so that
the device can request certificates and retrieve CRLs properly.
3.
Configuring the LB product
a.
Configure the entity name as aaa and the common name as lb:
[LB] pki entity aaa
[LB-pki-entity-aaa] common-name lb
[LB-pki-entity-aaa] quit
b.
Configure the PKI domain:
# Create PKI domain torsa and enter its view.
[LB] pki domain torsa
# Configure the name of the trusted CA as myca.
[LB-pki-domain-torsa] ca identifier myca
# Configure the URL of the registration server in the format of http://host:port/Issuing
Jurisdiction ID, where Issuing Jurisdiction ID is a hexadecimal string generated on the CA
server.
[LB-pki-domain-torsa] certificate request url
http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337
# Set the registration authority to CA.
[LB-pki-domain-torsa] certificate request from ca
# Specify the entity for certificate request as aaa.