R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

231

232

233

234

235

236

237

238

239

240

222

Ste

Command

Remarks

4. Configure the country code

for the entity.

country country-code-str

Optional.

No country code is specified by

default.

5. Configure the FQDN for the

entity.

fqdn name-str

Optional.

No FQDN is specified by default.

6. Configure the IP address for

the entity.

ip ip-address

Optional.

No IP address is specified by

default.

7. Configure the locality for the

entity.

locality locality-name

Optional.

No locality is specified by default.

8. Configure the organization

name for the entity.

organization org-name

Optional.

No organization is specified by

default.

9. Configure the unit name for

the entity.

organization-unit org-unit-name

Optional.

No unit is specified by default.

10. Configure the state or

province for the entity.

state state-name

Optional.

No state or province is specified by

default.

NOTE:

The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the entity

DN in a certificate request goes beyond a certain limit, the server will not respond to the certificate request.

Configuring a PKI domain

Before requesting a PKI certificate, an entity needs to be configured with some enrollment information,

which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other

applications like IKE and SSL, and has only local significance. The PKI domain configured on a device

is invisible to the CA and other devices, and each PKI domain has its own parameters.

A PKI domain is defined by these parameters:

• Trusted CA—An entity requests a certificate from a trusted CA.

• Entity—A certificate applicant uses an entity to provide its identity information to a CA.

• RA—Generally, an independent RA is in charge of certificate request management. It receives the

registration request from an entity, examines its qualification, and determines whether to ask the CA

to sign a digital certificate. The RA only examines the application qualification of an entity. It does

not issue any certificate. Sometimes, the registration management function is provided by the CA,

in which case no independent RA is required. HP recommends that you to deploy an independent

RA.

• URL of the registration server—An entity sends a certificate request to the registration server

through SCEP, a dedicated protocol for an entity to communicate with a CA.

• Polling interval and count—After an applicant makes a certificate request, the CA might need a

long period of time if it verifies the certificate request manually. During this period, the applicant