R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

231

232

233

234

235

236

237

238

239

240

223

needs to query the status of the request periodically to get the certificate as soon as possible after

the certificate is signed. You can configure the polling interval and count to query the request status.

• IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs.

If this is the case, you need to configure the IP address of the LDAP server.

• Fingerprint for root certificate verification—After receiving the root certificate of the CA, an entity

needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate

content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not

match the one configured for the PKI domain, the entity will reject the root certificate.

To configure a PKI domain:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Create a PKI domain and

enter its view.

pki domain domain-name

No PKI domain exists by default.

You can configure up to 32 PKI

domains on a device.

3. Specify the trusted CA.

ca identifier name

No trusted CA is specified by

default.

The CA name is required only

when you obtain a CA certificate.

It is not used for local certificate

request.

4. Specify the entity for

certificate request.

certificate request entity

entity-name

No entity is specified by default.

The specified entity must exist.

5. Specify the authority for

certificate request.

certificate request from { ca | ra }

No authority is specified by

default.

6. Configure the URL of the

server for certificate request.

certificate request url url-string

No URL is configured by default.

The URL does not support domain

name resolution.

7. Configure the polling interval

and attempt limit for querying

the certificate request status.

certificate request polling { count

count | interval minutes }

Optional.

The polling is executed for up to 50

times at the interval of 20 minutes

by default.

8. Specify the LDAP server.

ldap-server ip ip-address [ port

port-number ] [ version

version-number ]

Optional.

No LDP server is specified by

default.

9. Configure the fingerprint for

root certificate verification.

root-certificate fingerprint { md5 |

sha1 } string

Required when the certificate

request mode is auto and optional

when the certificate request mode

is manual. In the latter case, if you

do not configure this command, the

fingerprint of the root certificate

must be verified manually.

No fingerprint is configured by

default.