F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

Displaying PKI

Task: Display the contents or request status of a certificate.
Command: display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display CRLs.
Command: display pki crl domain domain-name [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display information about one or all certificate attribute groups.
Command: display pki certificate attribute-group { group-name | all } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display information about one or all certificate attribute-based access control policies.
Command: display pki certificate access-control-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Certificate request from an RSA Keon CA server configuration example

Network requirements

The firewall submits a local certificate request to the CA server. The firewall obtains the CRLs for certificate verification.
Figure 210 Network diagram
Configuring the CA server

1. Create a CA server named myca:
   a. Configure these basic attributes on the CA server:
      - Nickname—Name of the trusted CA.
      - Subject DN—DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C).
   b. Use the default settings for the other attributes.
2. Configure extended attributes:
   After configuring the basic attributes, perform configuration on the jurisdiction configuration page of the CA server. Select the proper extension profiles, enable the SCEP autovetting function, and add the IP address list for SCEP autovetting.
3. Configure the CRL distribution behavior: