R3166-R3206-HP High-End Firewalls Network Management Configuration Guide-6PW101

NOTE:
In this example, Windows Server works as the CA and the Simple Certificate Enrollment Protocol (SCEP)
plug-in is installed on the CA.
Figure 236 Network diagram for SSL server policy configuration
Configuration procedure
1. Request a certificate for Firewall
# Configure a PKI entity named en.
<Firewall> system-view
[Firewall] pki entity en
[Firewall-pki-entity-en] common-name http-server1
[Firewall-pki-entity-en] fqdn ssl.security.com
[Firewall-pki-entity-en] quit
# Configure a PKI domain.
[Firewall] pki domain 1
[Firewall-pki-domain-1] ca identifier ca1
[Firewall-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Firewall-pki-domain-1] certificate request from ra
[Firewall-pki-domain-1] certificate request entity en
[Firewall-pki-domain-1] quit
# Create the local RSA key pairs.
[Firewall] public-key local create rsa
# Retrieve the CA certificate.
[Firewall] pki retrieval-certificate ca domain 1
# Request a local certificate.
[Firewall] pki request-certificate domain 1
2. Configure an SSL server policy
# Create an SSL server policy named myssl.
[Firewall] ssl server-policy myssl
# Specify the PKI domain for the SSL server policy as 1.
[Firewall-ssl-server-policy-myssl] pki-domain 1
# Enable client authentication.
[Firewall-ssl-server-policy-myssl] client-verify enable
[Firewall-ssl-server-policy-myssl] quit
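A consistency check for the two steps above, added here as an example and not taken from the HP guide: it reads a saved CLI transcript and confirms that the SSL server policy points at a defined PKI domain, that the domain's request entity exists, and that client authentication is enabled. The function names and the reliance on prompts of the form [sysname-view-name] are assumptions of this example.

```python
import re

# Constructed sample: view commands copied from the procedure above (quit lines omitted).
TRANSCRIPT = """\
[Firewall-pki-entity-en] common-name http-server1
[Firewall-pki-entity-en] fqdn ssl.security.com
[Firewall-pki-domain-1] ca identifier ca1
[Firewall-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Firewall-pki-domain-1] certificate request from ra
[Firewall-pki-domain-1] certificate request entity en
[Firewall-ssl-server-policy-myssl] pki-domain 1
[Firewall-ssl-server-policy-myssl] client-verify enable
"""

# Assumption: the prompt encodes the view and object name, as it does on this page.
LINE = re.compile(r"^\[\S+?-(pki-entity|pki-domain|ssl-server-policy)-(\S+)\]\s+(.+)$")

def parse(transcript):
    """Group commands by the view named in each prompt: {(view, name): [cmds]}."""
    objs = {}
    for line in transcript.splitlines():
        m = LINE.match(line.strip())
        if m:
            objs.setdefault((m.group(1), m.group(2)), []).append(m.group(3).strip())
    return objs

def last_arg(cmds, prefix):
    """Last word of the most recent command starting with prefix, or None."""
    hits = [c.split()[-1] for c in cmds if c.startswith(prefix + " ")]
    return hits[-1] if hits else None

def audit(objs):
    """Return a list of findings; an empty list means the references line up."""
    findings = []
    for (kind, name), cmds in objs.items():
        if kind == "pki-domain":
            ref = last_arg(cmds, "certificate request entity")
            if ("pki-entity", ref) not in objs:
                findings.append(f"pki domain {name}: request entity {ref or '<unset>'} is not defined")
        elif kind == "ssl-server-policy":
            ref = last_arg(cmds, "pki-domain")
            if ("pki-domain", ref) not in objs:
                findings.append(f"ssl server-policy {name}: pki domain {ref or '<unset>'} is not defined")
            if "client-verify enable" not in cmds:
                findings.append(f"ssl server-policy {name}: client authentication is not enabled")
    return findings

if __name__ == "__main__":
    print(audit(parse(TRANSCRIPT)) or "references are consistent")
```

Lines entered in system view or user view, and the # comment lines, do not match the pattern and are ignored, so a full session capture can be passed in unchanged.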