R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

Subject DN: DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C).
The other attributes may use the default values.
# Configure extended attributes
After configuring the basic attributes, perform configuration on the Jurisdiction Configuration page of the
CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function,
and adding the IP address list for SCEP autovetting.
# Configure the CRL publishing behavior
After completing the basic and extended attributes, configure the CRL-related settings.
In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl.
After the configuration, make sure that the system clock of the device is synchronized with that of the CA, so that the device can request certificates and retrieve CRLs properly (certificate and CRL validity periods are checked against the local clock).
b. Configure the firewall
# Create a PKI entity.
Select VPN > PKI > Entity from the navigation tree and then click Add.
Type aaa as the PKI entity name.
Type device as the common name.
Click Apply.
# Create a PKI domain.
Select VPN > PKI > Domain from the navigation tree and then click Add.
Type torsa as the PKI domain name.
Type myca as the CA identifier.
Select aaa as the local entity.
Select CA as the authority for certificate request.
Type http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for
certificate request. The URL must be in the format of http://host:port/Issuing Jurisdiction ID, where
Issuing Jurisdiction ID is the hexadecimal string generated on the CA.
Select Manual as the certificate request mode.
Click Display Advanced Config to display the advanced configuration items.
Select the Enable CRL Checking check box.
Type http://4.4.4.133:447/myca.crl as the CRL URL.
Click Apply.
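As an added pre-check (example code written for this guide's procedure, not part of the HP documentation or the device software), the following Python validates the two URLs before they are typed into the PKI domain form. It applies the format stated above for the certificate request URL (http://host:port/Issuing Jurisdiction ID, with a hexadecimal ID) and the HTTP CRL publishing URL; the function names, the hex-only rule, and the requirement that the CRL path name a .crl file are assumptions made for this example.

```python
"""Validate PKI domain URLs before entering them in the firewall's PKI domain form.

Assumed helper names (not from the HP guide): check_cert_request_url, check_crl_url.
"""
import re
from urllib.parse import urlsplit

# Constructed inputs mirroring the values used in the guide's example
CERT_REQUEST_URL = "http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337"
CRL_URL = "http://4.4.4.133:447/myca.crl"

HEX_ID = re.compile(r"[0-9a-fA-F]+")


def _check_host_and_port(parts, problems):
    """Shared host/port checks; appends human-readable problems to the list."""
    if not parts.hostname:
        problems.append("missing host")
    try:
        if parts.port is None:
            problems.append("missing port")
    except ValueError:
        problems.append("port is not a number")


def check_cert_request_url(url):
    """Return a list of problems with a certificate request URL (empty list means OK).

    Expected form: http://host:port/<Issuing Jurisdiction ID>, where the ID is the
    hexadecimal string generated on the CA (assumption: the ID is hex only).
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "http":
        problems.append("scheme must be http")
    _check_host_and_port(parts, problems)
    path = parts.path.lstrip("/")
    if not path or "/" in path:
        problems.append("path must be a single Issuing Jurisdiction ID segment")
    elif not HEX_ID.fullmatch(path):
        problems.append("Issuing Jurisdiction ID must be hexadecimal")
    if parts.query or parts.fragment:
        problems.append("URL must not carry a query or fragment")
    return problems


def check_crl_url(url):
    """Return a list of problems with an HTTP CRL URL (empty list means OK).

    Matches the guide's local HTTP CRL publishing mode; the .crl suffix rule is
    an assumption for this example.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "http":
        problems.append("scheme must be http for HTTP CRL publishing")
    _check_host_and_port(parts, problems)
    if not parts.path.lower().endswith(".crl"):
        problems.append("CRL path should name a .crl file")
    return problems


def validate_pki_domain(cert_request_url, crl_url):
    """Return a dict of field -> problems for the two URLs of a PKI domain."""
    return {
        "certificate_request_url": check_cert_request_url(cert_request_url),
        "crl_url": check_crl_url(crl_url),
    }


if __name__ == "__main__":
    for field, problems in validate_pki_domain(CERT_REQUEST_URL, CRL_URL).items():
        print(field, "OK" if not problems else "; ".join(problems))
```

Run the script with the values you intend to enter; an empty problem list for both fields means the URLs at least have the shape the device expects, which rules out the common typo of pasting the Issuing Jurisdiction ID with a trailing slash or on the wrong port.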
# Generate an RSA key pair.
Select VPN > PKI > Certificate from the navigation tree and then click Create Key.
Click Apply to generate an RSA key pair.
# Retrieve the CA certificate.
Select VPN > PKI > Certificate from the navigation tree and then click Retrieve Cert.