R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101
97
To do… Use the command…
Remarks
Display information about one or
all certificate attribute groups
display pki certificate attribute-group
{ group-name | all }
Available in any view
Display information about one or
all certificate attribute-based
access control policies
display pki certificate access-control-policy
{ policy-name | all }
Available in any view
PKI configuration examples
NOTE:
• The SCEP add-on is required when you use the Windows Server as the CA. In this case, when
configuring the PKI domain, you need to use the certificate request from ra command to specify that the
entity requests a certificate from an RA.
• The SCEP add-on is not required when RSA Keon is used. In this case, when confi
g
urin
g
a PKI domain,
you need to use the certificate request from ca command to specify that the entity requests a certificate
from a CA.
Requesting a certificate from a CA running RSA Keon
NOTE:
The CA server runs RSA Keon in this configuration example.
1. Network requirements
• The LB module submits a local certificate request to the CA server.
• The LB module acquires the CRLs for certificate verification.
Figure 98 Request a certificate from a CA running RSA Keon
2. Configure the CA server
# Create a CA server named myca.
In this example, you need to configure these basic attributes on the CA server at first:
• Nickname: Name of the trusted CA.
• Subject DN: DN information of the CA, including the Common Name (CN), Organization Unit
(OU), Organization (O), and Country (C).
The other attributes may be left using the default values.
# Configure extended attributes.
After configuring the basic attributes, you need to perform configuration on the jurisdiction configuration
page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP
autovetting function, and adding the IP address list for SCEP autovetting.