R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

• Auto—In auto mode, an entity automatically requests a certificate through Simple Certification

Enrollment Protocol (SCEP, a dedicated protocol for an entity to communicate with a CA) when it

has no local certificate or the present certificate is about to expire.

You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes

require different configurations:

Requesting a certificate manually

Table 27 Configuration task list for requesting a certificate manually

Task Remarks

Creating a PKI entity

Required

Create a PKI entity and configure the identity information.

A certificate is the binding of a public key and the identity information of an entity,

where the identity information is identified by an entity distinguished name (DN). A CA

identifies a certificate applicant uniquely by entity DN.

The identity settings of an entity must be compliant to the CA certificate issue policy.

Otherwise, the certificate request may be rejected.

Creating a PKI

domain

Required

Create a PKI domain, setting the certificate request mode to Manual.

Before requesting a PKI certificate, an entity needs to be configured with some

enrollment information, which is referred to as a PKI domain.

A PKI domain is intended only for convenience of reference by other applications like

IKE and SSL, and has only local significance.

Generating an RSA

key pair

Required

Generate a local RSA key pair.

By default, no local RSA key pair exists.

Generating an RSA key pair is an important step in certificate request. The key pair

includes a public key and a private key. The private key is kept by the user, while the

public key is transferred to the CA along with some other information.

TIP:

If there is already a local certificate, you need to remove the certificate before generating

a new key pair, so as to keep the consistency between the key pair and the local

certificate.

Retrieving the CA

certificate

Required

Obtain the CA certificate and save it locally. For more information, see “Retrieving and

splaying a certificate.”

Certificate retrieval serves two purposes:

• Locally store the certificates associated with the local security domain for improved

query efficiency and reduced query count,

• Prepare for certificate verification.

TIP:

If there are already CA certificates locally, you cannot perform the CA certificate retrieval

operation. This is to avoid possible mismatch between certificates and registration

information resulting from relevant changes. To retrieve the CA certificate, you need to

remove the CA certificate and local certificate first.