R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101

Configuring a PKI entity to request a certificate from a CA (method II)
1. Network requirements
As shown in Figure 91, configure the LB module to work as the PKI entity, so that:
The LB module submits a local certificate request to the CA server, which runs the RSA Keon software.
The LB module acquires CRLs for certificate verification.
Figure 91 Network diagram for configuring a PKI entity to request a certificate from a CA
2. Configure the CA server
# Create a CA server named myca.
In this example, you first need to configure the basic attributes of Nickname and Subject DN on the CA server:
Nickname—Name of the trusted CA
Subject DN—DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C)
The other attributes may use the default values.
# Configure extended attributes
After configuring the basic attributes, you need to perform configuration on the Jurisdiction
Configuration page of the CA server. This includes selecting the proper extension profiles, enabling the
SCEP autovetting function, and adding the IP address list for SCEP autovetting.
# Configure the CRL publishing behavior
After completing the above configuration, you need to perform CRL related configurations.
In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to
http://4.4.4.133:447/myca.crl.
After the above configuration, make sure that the system clock of the LB module is synchronous to that of
the CA, so that the LB module can request certificates and retrieve CRLs properly.
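The clock requirement above is what a CRL check actually enforces: a CRL carries a publication time and a next-update time, and a verifier whose clock is outside that window cannot treat the CRL as current. The following added example (not from this guide or the LB module's software) builds a throwaway CA, an LB-module certificate and a CRL with the Python `cryptography` library, using constructed names and times, and runs the same check from three local clocks.

```python
# Added example, not from the HP guide: throwaway CA, LB-module certificate and CRL built
# with the `cryptography` library (constructed names/times), checked against skewed clocks.
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

def _dn(cn):
    # Subject DN with CN and O (the guide's CA also carries OU and C); values constructed
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn),
                      x509.NameAttribute(NameOID.ORGANIZATION_NAME, "example")])

def build_pki(ca_now):
    # ca_now is the CA's clock (naive datetime, treated as UTC by the library)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = (x509.CertificateBuilder().subject_name(_dn("myca")).issuer_name(_dn("myca"))
               .public_key(ca_key.public_key()).serial_number(1)
               .not_valid_before(ca_now).not_valid_after(ca_now + timedelta(days=365))
               .sign(ca_key, hashes.SHA256()))
    lb_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    lb_cert = (x509.CertificateBuilder().subject_name(_dn("lb-module")).issuer_name(ca_cert.subject)
               .public_key(lb_key.public_key()).serial_number(2)
               .not_valid_before(ca_now).not_valid_after(ca_now + timedelta(days=30))
               .sign(ca_key, hashes.SHA256()))
    # CRL published now, next one due in 24 h (no serials revoked yet)
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
           .last_update(ca_now).next_update(ca_now + timedelta(hours=24))
           .sign(ca_key, hashes.SHA256()))
    return ca_cert, lb_cert, crl

def check_certificate(cert, crl, ca_cert, local_now):
    # Result as seen by a verifier (the LB module) whose clock reads local_now
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-signature-invalid"
    if not (crl.last_update <= local_now <= crl.next_update):
        return "crl-not-current"          # stale, or 'from the future', by the local clock
    if not (cert.not_valid_before <= local_now <= cert.not_valid_after):
        return "cert-outside-validity"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"

def clock_skew_demo():
    # Same CA, certificate and CRL; three LB-module clocks: in sync, 3 h behind, 2 days ahead
    ca_now = datetime(2024, 1, 1, 12, 0, 0)
    ca_cert, lb_cert, crl = build_pki(ca_now)
    return {"in_sync": check_certificate(lb_cert, crl, ca_cert, ca_now + timedelta(hours=1)),
            "behind": check_certificate(lb_cert, crl, ca_cert, ca_now - timedelta(hours=3)),
            "ahead": check_certificate(lb_cert, crl, ca_cert, ca_now + timedelta(days=2))}
```

Only the in-sync clock accepts the certificate; a clock behind the CA sees a CRL that does not exist yet, and a clock too far ahead sees an expired CRL, which is the failure the guide's clock-synchronization note is meant to prevent.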
3. Configure the LB module
# Create a PKI entity.
Select Security > PKI > Entity from the navigation tree and then click Add to perform the
configurations shown in Figure 92.