R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

Configuring a PKI entity to request a certificate from a CA (method ii)
Network requirements
As shown in Figure 191, configure Firewall to work as the PKI entity, so that:
Firewall submits a local certificate request to the CA server, which runs the RSA Keon software.
Firewall acquires CRLs for certificate verification.
Figure 191 Network diagram
Configuring the CA server
# Create a CA server named myca.
In this example, you need to configure the basic attributes of Nickname and Subject DN on the CA server first:
Nickname—Name of the trusted CA
Subject DN—DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C)
The other attributes may use the default values.
# Configure extended attributes.
After configuring the basic attributes, you need to perform configuration on the Jurisdiction
Configuration page of the CA server. This includes selecting the proper extension profiles, enabling the
SCEP autovetting function, and adding the IP address list for SCEP autovetting.
# Configure the CRL publishing behavior.
After completing the configuration, you need to perform CRL related configurations.
In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl.
After the configuration, make sure that the system clock of the device is synchronized with that of the CA, so that the device can request certificates and retrieve CRLs properly. A CRL carries a validity window (lastUpdate to nextUpdate), and a device whose clock is outside that window treats the CRL as unusable.
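The following is an added example, not part of the guide and not the firewall's own implementation. It uses the Python cryptography library to build a throw-away CA and CRL in-process (the CA name and dates are constructed) and then evaluates that CRL against several device clocks, which shows why the clock-sync requirement above matters: the same correctly signed CRL is rejected as not yet valid or expired when the verifying clock is behind or ahead of the CA.

```python
from datetime import datetime, timedelta

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def build_ca_and_crl(issued_at):
    """Constructed CA key plus a CRL valid for 7 days from issued_at.

    In production the CRL is the DER blob fetched from the CA's HTTP
    distribution point; here it is built locally so the check runs offline."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "myca"),          # Nickname/CN
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "lab"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "example"),
        x509.NameAttribute(NameOID.COUNTRY_NAME, "CN"),
    ])
    crl = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(issued_at)
        .next_update(issued_at + timedelta(days=7))
        .sign(private_key=key, algorithm=hashes.SHA256())
    )
    return key.public_key(), crl.public_bytes(serialization.Encoding.DER)


def crl_status(crl_der, ca_public_key, now):
    """Return 'ok', 'bad-signature', 'not-yet-valid' or 'expired'.

    `now` is the verifying device's clock (naive UTC); a skewed value makes a
    perfectly good CRL unusable, which is the failure the guide warns about."""
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(ca_public_key):
        return "bad-signature"           # wrong CA or tampered CRL
    if now < crl.last_update:
        return "not-yet-valid"           # device clock behind the CA
    if now >= crl.next_update:
        return "expired"                 # device clock ahead, or stale CRL
    return "ok"


def demo_statuses():
    """Evaluate one CRL with an in-sync clock, a slow clock, a fast clock
    and against the wrong CA key."""
    issued = datetime(2024, 1, 1)
    pub, crl_der = build_ca_and_crl(issued)
    other_pub, _ = build_ca_and_crl(issued)   # an unrelated CA
    return {
        "in-sync": crl_status(crl_der, pub, issued + timedelta(days=1)),
        "clock-behind-ca": crl_status(crl_der, pub, issued - timedelta(hours=1)),
        "clock-far-ahead": crl_status(crl_der, pub, issued + timedelta(days=8)),
        "wrong-ca": crl_status(crl_der, other_pub, issued + timedelta(days=1)),
    }
```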
Configuring Firewall
# Create a PKI entity.
Select VPN > Certificate Management > Entity from the navigation tree and then click Add to
perform the configurations shown in Figure 192.