R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
301
NOTE:
The configuration of an entity DN must comply with the CA certificate issue policy. You need to determine,
for example, which entity DN parameters are mandatory and which are optional. Otherwise, certificate
requests might be rejected.
To configure an entity DN:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Create an entity and enter its
view.
pki entity entity-name No entity exists by default.
3. Configure the common name
for the entity.
common-name name
Optional.
No common name is specified by default.
4. Configure the country code
for the entity.
country country-code-str
Optional.
No country code is specified by default.
5. Configure the FQDN for the
entity.
fqdn name-str
Optional.
No FQDN is specified by default.
6. Configure the IP address for
the entity.
ip ip-address
Optional.
No IP address is specified by default.
7. Configure the locality for the
entity.
locality locality-name
Optional.
No locality is specified by default.
8. Configure the organization
name for the entity.
organization org-name
Optional.
No organization is specified by default.
9. Configure the unit name for
the entity.
organization-unit
org-unit-name
Optional.
No unit is specified by default.
10. Configure the state or
province for the entity.
state state-name
Optional.
No state or province is specified by
default.
NOTE:
• Up to two entities can be created on a device.
• The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the
entity DN in a certificate request goes beyond a certain limit, the server will not respond to the certificate
request.
Configuring a PKI domain
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information,
which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other
applications like IKE and SSL, and has only local significance. The PKI domain configured on a device
is invisible to the CA and other devices, and each PKI domain has its own parameters.
A PKI domain is defined by these parameters:
• Trusted CA—An entity requests a certificate from a trusted CA.