R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
302
• Entity—A certificate applicant uses an entity to provide its identity information to a CA.
• RA—Generally, an independent RA is in charge of certificate request management. It receives the
registration request from an entity, checks its qualification, and determines whether to ask the CA
to sign a digital certificate. The RA only checks the application qualification of an entity; it does not
issue any certificate. Sometimes, the registration management function is provided by the CA, in
which case no independent RA is required. HP recommends you to deploy an independent RA.
• URL of the registration server—An entity sends a certificate request to the registration server through
Simple Certification Enrollment Protocol (SCEP), a dedicated protocol for an entity to communicate
with a CA.
• Polling interval and count—After an applicant makes a certificate request, the CA might need a
long period of time if it verifies the certificate request manually. During this period, the applicant
needs to query the status of the request periodically to get the certificate as soon as possible after
the certificate is signed. You can configure the polling interval and count to query the request status.
• IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs. If
this is the case, you need to configure the IP address of the LDAP server.
• Fingerprint for root certificate verification—After receiving the root certificate of the CA, an entity
needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate
content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not
match the one configured for the PKI domain, the entity will reject the root certificate.
To configure a PKI domain:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Create a PKI domain and
enter its view.
pki domain domain-name No PKI domain exists by default.
3. Specify the trusted CA. ca identifier name No trusted CA is specified by default.
4. Specify the entity for
certificate request.
certificate request entity
entity-name
No entity is specified by default.
The specified entity must exist.
5. Specify the authority for
certificate request.
certificate request from { ca |
ra }
No authority is specified by default.
6. Configure the URL of the
server for certificate request.
certificate request url
url-string
No URL is configured by default.
7. Configure the polling interval
and attempt limit for querying
the certificate request status.
certificate request polling
{ count count | interval
minutes }
Optional.
The polling is executed for up to 50 times
at the interval of 20 minutes by default.
8. Specify the LDAP server.
ldap-server ip ip-address
[ port port-number ] [ version
version-number ]
Optional.
No LDP server is specified by default.
9. Configure the fingerprint for
root certificate verification.
root-certificate fingerprint
{ md5 | sha1 } string
Required when the certificate request
mode is auto and optional when the
certificate request mode is manual. In the
latter case, if you do not configure this
command, the fingerprint of the root
certificate must be verified manually.
No fingerprint is configured by default.