R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

Configuration guidelines
If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and the local certificate first.
Be sure that the device system time falls within the validity period of the certificate so that the certificate is valid.
Configuration procedure
Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
To retrieve a certificate manually:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Retrieve a certificate manually.
  Command (online mode): pki retrieval-certificate { ca | local } domain domain-name
  Command (offline mode): pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]
  Remarks: Use either command. The pki retrieval-certificate configuration will not be saved in the configuration file.
NOTE:
In FIPS mode, make sure the algorithm in the certificate is supported by FIPS mode. Otherwise, the
certificate cannot be imported to the firewall.
Configuring PKI certificate verification
A certificate must be verified before it is used. Verifying a certificate checks that the certificate is signed by the CA and that it has neither expired nor been revoked.
You can specify whether CRL checking is required in certificate verification. If you enable CRL checking, CRLs are used when a certificate is verified, so be sure to retrieve both the CA certificate and the CRLs to the local device before the verification. If you disable CRL checking, you only need to retrieve the CA certificate.
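The following shell script is an added example, not HP/Comware code or anything from this guide: it reproduces the three checks just described (CA signature, validity period, CRL revocation) with the openssl CLI against a constructed throwaway PKI, showing what changes when CRL checking is enabled versus disabled and why the system-time guideline matters. It assumes only that openssl is installed.

```shell
#!/bin/sh
# Added example, not HP/Comware code: reproduces the three checks the guide
# describes (CA signature, validity period, CRL revocation) with the openssl
# CLI against a constructed throwaway PKI. Assumes only that openssl is installed.
set -eu

WORK=$(mktemp -d)

build_sample_pki() {
  # Constructed sample: a CA, one "local" certificate valid for 10 days,
  # and a CRL in which the CA has revoked that very certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
    -days 30 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=firewall.example" \
    -keyout "$WORK/local.key" -out "$WORK/local.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/local.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 10 -out "$WORK/local.crt" >/dev/null 2>&1
  # Minimal CA database so 'openssl ca' can revoke and then issue a CRL.
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/crlnumber"
  printf '[ca]\ndefault_ca = d\n[d]\ndatabase = %s/index.txt\ncrlnumber = %s/crlnumber\ndefault_md = sha256\n' \
    "$WORK" "$WORK" > "$WORK/ca.cnf"
  openssl ca -config "$WORK/ca.cnf" -cert "$WORK/ca.crt" -keyfile "$WORK/ca.key" \
    -revoke "$WORK/local.crt" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -cert "$WORK/ca.crt" -keyfile "$WORK/ca.key" \
    -gencrl -crldays 7 -out "$WORK/ca.crl" >/dev/null 2>&1
  # With CRL checking enabled the verifier needs the CA certificate AND the CRL.
  cat "$WORK/ca.crt" "$WORK/ca.crl" > "$WORK/ca_and_crl.pem"
}

# CRL checking disabled: only the CA certificate is needed, so the revoked
# certificate still passes because revocation status is never consulted.
verify_without_crl_check() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/local.crt" >/dev/null 2>&1
}

# CRL checking enabled: the same certificate is rejected as revoked.
verify_with_crl_check() {
  openssl verify -crl_check -CAfile "$WORK/ca_and_crl.pem" "$WORK/local.crt" >/dev/null 2>&1
}

# Validity is judged against the verifier's clock. $1 is a Unix time standing
# in for the device system time; outside notBefore..notAfter the check fails.
verify_at_time() {
  openssl verify -attime "$1" -CAfile "$WORK/ca.crt" "$WORK/local.crt" >/dev/null 2>&1
}

build_sample_pki
```

Each verify function returns openssl's exit status, so it can be used directly in a shell condition; the revoked certificate only fails once the CRL is present and -crl_check is set, which is exactly the retrieval requirement the guide states for CRL-checking-enabled verification.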
Configuring CRL-checking-enabled PKI certificate verification
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter PKI domain view.
  Command: pki domain domain-name
  Remarks: N/A

Step 3. Specify the URL of the CRL distribution point.
  Command: crl url url-string
  Remarks: Optional. No CRL distribution point URL is specified by default.

Step 4. Set the CRL update period.
  Command: crl update-period hours
  Remarks: Optional. By default, the CRL update period depends on the next update field in the CRL file.