R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
308
Task Command
Remarks
Display information about one
or all certificate attribute
groups.
display pki certificate attribute-group
{ group-name | all } [ | { begin | exclude |
include } regular-expression ]
Available in any view
Display information about one
or all certificate attribute-based
access control policies.
display pki certificate access-control-policy
{ policy-name | all } [ | { begin | exclude |
include } regular-expression ]
Available in any view
PKI configuration examples at the CLI
CAUTION:
• The SCEP add-on is required when you use the Windows Server as the CA. In this case, when you
configure the PKI domain, use the certificate request from ra command to specify that the entity
requests a certificate from an RA.
• The SCEP add-on is not required when RSA Keon is used. In this case, when you configure a PKI
domain, use the certificate request from ca command to specify that the entity requests a certificate
from a CA.
Requesting a certificate from a CA server running RSA Keon
Network requirements
• As a PKI entity, Firewall submits a local certificate request to the CA server.
• Firewall acquires the CRLs for certificate verification.
Figure 207 Network diagram
Configuring the CA server
1. Create a CA server named myca:
In this example, you need to configure these basic attributes on the CA server at first:
{ Nickname—Name of the trusted CA.
{ Subject DN—DN information of the CA, including the Common Name (CN), Organization
Unit (OU), Organization (O), and Country (C).
The other attributes might be left using the default values.
2. Configure extended attributes:
After configuring the basic attributes, you need to perform configuration on the jurisdiction
configuration page of the CA server. This includes selecting the proper extension profiles,
enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting.
3. Configure the CRL distribution behavior: