R2511-HP MSR Router Series Security Configuration Guide(V5)
CA Issuers - URI:http://l00192b/CertEnroll/l00192b_CA%20server.crt
CA Issuers - URI:file://\\l00192b\CertEnroll\l00192b_CA server.crt
1.3.6.1.4.1.311.20.2:
.0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e
…
You can also use other display commands, such as the display pki certificate ca domain command,
to display more information about the CA certificate.
IKE negotiation with RSA digital signature
Network requirements
An IPsec tunnel is set up between Router A and Router B to secure the traffic between Host A on subnet
10.1.1.0/24 and Host B on subnet 11.1.1.0/24.
Router A and Router B use IKE to negotiate the IPsec tunnel and authenticate each other with RSA
digital signatures based on certificates from a PKI system. Router A and Router B use the same CA.
Figure 72 Network diagram
Configuration procedure
1. Configure Router A:
# Configure the entity DN.
<RouterA> system-view
[RouterA] pki entity en
[RouterA-pki-entity-en] ip 2.2.2.1
[RouterA-pki-entity-en] common-name routera
[RouterA-pki-entity-en] quit










