R2511-HP MSR Router Series Security Configuration Guide(V5)
In this example, the CA server runs Windows Server and has the SCEP plug-in installed.
Figure 131 Network diagram
Configuration considerations
To meet the network requirements, perform the following tasks:
• Configure Device to work as the HTTPS server and request a certificate for Device.
• Request a certificate for Host so that Device can authenticate the identity of Host.
• Configure a CA server to issue certificates to Device and Host.
Configuration procedure
Before performing the following tasks, make sure Device, Host, and the CA server can reach each other.
1. Configure the HTTPS server on Device:
# Create a PKI entity named en, and configure the common name as http-server1 and the FQDN as ssl.security.com.
<Device> system-view
[Device] pki entity en
[Device-pki-entity-en] common-name http-server1
[Device-pki-entity-en] fqdn ssl.security.com
[Device-pki-entity-en] quit
# Create PKI domain 1, specify the trusted CA as CA server, the URL of the registration server as http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request as RA, and the entity for certificate request as en.
[Device] pki domain 1
[Device-pki-domain-1] ca identifier ca server
[Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Device-pki-domain-1] certificate request from ra
[Device-pki-domain-1] certificate request entity en
[Device-pki-domain-1] quit
# Create the local RSA key pairs.
[Device] public-key local create rsa
# Retrieve the CA certificate.
[Device] pki retrieval-certificate ca domain 1
# Request a local certificate for Device.
[Device] pki request-certificate domain 1
# Create an SSL server policy named myssl.
[Device] ssl server-policy myssl










