4000 Router Series Security Configuration Guide

114

If you use RSA Keon, the SCEP add-on is not required. When you configure a PKI domain, you must use

the certificate request from ca command to specify the CA to accept certificate requests for PKI entity

enrollment to a CA.

Certificate request from an RSA Keon CA server

Network requirements

Configure the PKI entity (the device) to request a local certificate from the CA server.

Figure 33 Network diagram

Configuring the CA server

1. Create a CA server named myca:

In this example, you must configure these basic attributes on the CA server:

{ Nickname—Name of the trusted CA.

{ Subject DN—DN attributes of the CA, including the common name (CN), organization unit

(OU), organization (O), and country (C).

You can use the default values for the other attributes.

2. Configure extended attributes:

Enter the management interface for the CA server, and do the following for the jurisdiction

configuration:

{ Select the proper extension profiles.

{ Enable the SCEP autovetting function.

{ Specify the IP address list for SCEP autovetting.

Configuring the device

1. Synchronize the system time of the device with the CA server, so that the device can correctly

request certificates or obtain CRLs.

2. Create an entity named aaa with the common name as Device.

<Device> system-view

[Device] pki entity aaa

[Device-pki-entity-aaa] common-name Device

[Device-pki-entity-aaa] quit

3. Configure a PKI domain:

# Create a PKI domain named torsa and enter its view.

[Device] pki domain torsa

# Specify the name of the trusted CA as myca.

[Device-pki-domain-torsa] ca identifier myca

# Configure the URL of the registration server in the form of http://host:port/Issuing Jurisdiction ID,

where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server.