HP MSR2000/3000/4000 Router Series Security Configuration Guide
81:99:31:89
To display detailed information about the CA certificate, use the display pki certificate domain
command.
IKE negotiation with RSA digital signature from a Windows 2003 CA server
Network requirements
Device A and Device B establish an IPsec tunnel to protect the traffic between Host A on subnet
10.1.1.0/24 and Host B on subnet 1.1.1.0/24.
Device A and Device B use IKE to set up SAs, and the IKE proposal uses RSA digital signature for identity
authentication.
Device A and Device B use the same CA.
Figure 36 Network diagram
Configuring the CA server
In this example, a Windows 2003 server acts as the CA server. For information about how to configure
such a server, see "Certificate request from a Windows 2003 CA server."
Configuring Device A
# Configure a PKI entity.
<DeviceA> system-view
[DeviceA] pki entity en
[DeviceA-pki-entity-en] ip 2.2.2.1
[DeviceA-pki-entity-en] common-name devicea










