4000 Router Series Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP MSR3024 TAA-compliant AC Router

111

112

113

114

115

116

117

118

119

120

103

• FQDN of the entity.

• IP address of the entity.

Whether the categories are required or optional depends on the CA policy. Follow the CA policy to

configure the entity settings. For example, if the CA policy requires the entity DN, but you configure only

the IP address, the CA rejects the certificate request from the entity.

The SCEP add-on on the Windows 2000 CA server has restrictions on the data length of a certificate

request. If a request for a PKI entity exceeds the data length limit, the CA server does not respond to the

certificate request. In this case, you can use an out-of-band means to submit the request and the CA

server can issue a certificate. Other types of CA servers, such as RSA servers and OpenCA servers, do

not have such restrictions.

To configure a PKI entity:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Create a PKI entity and enter

its view.

pki entity entity-name

By default, no PKI entities exist.

To create multiple PKI entities, repeat

this step.

3. Set a common name for the

entity.

common-name

common-name-sting

By default, the common name is not set.

4. Set the country code of the

entity.

country country-code-string By default, the country code is not set.

5. Set the locality of the entity.

locality locality-name By default, the locality is not set.

6. Set the organization of the

entity.

organization org-name By default, the organization is not set.

7. Set the unit of the entity in

the organization.

organization-unit org-unit-name

By default, the unit is not set.

8. Set the state where the entity

resides.

state state-name By default, the state is not set.

9. Set the FQDN of the entity.

fqdn fqdn-name-string By default, the FQDN is not set.

10. Configure the IP address of

the entity.

ip { ip-address | interface

interface-type

interface-number }

By default, the IP address is not

configured.

Configuring a PKI domain

A PKI domain contains enrollment information for a PKI entity. It is locally significant and is intended only

for reference by other applications like IKE.

The fingerprint of a CA root certificate is the hash value of the root certificate content. Each CA root

certificate has a unique hash value. You can specify the fingerprint used for verifying the root certificate

in the PKI domain.

After receiving a CA root certificate that does not exist locally, the PKI entity verifies the fingerprint of the

root certificate in the following cases:

• For an obtained or imported CA root certificate, if its fingerprint does not match the one configured

for the PKI domain, the device rejects the root certificate, and the obtain or import operation fails.