HP MSR2000/3000/4000 Router Series Security Configuration Guide

If you do not specify the fingerprint for the PKI domain, the system asks you to verify the fingerprint manually.
When IKE triggers an automatic local certificate request, the device compares the fingerprint of the obtained CA root certificate against the fingerprint configured for the PKI domain. If they do not match, the device rejects the root certificate and the local certificate request fails. If no fingerprint is configured for the PKI domain, the local certificate request also fails, because there is no operator present to verify it manually.
To configure a PKI domain:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create a PKI domain and enter its view.
    Command: pki domain domain-name
    Remarks: By default, no PKI domains exist.

Step 3. Specify the trusted CA.
    Command: ca identifier name
    Remarks: By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be provided. The trusted CA name is carried in SCEP messages, and the CA server does not use this name unless the server has two CAs configured with the same registration server.

Step 4. Specify the entity for certificate request.
    Command: certificate request entity entity-name
    Remarks: By default, no entity is specified.

Step 5. Specify the authority for accepting certificate requests.
    Command: certificate request from { ca | ra }
    Remarks: By default, no authority is specified.

Step 6. Specify the URL of the registration server for certificate request.
    Command: certificate request url url-string [ vpn-instance vpn-instance-name ]
    Remarks: By default, the URL of the registration server is not specified. Do not configure this command when you request a certificate in offline mode.

Step 7. (Optional.) Set the polling interval and maximum number of attempts for querying the certificate request status.
    Command: certificate request polling { count count | interval minutes }
    Remarks: By default, the polling interval is 20 minutes, and the maximum number of attempts is 50.

Step 8. Specify the LDAP server.
    Command: ldap-server host hostname [ port port-number ] [ vpn-instance vpn-instance-name ]
    Remarks: Required when the LDAP server acts as the CRL repository, or the URL of the CRL repository does not contain the host name. By default, no LDAP server is specified.
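The following session walks through steps 1 to 8 above in order and also pins the CA root certificate fingerprint discussed at the start of this section, so that an IKE-triggered automatic certificate request can complete without an operator and a substituted root certificate is rejected. It is an added example, not a configuration taken from the guide. The domain name, entity name, CA identifier, host names, URL and polling values are made-up placeholders, the prompt format is assumed, and the root-certificate fingerprint command is assumed from the guide's PKI command set (it is not shown in this section); the fingerprint value is a placeholder to be replaced with the one your CA operator publishes out of band.

```text
<Sysname> system-view
[Sysname] pki domain example-domain
[Sysname-pki-domain-example-domain] ca identifier example-ca
[Sysname-pki-domain-example-domain] certificate request entity example-entity
[Sysname-pki-domain-example-domain] certificate request from ra
[Sysname-pki-domain-example-domain] certificate request url http://ra.example.com:8080/scep
[Sysname-pki-domain-example-domain] certificate request polling interval 10
[Sysname-pki-domain-example-domain] certificate request polling count 30
[Sysname-pki-domain-example-domain] ldap-server host ldap.example.com port 389
[Sysname-pki-domain-example-domain] root-certificate fingerprint sha1 <PLACEHOLDER-40-HEX-DIGITS-FROM-CA-OPERATOR>
[Sysname-pki-domain-example-domain] quit
```

The two polling commands are entered separately because the syntax accepts either count or interval per invocation. The ldap-server line is only needed when the LDAP server holds the CRL or the CRL URL omits the host name; drop it otherwise. Obtain the fingerprint from the CA operator through a channel other than the SCEP server itself (a signed e-mail, a ticket, or a printed hand-over), since a fingerprint fetched from the same server that delivers the certificate verifies nothing.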