R0106-HP MSR Router Series Security Configuration Guide(V7)
The fingerprint of a CA root certificate is the hash value of the root certificate content. Each CA root
certificate has a unique hash value. You can specify the fingerprint used for verifying the root certificate
in the PKI domain. Because a root certificate cannot be verified against any certificate already trusted
by the device, the configured fingerprint is the only means the device has to authenticate a root
certificate it obtains from the registration server. Compute the value from a trusted copy of the root
certificate obtained out of band, not from the certificate the server returns.
After receiving a CA root certificate that does not exist locally, the PKI entity verifies the fingerprint of the
root certificate in the following cases:
• For an obtained or imported CA root certificate, if its fingerprint does not match the one configured
for the PKI domain, the device rejects the root certificate, and the obtain or import operation fails.
If you do not specify the fingerprint for the PKI domain, the system asks you to verify the fingerprint
manually.
• For a CA root certificate obtained during an automatic local certificate request triggered by IKE,
if its fingerprint does not match the one configured for the PKI domain, the device rejects the root
certificate, and the local certificate request fails. If you do not specify the fingerprint for the PKI
domain, the local certificate request fails because no one is present to verify the fingerprint manually.
To configure a PKI domain:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a PKI domain and enter its view. | pki domain domain-name | By default, no PKI domains exist. |
| 3. Specify the trusted CA. | ca identifier name | By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be provided. The trusted CA name is carried in SCEP messages; the CA server does not use this name unless the server has two CAs configured with the same registration server. |
| 4. Specify the entity for certificate request. | certificate request entity entity-name | By default, no entity is specified. |
| 5. Specify the authority for accepting certificate requests. | certificate request from { ca \| ra } | By default, no authority is specified. |
| 6. Specify the URL of the registration server for certificate request. | certificate request url url-string [ vpn-instance vpn-instance-name ] | By default, the URL of the registration server is not specified. Do not configure this command when you request a certificate in offline mode. |
| 7. (Optional.) Set the polling interval and maximum number of attempts for querying the certificate request status. | certificate request polling { count count \| interval minutes } | By default, the polling interval is 20 minutes, and the maximum number of attempts is 50. |
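The following is an added example, not taken from the guide, that puts steps 1 through 7 together for a domain that also pins the CA root certificate fingerprint discussed above. The entity name, domain name, CA identifier, URL, VPN instance, polling values and fingerprint value are placeholders. The pki entity and common-name commands (which create the entity that step 4 references) and the root-certificate fingerprint command are assumed from other sections of the guide; they do not appear in this excerpt.

```text
# Added example configuration (not from the original guide).
# All names, the URL and the fingerprint are placeholders.

# Create the PKI entity that the domain will use for certificate requests
# (pki entity / common-name are assumed from the PKI entity section).
<Sysname> system-view
[Sysname] pki entity branch1
[Sysname-pki-entity-branch1] common-name branch1-router
[Sysname-pki-entity-branch1] quit

# Step 2: create the PKI domain.
[Sysname] pki domain corp
# Step 3: name of the trusted CA, carried in SCEP messages.
[Sysname-pki-domain-corp] ca identifier CorpRootCA
# Step 4: entity whose attributes go into the certificate request.
[Sysname-pki-domain-corp] certificate request entity branch1
# Step 5: requests are accepted by an RA, not the CA directly.
[Sysname-pki-domain-corp] certificate request from ra
# Step 6: registration server URL, reached through the mgmt VPN instance.
#         Omit this line when requesting the certificate in offline mode.
[Sysname-pki-domain-corp] certificate request url http://ra.example.com:8080/certsrv/mscep/mscep.dll vpn-instance mgmt
# Step 7 (optional): poll every 10 minutes, at most 30 times, instead of 20 minutes / 50 attempts.
[Sysname-pki-domain-corp] certificate request polling interval 10
[Sysname-pki-domain-corp] certificate request polling count 30
# Pin the root certificate fingerprint (command and syntax assumed from a later section;
# the hex value is a placeholder). Compute it from a trusted copy of the root certificate
# obtained out of band, never from the certificate the server returns.
[Sysname-pki-domain-corp] root-certificate fingerprint sha1 0123456789abcdef0123456789abcdef01234567
[Sysname-pki-domain-corp] quit
```

With the fingerprint configured, a root certificate obtained for this domain, whether by a manual obtain operation or automatically when IKE triggers a local certificate request, is accepted only if its hash equals the configured value; any mismatch fails the obtain or the request. Drop the root-certificate fingerprint line and a manual obtain will prompt you to confirm the fingerprint, while the IKE-triggered automatic request fails, exactly as described above. Keeping the fingerprint in the configuration is therefore required for unattended deployments, and the value should be treated with the same care as any other trust anchor.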