R0106-HP MSR Router Series Security Configuration Guide(V7)

Step 8. Specify the LDAP server.
  Command:
    ldap-server host hostname [ port port-number ] [ vpn-instance vpn-instance-name ]
  Remarks:
    Required when the LDAP server acts as the CRL repository, or the URL of the CRL repository does not contain the host name.
    By default, no LDAP server is specified.

Step 9. Specify the fingerprint for root certificate verification.
  Command:
    In non-FIPS mode:
      root-certificate fingerprint { md5 | sha1 } string
    In FIPS mode:
      root-certificate fingerprint sha1 string
  Remarks:
    Optional if you manually request local certificates.
    If you want to verify the fingerprint manually, do not configure this command.
    By default, no fingerprint is specified.

Step 10. Specify the key pair for certificate request.
  Command:
    Specify an RSA key pair:
      public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] }
    Specify a DSA key pair:
      public-key dsa name key-name [ length key-length ]
  Remarks:
    Use either command.
    By default, no key pair is specified.
    You can specify a non-existing key pair, which is generated during the certificate application.
    For information about how to generate DSA and RSA key pairs, see "Managing public keys."

Step 11. (Optional.) Specify the extended application of the certificate.
  Command:
    usage { ike | ssl-client | ssl-server } *
  Remarks:
    By default, the certificate is for all extended applications, including IKE, SSL clients, and SSL servers.
    The extension of a certificate depends on the certificate user, and it is not limited by PKI.
    The extension options contained in an issued certificate depend on the CA policy, and they might be different from those specified in the PKI domain.

Step 12. Specify the source IP address for the PKI protocol packets.
  Command:
    Specify the source IPv4 address for the PKI protocol packets:
      source ip { ip-address | interface { interface-type interface-number } }
    Specify the source IPv6 address for the PKI protocol packets:
      source ipv6 { ipv6-address | interface { interface-type interface-number } }
  Remarks:
    Required if the CA policy defines the CA server to accept requests from a specific IP address or subnet.
    Use one of the commands.
    By default, the source IP address is the outgoing interface IP address of the route to the CA.
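
For step 9, the following added example (not part of the HP guide) computes a CA certificate's fingerprint out-of-band, checks it against a value obtained from the CA administrator, and prints the matching command. It assumes the fingerprint string is the hexadecimal digest of the DER-encoded certificate; the function names and the sample PEM are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Algorithms the table lists for "root-certificate fingerprint", keyed by FIPS mode.
ALLOWED = {False: ("md5", "sha1"), True: ("sha1",)}

# Constructed placeholder, NOT a real certificate: the body decodes to b"abc".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(pem: str, algo: str = "sha1", fips: bool = False) -> str:
    """Hex digest of the DER encoding (assumed fingerprint definition)."""
    if algo not in ALLOWED[fips]:
        raise ValueError(f"{algo} is not allowed when fips={fips}")
    return hashlib.new(algo, pem_to_der(pem)).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AA:BB:..' or spaced forms; return lowercase hex only."""
    s = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]+", s):
        raise ValueError("fingerprint is not hexadecimal")
    return s

def matches(pem: str, expected: str, algo: str = "sha1", fips: bool = False) -> bool:
    """Compare the computed fingerprint with one received out-of-band."""
    return hmac.compare_digest(fingerprint(pem, algo, fips), normalize(expected))

def command_line(pem: str, algo: str = "sha1", fips: bool = False) -> str:
    """Build the PKI domain command from step 9 for this certificate."""
    return f"root-certificate fingerprint {algo} {fingerprint(pem, algo, fips)}"

if __name__ == "__main__":
    print(command_line(SAMPLE_PEM, "sha1", fips=True))
```

Emit the command only after `matches()` succeeds against a fingerprint received through a channel independent of the one that delivered the certificate.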