R0106-HP MSR Router Series Security Configuration Guide(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR4060 Router Chassis

231

232

233

234

235

236

237

238

239

240

218

Configuring the device

1. Synchronize the system time of the device with the CA server, so that the device can correctly

request certificates or obtain CRLs.

2. Create an entity named aaa with the common name as Device.

<Device> system-view

[Device] pki entity aaa

[Device-pki-entity-aaa] common-name Device

[Device-pki-entity-aaa] quit

3. Configure a PKI domain:

# Create a PKI domain named torsa and enter its view.

[Device] pki domain torsa

# Specify the name of the trusted CA as myca.

[Device-pki-domain-torsa] ca identifier myca

# Configure the URL of the registration server in the form of http://host:port/Issuing Jurisdiction ID,

where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server.

[Device-pki-domain-torsa] certificate request url

http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337

# Specify the CA for accepting certificate requests.

[Device-pki-domain-torsa] certificate request from ca

# Specify the PKI entity name as aaa.

[Device-pki-domain-torsa] certificate request entity aaa

# Specify the URL of the CRL repository.

[Device-pki-domain-torsa] crl url http://4.4.4.133:447/myca.crl

# Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.

[Device-pki-domain-torsa] public-key rsa general name abc length 1024

[Device-pki-domain-torsa] quit

4. Generate a local RSA key pair.

[Device] public-key local create rsa name abc

The range of public key size is (512 ~ 2048).

If the key modulus is greater than 512,it will take a few minutes.

Press CTRL+C to abort.

Input the modulus length [default = 1024]:

Generating Keys...

..........................++++++

.....................................++++++

Create the key pair successfully.

5. Request a local certificate:

# Obtain the CA certificate and save it locally.

[Device] pki retrieve-certificate domain torsa ca

The trusted CA's finger print is:

MD5 fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB

SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8

Is the finger print correct?(Y/N):y

# Submit a certificate request manually. When an RSA Keon CA server is used, a password must

be specified.