R0106-HP MSR Router Series Security Configuration Guide(V7)
Configuring the device
1. Synchronize the system time of the device with the CA server, so that the device can correctly
request a certificate.
2. Create a PKI entity named aaa and set its common name to test.
<Device> system-view
[Device] pki entity aaa
[Device-pki-entity-aaa] common-name test
[Device-pki-entity-aaa] quit
3. Configure a PKI domain:
# Create a PKI domain named winserver and enter its view.
[Device] pki domain winserver
# Specify the name of the trusted CA as myca.
[Device-pki-domain-winserver] ca identifier myca
# Configure the URL of the registration server in the form of
http://host:port/certsrv/mscep/mscep.dll, where host:port is the host IP address and port number
of the CA server.
[Device-pki-domain-winserver] certificate request url http://4.4.4.1:8080/certsrv/mscep/mscep.dll
# Specify the RA to accept certificate requests.
[Device-pki-domain-winserver] certificate request from ra
# Specify the PKI entity name as aaa.
[Device-pki-domain-winserver] certificate request entity aaa
# Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.
[Device-pki-domain-winserver] public-key rsa general name abc length 1024
[Device-pki-domain-winserver] quit
4. Generate an RSA local key pair:
[Device] public-key local create rsa name abc
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512,it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
..........................++++++
.....................................++++++
Create the key pair successfully.
5. Request a local certificate:
# Obtain the CA certificate and save it locally.
[Device] pki retrieve-certificate domain winserver ca
The trusted CA's finger print is:
MD5 fingerprint:766C D2C8 9E46 845B 4DCE 439C 1C1F 83AB
SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4
Is the finger print correct?(Y/N):y
# Submit a certificate request manually.
[Device] pki request-certificate domain winserver
Start to request the general certificate ...
…
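Added example (not part of the HP guide): before answering Y at the "Is the finger print correct?" prompt in step 5, compare the displayed value with a fingerprint computed from a copy of the CA certificate obtained from the CA administrator over a separate channel. The Python code below assumes that copy is a PEM file; the sample certificate body is constructed placeholder bytes and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the CA certificate received out of band. The body is
# placeholder bytes, not a real certificate; a fingerprint is only a hash over
# the decoded DER bytes, so the comparison logic is the same for a real file.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed placeholder, not a real certificate").decode()
    + "-----END CERTIFICATE-----\n"
)

def pem_to_der(pem: str) -> bytes:
    """Extract the first certificate block and return its DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def device_style(der: bytes, algo: str = "sha1") -> str:
    """Format a digest like the CLI prompt: uppercase hex in groups of four."""
    hexd = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(hexd[i:i + 4] for i in range(0, len(hexd), 4))

def normalize(shown: str) -> str:
    """Drop an optional 'SHA1 fingerprint:' label, then spaces and colons."""
    hexd = re.sub(r"[\s:]", "", shown.split("fingerprint:")[-1]).upper()
    if not re.fullmatch(r"[0-9A-F]+", hexd):
        raise ValueError("fingerprint contains non-hex characters")
    return hexd

def fingerprint_matches(pem: str, shown: str, algo: str = "sha1") -> bool:
    """True only if the full digest of the trusted copy equals the shown value."""
    expected = normalize(device_style(pem_to_der(pem), algo))
    # Different lengths (for example a truncated paste) compare as unequal.
    return hmac.compare_digest(expected, normalize(shown))

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("MD5 fingerprint:" + device_style(der, "md5"))
    print("SHA1 fingerprint:" + device_style(der, "sha1"))
    # Value shown in the session above; it belongs to a different certificate
    # than the constructed sample, so the answer at the prompt would be N.
    shown = "SHA1 fingerprint:97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4"
    print("answer Y" if fingerprint_matches(SAMPLE_PEM, shown) else "answer N")
```

Of the two values the device prints, compare the SHA1 fingerprint in full rather than relying on the MD5 line or on the first few groups.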