R0106-HP MSR Router Series Security Configuration Guide(V7)
.....................................++++++
Create the key pair successfully.
# Obtain the CA certificate and save it locally.
[DeviceB] pki retrieve-certificate ca domain 1
# Submit a certificate request manually.
[DeviceB] pki request-certificate domain 1
# Create IKE proposal 1, and configure the authentication method as RSA digital signature.
[DeviceB] ike proposal 1
[DeviceB-ike-proposal-1] authentication-method rsa-signature
[DeviceB-ike-proposal-1] quit
# Specify the PKI domain to use in IKE negotiation for the IKE profile peer.
[DeviceB] ike profile peer
[DeviceB-ike-profile-peer] certificate domain 1
The preceding configuration covers only IKE negotiation with RSA digital signature authentication. For
information about how to configure the IPsec SAs to be set up, see "Configuring IPsec."
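The following audit script is an added example, not part of the HP guide. It scans a saved CLI transcript for the bindings this example depends on (an IKE proposal set to rsa-signature, an IKE profile with a certificate domain) and for the pki-domain binding of an SSL server policy used in the next example. The function name audit, the sample transcript, and the rule that a view name equals the entering command with spaces replaced by hyphens are assumptions drawn from the prompts shown on this page.

```python
import re

# Constructed transcript in this page's prompt format; views "weak" and "nopki" are made up.
SAMPLE = """\
[DeviceB] ike proposal 1
[DeviceB-ike-proposal-1] authentication-method rsa-signature
[DeviceB-ike-proposal-1] quit
[DeviceB] ike profile peer
[DeviceB-ike-profile-peer] certificate domain 1
[DeviceB-ike-profile-peer] quit
[DeviceB] ike profile weak
[DeviceB-ike-profile-weak] quit
[DeviceB] ssl server-policy abc
[DeviceB-ssl-server-policy-abc] pki-domain domain1
[DeviceB-ssl-server-policy-abc] quit
[DeviceB] ssl server-policy nopki
"""

PROMPT = re.compile(r"^\[([^\]\s]+)\]\s*(.*)$")
# View-name prefix (as it appears in the prompt) -> command expected in that view.
REQUIRED = {
    "ike-proposal-": "authentication-method rsa-signature",
    "ike-profile-": "certificate domain ",
    "ssl-server-policy-": "pki-domain ",
}

def audit(transcript):
    """Return sorted (view, missing command) pairs for views lacking their binding."""
    seen = {}  # view name -> commands typed inside it
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # "# ..." comments, command output, <Device> user-view lines
        prompt, cmd = m.groups()
        entered = "-".join(cmd.split())  # "ike proposal 1" -> "ike-proposal-1"
        for prefix in REQUIRED:
            pos = prompt.find("-" + prefix)
            if pos != -1:
                seen.setdefault(prompt[pos + 1:], []).append(cmd)
            elif entered.startswith(prefix):
                seen.setdefault(entered, [])  # view entered, nothing typed yet
    return sorted(
        (view, want.strip())
        for view, cmds in seen.items()
        for prefix, want in REQUIRED.items()
        if view.startswith(prefix) and not any(c.startswith(want) for c in cmds))

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result means every IKE proposal, IKE profile, and SSL server policy seen in the transcript carries the certificate-related setting. A flagged IKE proposal is only a problem where certificate authentication is intended for that peer.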
Certificate access control policy configuration example
Network requirements
The host accesses the device through HTTPS.
SSL is used to protect the device against unauthorized access.
Configure a certificate access control policy on the device to authenticate the host and verify the validity
of the host's certificates.
Figure 72 Network diagram
Before the configuration, complete the following tasks:
1. Create the PKI domain domain1 to be referenced by SSL.
2. Request a local certificate for the device from the CA server to use as the SSL server certificate.
Configuration procedure
1. Configure the HTTPS server (the device):
# Enable the HTTPS services.
<Device> system-view
# Configure the SSL policy for the HTTPS server.
[Device] ssl server-policy abc
[Device-ssl-server-policy-abc] pki-domain domain1