HP MSR4060 Router Chassis : R0106-HP MSR Router Series Security Configuration Guide(V7) : Page 7

v

Network requirements ········································································································································· 189

Configuration procedure ···································································································································· 189

Verifying the configuration ································································································································· 191

Managing public keys ············································································································································ 192

Overview ······································································································································································· 192

FIPS compliance ··························································································································································· 192

Creating a local key pair ············································································································································ 193

Configuration guidelines ···································································································································· 193

Configuration procedure ···································································································································· 193

Distributing a local host public key ···························································································································· 194

Exporting a host public key in a specific format to a file ················································································ 194

Displaying a host public key in a specific format and saving it to a file ······················································ 194

Displaying a host public key ······························································································································ 195

Destroying a local key pair ········································································································································· 195

Configuring a peer public key ···································································································································· 196

Importing a peer host public key from a public key file ·················································································· 196

Entering a peer public key ································································································································· 196

Displaying and maintaining public keys ··················································································································· 197

Public key management examples ····························································································································· 197

Example for entering a peer public key ············································································································ 197

Example for importing a public key from a public key file ············································································· 199

Configuring PKI ······················································································································································· 202

Overview ······································································································································································· 202

PKI terminology ···················································································································································· 202

PKI architecture ···················································································································································· 203

PKI operation ······················································································································································· 204

PKI applications ··················································································································································· 204

Support for MPLS L3VPN ···································································································································· 204

FIPS compliance ··························································································································································· 205

Security strength ··························································································································································· 205

PKI configuration task list ············································································································································ 205

Configuring a PKI entity ·············································································································································· 206

Configuring a PKI domain ··········································································································································· 206

Requesting a certificate ··············································································································································· 209

Configuring automatic certificate request ········································································································· 209

Manually requesting a certificate ······················································································································ 210

Aborting a certificate request ····································································································································· 211

Obtaining certificates ·················································································································································· 211

Configuration prerequisites ································································································································ 211

Configuration guidelines ···································································································································· 212

Configuration procedure ···································································································································· 212

Verifying PKI certificates ·············································································································································· 212

Verifying certificates with CRL checking ··········································································································· 212

Verifying certificates without CRL checking ······································································································ 213

Specifying the storage path for the certificates and CRLs ······················································································· 214

Exporting certificates ··················································································································································· 214

Removing a certificate ················································································································································· 215

Configuring a certificate access control policy ········································································································· 215

Displaying and maintaining PKI ································································································································· 216

PKI configuration examples ········································································································································· 217

Certificate request from an RSA Keon CA server ···························································································· 217

Certificate request from a Windows 2003 CA server ···················································································· 220

Certificate request from an OpenCA server ····································································································· 223