3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide
Certificate Request Configuration 195
Creating a Public-Private Key Pair
A pair of keys is generated during a certificate request: one public and the other
private. The private key is held by the user, while the public key and other
identifying information are sent to the CA for signature, which produces the
certificate. Each certificate has a lifetime that is set by the issuing CA. If the
private key is compromised or the current certificate is about to expire, you have to
delete the old key pair; only then can another key pair be generated for a new
certificate.
This configuration is used to generate local key pairs. If an RSA key pair already
exists, the system prompts you to confirm whether to replace it. Key pairs are named
as the IPsec module name followed by "host". The minimum length of a host key is
512 bits and the maximum length is 2,048 bits.
Perform the following configuration in system view.
By default, there is no local RSA key pair. You have to create an RSA key pair
yourself.
CAUTION:
■ If a local certificate already exists, it is not recommended to create another
key pair, because the key would no longer match the existing certificate. You
should first delete the existing certificate and then create a new key pair.
■ If a local RSA key pair exists, the newly generated key pair overwrites the
existing one.
■ The key pairs were originally intended for SSH. The local server key pair is
updated regularly, but the host key pair used in the certificate request remains
unchanged.
Configuring Polling Interval and Count
If the CA examines certificate requests in manual mode, a long time may pass
before the certificate is issued. During this period you need to query the request
status periodically, so that you obtain the certificate soon after it is issued.
Perform the following configuration in PKI domain view.
By default, the request polling message is sent 50 times at an interval of 20
minutes.
Table 201 Create and destroy an RSA key pair

Operation                      Command
Create a local RSA key pair    rsa local-key-pair create
Destroy a local RSA key pair   rsa local-key-pair destroy
Table 202 Configure polling interval and count

Operation                              Command
Configure polling interval and count   certificate request polling { interval minutes | count count }
Restore the default values             undo certificate request polling { interval | count }
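The following CLI session is an added example, not taken from the 3Com guide; it ties together the key-pair commands of Table 201 (system view) and the polling commands of Table 202 (PKI domain view). The prompt format, the system-view command used to enter system view, and the pki domain command used to enter PKI domain view are assumptions about the Comware-style CLI of this platform; the domain name ipsecdom and the polling values are constructed placeholders.

```text
# Added example, not the guide's own text. Prompts, "system-view" and "pki domain" are assumed.
<3Com> system-view                                   # enter system view (assumed command)
[3Com] rsa local-key-pair create                     # generate the host key pair (512-2,048 bits);
                                                     # if a pair exists, confirm before it is overwritten
[3Com] pki domain ipsecdom                           # enter PKI domain view (assumed; ipsecdom is a placeholder)
[3Com-pki-domain-ipsecdom] certificate request polling interval 10   # poll every 10 minutes instead of 20
[3Com-pki-domain-ipsecdom] certificate request polling count 30      # give up after 30 polls instead of 50
[3Com-pki-domain-ipsecdom] undo certificate request polling interval # restore the default 20-minute interval
```

With the defaults of 50 polls at 20-minute intervals, the switch keeps querying for roughly 16 hours and 40 minutes. A shorter interval retrieves a manually approved certificate sooner but sends more polling traffic to the CA, and a lower count shortens the window in which the request can still be picked up, so check how long the CA operator typically takes to approve requests before changing either value.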