HP VPN Firewall Appliances VPN Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

261

262

263

264

265

266

267

268

269

270

260

Configuring PKI in the Web interface

Recommended configuration procedure

The device supports the following PKI certificate request modes:

• Manual—In manual mode, you need to manually retrieve the CA certificate, generate a local RSA

key pair, and submit a local certificate request for an entity.

• Auto—In auto mode, an entity automatically requests a certificate through Simple Certification

Enrollment Protocol (SCEP, a dedicated protocol for an entity to communicate with a CA) when it

has no local certificate or the existing certificate is about to expire.

You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes

require different configurations.

Recommended configuration procedure for manual request

Ste

Remarks

1. Creating a PKI entity

Required.

Create a PKI en

tity and configure the identity information.

A certificate is the binding of a public key and the identity information of

an entity, where the distinguished name (DN) shows the identity

information of the entity. A CA identifies a certificate applicant uniquely

by an entity DN.

The DN settings of an entity must be compliant to the CA certificate issue

policy. Otherwise, the certificate request might be rejected. You must

know the policy to determine which entity parameters are mandatory or

optional.

2. Creating a PKI domain

Required.

Create a PKI domain, setting the certificate request mode to Manual.

Before requesting a PKI certificate, an entity needs to be configured with

some enrollment information, which is called a PKI domain.

A PKI domain is intended only for convenience of reference by other

applications like IKE and SSL, and has only local significance.

3. Generating an RSA key pair

Required.

Generate a local RSA key pair.

By default, no local RSA key pair exists.

Generating an RSA key pair is an important step in certificate request.

The key pair includes a public key and a private key. The private key is

kept by the user, and the public key is transferred to the CA along with

some other information.

IMPORTANT:

If a local certificate already exists, remove the certificate before generating

a new key pair to keep the consistency between the key pair and the local

certificate.