HP VPN Firewall Appliances VPN Configuration Guide
Item    Description
Fingerprint Hash
Fingerprint
Select the hash algorithm (MD5 or SHA1) and enter the fingerprint used to verify the CA root certificate.
After receiving the root certificate of the CA, the entity verifies the fingerprint of the root certificate, that is, the hash value of the certificate content. Each certificate has its own fingerprint. If the fingerprint of the received root certificate does not match the one configured for the PKI domain, the entity rejects the root certificate.
• If you specify MD5 as the hash algorithm, enter an MD5 fingerprint: a string of 32 characters in hexadecimal notation.
• If you specify SHA1 as the hash algorithm, enter a SHA1 fingerprint: a string of 40 characters in hexadecimal notation.
• If you do not specify a fingerprint hash, leave the fingerprint empty. The entity then does not verify the CA root certificate, and you must make sure yourself that the CA server is trusted.
IMPORTANT:
You must configure the fingerprint if you set the certificate request mode to Auto. If you set the certificate request mode to Manual, you can leave the fingerprint settings empty. If you do not configure the fingerprint, the entity does not verify the CA root certificate, and you must make sure yourself that the CA server is trusted. Obtain the fingerprint from the CA administrator through a channel other than the enrollment connection itself: a fingerprint read from the same connection that delivers the certificate proves nothing about the CA.
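The fingerprint the PKI domain expects is the MD5 or SHA1 hash of the root certificate's DER encoding, written as 32 or 40 hexadecimal characters. The following is an added example, not code from the HP guide or the appliance firmware: it derives that value from a PEM or DER certificate file, normalizes an operator-entered fingerprint (colons, spaces and upper-case hex are common in CA tooling output), and performs the comparison the entity makes after retrieving the root certificate. The sample certificate bytes (SAMPLE_DER) are a constructed placeholder, not a real certificate; the function and parameter names are this example's own.

```python
"""Compute and verify a CA root certificate fingerprint.

Added example, not code from the HP guide: the fingerprint a PKI domain
expects is the MD5 or SHA1 hash of the DER-encoded root certificate,
written as 32 or 40 hexadecimal characters. The functions below derive
that value from a PEM or DER certificate and perform the comparison the
entity makes after retrieving the root certificate. SAMPLE_DER is a
constructed placeholder, not a real certificate.
"""
import base64
import hashlib
import hmac
import re
from typing import Optional

# Hex length of each fingerprint type the PKI domain accepts.
FINGERPRINT_HEX_LEN = {"md5": 32, "sha1": 40}

# Constructed placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")


def pem_to_der(data: bytes) -> bytes:
    """Return DER bytes from either a PEM-armored certificate or raw DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  data, re.S)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def fingerprint(cert: bytes, algorithm: str) -> str:
    """Lower-case hex fingerprint of the certificate's DER encoding."""
    algorithm = algorithm.lower()
    if algorithm not in FINGERPRINT_HEX_LEN:
        raise ValueError("fingerprint hash must be MD5 or SHA1")
    return hashlib.new(algorithm, pem_to_der(cert)).hexdigest()


def normalize_fingerprint(value: str, algorithm: str) -> str:
    """Normalize an operator-entered fingerprint: strip colons and spaces,
    lower-case it, and require exactly 32 (MD5) or 40 (SHA1) hex digits."""
    digits = re.sub(r"[\s:]", "", value).lower()
    expected = FINGERPRINT_HEX_LEN[algorithm.lower()]
    if len(digits) != expected or not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError(f"{algorithm} fingerprint must be {expected} hex characters")
    return digits


def is_valid_fingerprint(value: str, algorithm: str) -> bool:
    """True if the entered string is an acceptable fingerprint for the algorithm."""
    try:
        normalize_fingerprint(value, algorithm)
        return True
    except (ValueError, KeyError):
        return False


def verify_root_certificate(cert: bytes, configured: Optional[str],
                            algorithm: str = "sha1",
                            allow_unverified: bool = False) -> bool:
    """The check the entity performs on a retrieved CA root certificate.
    A missing fingerprint is accepted only when allow_unverified is set,
    which is the guide's 'you must make sure the CA server is trusted' case."""
    if configured is None:
        return allow_unverified
    expected = normalize_fingerprint(configured, algorithm)
    # Constant-time comparison; both sides are already lower-case hex.
    return hmac.compare_digest(fingerprint(cert, algorithm), expected)


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_PEM, "sha1")
    print("SHA1 fingerprint:", fp)
    print("accepted:", verify_root_certificate(SAMPLE_DER, fp.upper()))
    print("tampered accepted:",
          verify_root_certificate(SAMPLE_DER + b"\x00", fp))
```

To obtain the value to type into the PKI domain, run the equivalent computation on the CA side (for example `openssl x509 -in ca.crt -noout -fingerprint -sha1`, which prints colon-separated upper-case hex that the normalization above accepts) and carry the result to the firewall out of band. Where the CA tooling offers both algorithms, prefer SHA1 over MD5.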
Polling Count
Polling Interval
Set the attempt limit (Polling Count) and the polling interval (Polling Interval) for querying the certificate request status.
After an entity submits a certificate request, the CA may take a long time to sign it if it verifies the request manually. During this period, the applicant queries the status of the request periodically so that it obtains the certificate as soon as it is signed. These two items control that polling: the entity queries at most Polling Count times, waiting Polling Interval between queries.
Enable CRL Checking
Select this box to require CRL checking during certificate verification.
CRL Update Period
Enter the CRL update period, that is, the interval at which the PKI entity downloads the latest CRL.
This item is available only after you select the Enable CRL Checking box.
By default, the CRL update period is derived from the next update field of the CRL file.
IMPORTANT:
A manually configured CRL update period takes precedence over the one specified in the CRL file. If you set it longer than the interval at which the CA publishes CRLs, the entity keeps checking against a CRL that may already have been superseded, so certificates revoked in the meantime are still accepted until the next download.
CRL URL
Enter the URL of the CRL distribution point. The host part of the URL can be an IP address or a domain name.
This item is available only after you select the Enable CRL Checking box.
If no CRL distribution point URL is set, first obtain the CA certificate and a local certificate, and then obtain the CRL through SCEP.
The following matrix shows the maximum number of PKI domains that can be created on different firewalls and firewall modules:

Hardware                 Upper limit
F1000-A-EI/F1000-S-EI    32
F1000-E                  32
F5000                    32
F5000-S/F5000-C          32