HP VPN Firewall Appliances VPN Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

291

292

293

294

295

296

297

298

299

300

289

Configuring a PKI domain

Before requesting a PKI certificate, an entity needs to be configured with some enrollment information,

which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other

applications like IKE and SSL, and has only local significance. The PKI domain configured on a device

is invisible to the CA and other devices, and each PKI domain has its own parameters.

A PKI domain is defined by these parameters:

• Trusted CA—An entity requests a certificate from a trusted CA.

• Entity—A certificate applicant uses an entity to provide its identity information to a CA.

• RA—Generally, an independent RA is in charge of certificate request management. It receives the

registration request from an entity, examines its qualification, and determines whether to ask the CA

to sign a digital certificate. The RA only examines the application qualification of an entity. It does

not issue any certificate. Sometimes, the registration management function is provided by the CA,

in which case no independent RA is required. HP recommends you to deploy an independent RA.

• URL of the registration server—An entity sends a certificate request to the registration server

through SCEP, a dedicated protocol for an entity to communicate with a CA.

• Polling interval and count—After an applicant makes a certificate request, the CA might need a

long period of time if it verifies the certificate request manually. During this period, the applicant

needs to query the status of the request periodically to get the certificate as soon as possible after

the certificate is signed. You can configure the polling interval and count to query the request status.

• IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs.

If this is the case, you need to configure the IP address of the LDAP server.

• Fingerprint for root certificate verification—After receiving the root certificate of the CA, an entity

needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate

content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not

match the one configured for the PKI domain, the entity will reject the root certificate.

To configure a PKI domain:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Create a PKI domain and

enter its view.

pki domain domain-name No PKI domain exists by default.

3. Specify the trusted CA.

ca identifier name

No trusted CA is specified by

default.

The CA name is required only

when you retrieve a CA certificate.

It is not used for local certificate

request.

4. Specify the entity for

certificate request.

certificate request entity

entity-name

No entity is specified by default.

The specified entity must exist.

5. Specify the authority for

certificate request.

certificate request from { ca | ra }

No authority is specified by

default.

6. Configure the URL of the

server for certificate request.

certificate request url url-string

No URL is configured by default.

The URL does not support domain

name resolution.