HP VPN Firewall Appliances VPN Configuration Guide

Step 7. Configure the polling interval and attempt limit for querying the certificate request status.
    Command: certificate request polling { count count | interval minutes }
    Remarks: Optional. By default, the status is polled up to 50 times at an interval of 20 minutes.

Step 8. Specify the LDAP server.
    Command: ldap-server ip ip-address [ port port-number ] [ version version-number ]
    Remarks: Optional. No LDAP server is specified by default.

Step 9. Configure the fingerprint for root certificate verification.
    Command: root-certificate fingerprint { md5 | sha1 } string
    Remarks: Required when the certificate request mode is auto; optional when the certificate request mode is manual. In the manual case, if you do not configure this command, the fingerprint of the root certificate must be verified manually. No fingerprint is configured by default.
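The remark for step 9 leaves the root certificate fingerprint to be verified by hand when no fingerprint is configured in manual mode. The following Python example is added here and is not part of the guide or of HP's firewall software; it assumes the reference fingerprint was obtained from the CA out of band, and shows the check an operator performs: hash the DER encoding of the root certificate with the MD5 or SHA-1 algorithm the command offers and compare the result in constant time. The sample certificate bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a PEM-armored root certificate. The body is the
# base64 of b"abc"; a real root certificate would be the CA's DER bytes.
SAMPLE_ROOT_PEM = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

# The two algorithms accepted by "root-certificate fingerprint { md5 | sha1 }".
SUPPORTED = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def load_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate supplied as either DER or PEM."""
    match = PEM_RE.search(data)
    if match is None:
        return data  # no PEM armor present: treat the input as DER already
    body = b"".join(match.group(1).split())  # strip line breaks in the base64 body
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algo: str) -> str:
    """Lowercase hex fingerprint of the DER certificate under the given algorithm."""
    try:
        digest = SUPPORTED[algo.lower()]
    except KeyError:
        raise ValueError(f"unsupported fingerprint algorithm: {algo}") from None
    return digest(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' and return lowercase hex without separators."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def verify_root_fingerprint(cert: bytes, algo: str, configured: str) -> bool:
    """True only if the certificate's fingerprint equals the out-of-band value.

    hmac.compare_digest keeps the comparison constant-time, so the result does
    not depend on how many leading characters happened to match.
    """
    actual = fingerprint(load_der(cert), algo)
    return hmac.compare_digest(actual, normalize(configured))


if __name__ == "__main__":
    print(fingerprint(load_der(SAMPLE_ROOT_PEM), "sha1"))
```

Of the two algorithms the command offers, prefer sha1: MD5 collisions are practical, so an MD5 fingerprint gives weaker assurance that the retrieved CA certificate is the one the CA published.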
The following matrix shows the maximum number of PKI domains that can be created on different
firewalls and firewall modules:
Hardware                          Upper limit
F1000-A-EI/F1000-S-EI             32
F1000-E                           32
F5000                             32
F5000-S/F5000-C                   32
VPN firewall modules              32
20-Gbps VPN firewall modules      2
Requesting a PKI certificate
When requesting a certificate, an entity introduces itself to the CA by providing its identity information
and public key, which become the major components of the certificate. A certificate request can be
submitted to a CA in offline mode or online mode. In offline mode, the request is submitted to the CA by
an "out-of-band" means such as phone, disk, or email.
Online certificate requests fall into two modes: manual and auto.
Requesting a certificate in auto mode
In auto mode, an entity automatically requests a certificate from the CA server when it has no local certificate
for an application that works with PKI. For example, when PKI certificate authentication is used and no local
certificate is available during IKE negotiation, the entity automatically requests one and saves the local
certificate after retrieving it from the CA. If the PKI domain has no CA certificate before the entity submits
the certificate request, the entity automatically retrieves the CA certificate first.
If an automatically requested certificate is about to expire or has expired, the entity does not automatically
re-request it from the CA, and the services that use the certificate might be interrupted.