Manualshelf

HP VPN Firewall Appliances VPN Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module
311312313314315316317318319320
305
[Firewall-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn
apple
[Firewall-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
[Firewall-pki-cert-attribute-group-mygroup2] quit
3. Create the certificate attribute-based access control policy of myacp and add two access control
rules:
[Firewall] pki certificate access-control-policy myacp
[Firewall-pki-cert-acp-myacp] rule 1 deny mygroup1
[Firewall-pki-cert-acp-myacp] rule 2 permit mygroup2
[Firewall-pki-cert-acp-myacp] quit
4. Apply the SSL server policy and certificate attribute-based access control policy to HTTPS service
and enable HTTPS service:
# Apply SSL server policy myssl to HTTPS service.
[Firewall] ip https ssl-server-policy myssl
# Apply the certificate attribute-based access control policy of myacp to HTTPS service.
[Firewall] ip https certificate access-control-policy myacp
# Enable HTTPS service.
[Firewall] ip https enable
Troubleshooting PKI
Failed to retrieve a CA certificate
Symptom
Failed to retrieve a CA certificate.
Analysis
Possible reasons include:
The network connection is not proper. For example, the network cable might be damaged or loose.
No trusted CA is specified.
The URL of the registration server for certificate request is not correct or not configured.
No authority is specified for certificate request.
The system clock of the device is not synchronized with that of the CA.
Solution
1. Make sure the network connection is physically proper.
2. Check that the required commands are configured properly.
3. Use the ping command to verify that the RA server is reachable.
4. Specify the authority for certificate request.
5. Synchronize the system clock of the device with that of the CA.