HP MSR Series Configuration Manual page 265
Hpe flexnetwork msr router series
Hide thumbs
Also See for MSR Series:
- Configuration manual (889 pages) ,
- Command reference manual (684 pages) ,
- Wan access configuration manual (293 pages)
Table of Contents
Advertisement
Step
7.
(Optional.) Set the
SCEP polling interval
and maximum
number of polling
attempts.
8.
(Optional.) Specify the
LDAP server.
9.
Enter a fingerprint to
be matched against
the fingerprint of the
root CA certificate.
10. Specify the key pair
for certificate request.
11. (Optional.) Specify the
intended use for the
certificate.
Command
certificate request polling { count
count | interval minutes }
ldap-server host hostname [ port
port-number ] [ vpn-instance
vpn-instance-name ]
•
In non-FIPS mode:
root-certificate fingerprint { md5 |
sha1 } string
•
In FIPS mode:
root-certificate fingerprint sha1
string
•
Specify an RSA key pair:
public-key rsa { { encryption
name encryption-key-name
[ length key-length ] | signature
name signature-key-name [ length
key-length ] } * | general name
key-name [ length key-length ] }
•
Specify an ECDSA key pair:
public-key ecdsa name key-name
[ secp192r1 | secp256r1 |
secp384r1 ]
•
Specify a DSA key pair:
public-key dsa name key-name
[ length key-length ]
usage { ike | ssl-client | ssl-server } *
250
Remarks
By default, the device polls the CA
server for the certificate request
status every 20 minutes. The
maximum number of polling
attempts is 50.
This task is required only when
the CRL repository is an LDAP
server and the URL of the CRL
repository does not contain the
host name of the LDAP server.
By default, no LDAP server is
specified.
Before a PKI entity can enroll with
a CA, it must authenticate the CA
by obtaining the self-signed
certificate of the CA and verifying
the fingerprint of the CA
certificate.
If a fingerprint is not entered in the
PKI domain, and if the CA
certificate is imported or obtained
through manual certificate
request, you must verify the
fingerprint that is displayed during
authentication of the CA
certificate.
If the CA certificate is obtained
through automatic certificate
request, the certificate will be
rejected if a fingerprint has not
been entered.
By default, no fingerprint is
specified.
By default, no key pair is
specified.
If the specified key pair does not
exist, the PKI entity automatically
creates the key pair before
submitting a certificate request.
For information about how to
generate DSA, ECDSA, and RSA
key pairs, see
"Managing public
keys."
By default, the certificate can be
used by all applications, including
IKE, SSL clients, and SSL server.
The extension options contained
in an issued certificate depend on
the CA policy, and they might be
different from those specified in
the PKI domain.
- Quick Links:
- Configuring Local Users
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
