HP 5120 SI Series Security Configuration Manual page 244

NOTE:
The CA server runs RSA Keon in this configuration example.
Network requirements
The device submits a local certificate request to the CA server.
•
• The device acquires the CRLs for certificate verification.
Figure 77 Request a certificate from a CA running RSA Keon
Configuration procedure
1. Configure the CA server:
# Create a CA server named myca.
In this example, you must first configure these basic attributes on the CA server:
Nickname—Name of the trusted CA.
Subject DN—DN information of the CA, including the Common Name (CN), Organization
Unit (OU), Organization (O), and Country (C).
Use the default values of other attributes.
# Configure extended attributes.
After configuring the basic attributes, you need to perform configuration on the jurisdiction
configuration page of the CA server. This includes selecting the proper extension profiles,
enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting.
# Configure the CRL distribution behavior.
After completing the configuration, you need to perform CRL related configurations. In this
example, select the local CRL distribution mode of HTTP and set the HTTP URL to
http://4.4.4.133:447/myca.crl.
After the configuration, make sure that the system clock of the device is synchronous to that of the
CA, so that the device can request certificates and retrieve CRLs properly.
2. Configure the switch:
Configure the entity DN
# Configure the entity name as aaa and the common name as switch.
<Switch> system-view
[Switch] pki entity aaa
[Switch-pki-entity-aaa] common-name switch
[Switch-pki-entity-aaa] quit
Configure the PKI domain
# Create PKI domain torsa and enter its view.
[Switch] pki domain torsa
# Configure the name of the trusted CA as myca.
232