Entering a peer public key ································································································································· 113

Displaying and maintaining public keys ··················································································································· 113

Example for inputting a peer public key ··················································································································· 113

Example for importing a public key from a public key file ····················································································· 115

Configuring PKI ······················································································································································· 118

Overview ······································································································································································· 118

PKI terminology ···················································································································································· 118

PKI architecture ···················································································································································· 119

PKI operation ······················································································································································· 119

PKI applications ··················································································································································· 120

PKI across VPNs ·················································································································································· 120

PKI configuration task list ············································································································································ 120

Configuring a PKI entity ·············································································································································· 121

Configuring a PKI domain ··········································································································································· 122

Requesting a certificate ··············································································································································· 124

Configuring automatic certificate request ········································································································· 125

Manually requesting a certificate ······················································································································ 125

Aborting a certificate request ····································································································································· 126

Obtaining certificates ·················································································································································· 127

Configuration prerequisites ································································································································ 127

Configuration guidelines ···································································································································· 127

Configuration procedure ···································································································································· 127

Verifying PKI certificates ·············································································································································· 128

Verifying certificates with CRL checking ··········································································································· 128

Verifying certificates without CRL checking ······································································································ 129

Specifying the storage path for the certificates and CRLs ······················································································· 129

Exporting certificates ··················································································································································· 129

Removing a certificate ················································································································································· 130

Configuring a certificate access control policy ········································································································· 131

Displaying and maintaining PKI ································································································································· 132

PKI configuration examples ········································································································································· 132

Certificate request from an RSA Keon CA server ···························································································· 132

Certificate request from a Windows 2003 CA server ···················································································· 135

Certificate request from an OpenCA server ····································································································· 138

Certificate import and export configuration example ····················································································· 141

Troubleshooting PKI configuration ······························································································································ 146

Failed to obtain the CA certificate ····················································································································· 147

Failed to obtain local certificates ······················································································································· 147

Failed to request local certificates ····················································································································· 148

Failed to obtain CRLs ·········································································································································· 149

Failed to import the CA certificate ····················································································································· 149

Failed to import a local certificate ····················································································································· 150

Failed to export certificates ································································································································ 150

Failed to set the storage path ····························································································································· 151

Configuring SSH ····················································································································································· 152

How SSH works ··················································································································································· 152

SSH authentication methods ······························································································································· 153

Configuring the device as an SSH server ·················································································································· 154

SSH server configuration task list ······················································································································ 154

Generating local DSA or RSA key pairs ··········································································································· 154

Enabling the SSH server function ······················································································································· 155