HP 5120 EI Switch Series Configuration Manual page 254

Configure Device to work as the HTTPS server and request a certificate for Device.

Request a certificate for Host so that Device can authenticate the identity of Host.

Configure a CA server to issue certificates to Device and Host.

NOTE:

In this example, Windows Server works as the CA server and the Simple Certificate Enrollment Protocol (SCEP)
plug-in is installed on the CA server.

Before performing the following configurations, ensure that the device, the host, and the CA server can reach
each other.
Figure 74 Network diagram for SSL server policy configuration
10.1.1.1/24
10.1.1.2/24
Host
Configuration procedure
Configure the HTTPS server (Device)
1.
# Create a PKI entity named en, and configure the common name as http-server1 and the FQDN as
ssl.security.com.
<Device> system-view
[Device] pki entity en
[Device-pki-entity-en] common-name http-server1
[Device-pki-entity-en] fqdn ssl.security.com
[Device-pki-entity-en] quit
# Create PKI domain 1, specify the trusted CA as ca server, the URL of the registration server as
http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request as RA, and the entity for
certificate request as en.
[Device] pki domain 1
[Device-pki-domain-1] ca identifier ca server
[Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Device-pki-domain-1] certificate request from ra
[Device-pki-domain-1] certificate request entity en
[Device-pki-domain-1] quit
# Create the local RSA key pairs.
[Device] public-key local create rsa
# Retrieve the CA certificate.
[Device] pki retrieval-certificate ca domain 1
# Request a local certificate for Device.
[Device] pki request-certificate domain 1
Device
10.1.2.1/24
10.1.2.2/24
CA
244