H3C S5120-SI Series Configuration Manual page 703

device requires the users log in to the Web page through HTTPS and authenticates the users using SSL,
and ensures that the transmitted data will not be spoofed and tampered.
To meet the requirements, perform the following:
Configure Device as the HTTPS server and apply a certificate for Device.
Apply a certificate for the HTTPS client Host for Device to authenticate it.
The name of the CA (Certificate Authority) that issues certificate to Device and Host is new-ca.
In this configuration example, Windows Server serves as CA and you need to install Simple
Certificate Enrollment Protocol (SCEP) component.
Before the following configurations, ensure that there is an available route between Device, Host
and CA.
Figure 2-1 Network diagram for HTTPS configuration
Configuration procedure
1) Configure the HTTPS server Device:
# Configure PKI entity en, and specify its common name as http-server1, and FQDN as
ssl.security.com.
<Device> system-view
[Device] pki entity en
[Device-pki-entity-en] common-name http-server1
[Device-pki-entity-en] fqdn ssl.security.com
[Device-pki-entity-en] quit
# Configure a PKI domain 1, specify the trusted CA as new-ca, the URL of the server for certificate
request as http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request as RA, and
the entity name as en.
[Device] pki domain 1
[Device-pki-domain-1] ca identifier new-ca
[Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Device-pki-domain-1] certificate request from ra
[Device-pki-domain-1] certificate request entity en
[Device-pki-domain-1] quit
2-5