Requesting A Certificate - HP MSR2000 Configuration Manual
Hide thumbs
Also See for MSR2000:
- Configuration manual (455 pages) ,
- Manual (73 pages) ,
- High availability configuration manual (91 pages)
Table of Contents
Advertisement
Step
9.
Specify the fingerprint
for root certificate
verification.
10.
Specify the key pair for
certificate request.
11.
(Optional.) Specify the
extended application
of the certificate.
12.
Specify the source IP
address for the PKI
protocol packets.
Requesting a certificate
To request a certificate, a PKI entity must provide its identity information and public key to a CA.
A certificate request can be submitted to a CA in offline or online mode.
Offline mode—A certificate request is submitted by an out-of-band means, such as phone, disk, or
•
email. You can use this mode as required or if you fail to request a certificate in online mode.
Command
•
In non-FIPS mode:
root-certificate fingerprint { md5 |
sha1 } string
•
In FIPS mode:
root-certificate fingerprint sha1 string
•
Specify an RSA key pair:
public-key rsa { { encryption name
encryption-key-name [ length
key-length ] | signature name
signature-key-name [ length
key-length ] } * | general name
key-name [ length key-length ] }
•
Specify a DSA key pair:
public-key dsa name key-name
[ length key-length ]
usage { ike | ssl-client | ssl-server } *
•
Specify the source IPv4 address for the
PKI protocol packets:
source ip { ip-address | interface
{interface-type interface-number }
•
Specify the source IPv6 address for the
PKI protocol packets:
source ipv6 { ipv6-address | interface
{ interface-type interface-number }}
105
Remarks
Optional if you manually request
local certificates.
If you want to verify the fingerprint
manually, do not configure this
command.
By default, no fingerprint is
specified.
Use either command.
By default, no key pair is specified.
You can specify a non-existing key
pair, which is generated during the
certificate application.
For information about how to
generate DSA and RSA key pairs,
see "Managing public keys."
By default, the certificate is for all
extended applications, including
IKE, SSL clients, and SSL server.
The extension of a certificate
depends on the certificate user,
and it is not limited by PKI.
The extension options contained in
an issued certificate depend on the
CA policy, and they might be
different from those specified in the
PKI domain.
Required if the CA policy defines
the CA server to accept requests
from a specific IP address or
subnet.
Use one of the commands.
By default, the source IP address is
the outgoing interface IP address of
the route to the CA.
Advertisement
Table of Contents
Troubleshooting
