Certificate Domain - HP 5920 Command Reference Manual

certificate domain

Use certificate domain to specify a PKI domain for IKE signatures.
Use undo certificate domain to remove the specified PKI domain configuration.
Syntax
certificate domain domain-name
undo certificate domain domain-name
Default
No PKI domain is specified for IKE negotiation.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. If no
PKI domain is specified, all PKI domains configured on the device are used for enrollment, authentication,
certificate issuing, validation, and signature.
Usage guidelines
You can specify up to 6 PKI domains for an IKE profile.
IKE can use the PKI domain to automatically obtain the CA certificate, and then request a local certificate.
If the CA certificate exists, the IKE requests a local certificate.
On the initiator: If the IKE profile has a PKI domain, the initiator automatically obtains the CA
•
certificate. If the IKE profile has no PKI domain, you must manually obtain the CA certificate.
On the responder: During the IKE negotiation phase 1,
•
If main mode is used, the responder does not automatically obtain the CA certificate. You must
manually request the CA certificate.
If aggressive mode is used, the responder does not automatically obtain the CA certificate
unless a matching IKE profile is found and an IKE domain is specified in the profile.
Examples
# Specify the PKI domain abc for IKE profile 1.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] certificate domain abc
Related commands
authentication-method
•
• pki domain
368