H3C S5830V2 Security Configuration Manual page 11

Table of Contents

FIPS compliance ... 128
PKI configuration task list ... 128
Configuring a PKI entity ... 128
Configuring a PKI domain ... 129
Requesting a certificate ... 131
  Configuring automatic certificate request ... 132
  Manually requesting a certificate ... 133
Aborting a certificate request ... 134
Obtaining certificates ... 134
  Configuration prerequisites ... 134
  Configuration guidelines ... 135
  Configuration procedure ... 135
Verifying PKI certificates ... 135
  Verifying certificates with CRL checking ... 135
  Verifying certificates without CRL checking ... 136
Specifying the storage path for the certificates and CRLs ... 136
Exporting certificates ... 137
Removing a certificate ... 138
Configuring a certificate access control policy ... 138
Displaying and maintaining PKI ... 139
PKI configuration examples ... 139
  Certificate request from an RSA Keon CA server ... 140
  Certificate request from a Windows 2003 CA server ... 142
  Certificate request from an OpenCA server ... 146
  Certificate import and export configuration example ... 149
Troubleshooting PKI configuration ... 155
  Failed to obtain the CA certificate ... 155
  Failed to obtain local certificates ... 155
  Failed to request local certificates ... 156
  Failed to obtain CRLs ... 157
  Failed to import the CA certificate ... 157
  Failed to import a local certificate ... 158
  Failed to export certificates ... 158
  Failed to set the storage path ... 159

Configuring SSH ... 160
Overview ... 160
  How SSH works ... 160
  SSH authentication methods ... 161
FIPS compliance ... 162
Configuring the device as an SSH server ... 162
  SSH server configuration task list ... 162
  Generating local DSA or RSA key pairs ... 162
  Enabling the SSH server function ... 163
  Enabling the SFTP server function ... 164
  Configuring the user interfaces for Stelnet clients ... 164
  Configuring a client's host public key ... 164
  Configuring an SSH user ... 165
  Setting the SSH management parameters ... 167
Configuring the device as an Stelnet client ... 168
  Stelnet client configuration task list ... 168
  Specifying a source IP address or source interface for the Stelnet client ... 168
  Establishing a connection to an Stelnet server ... 168
Configuring the device as an SFTP client ... 171
  SFTP client configuration task list ... 171

This manual is also suitable for:

S5820v2
