H3C S5830V2 Security Configuration Manual page 144


After receiving a CA root certificate that does not exist locally, the PKI entity verifies the fingerprint of the root certificate in the following cases:

• For an obtained or imported CA root certificate, if its fingerprint does not match the one configured for the PKI domain, the device rejects the root certificate, and the obtain or import operation fails. If you do not specify the fingerprint for the PKI domain, the system asks you to verify the fingerprint manually.

• For an obtained CA root certificate in an automatic local certificate request process that an application triggers, if its fingerprint does not match the one configured for the PKI domain, the device rejects the root certificate, and the local certificate request fails. If you do not specify the fingerprint for the PKI domain, the local certificate request fails.
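The decision rule described above, written out as an added example in Python; this is not H3C code and not part of the manual. It assumes the fingerprint is a SHA-1 or SHA-256 digest over the certificate's DER encoding (the standard definition), accepts fingerprints typed with or without colon separators, and uses a constructed byte string in place of a real X.509 certificate. The trigger kinds (operator obtain/import versus application-triggered automatic request) are modelled as an enum; the device's own CLI and internal state are not.

```python
"""Root-CA fingerprint check modelled on the two cases in the manual.

Added example, not H3C code. Fingerprint = SHA-1 or SHA-256 over the DER
encoding of the certificate. The sample certificate bytes are constructed
and are NOT a real X.509 certificate; only the hashing and decision logic
are exercised.
"""
import base64
import hashlib
import hmac
import re
from enum import Enum
from typing import Optional


class Trigger(Enum):
    MANUAL = "obtain-or-import"      # operator obtains or imports the CA certificate
    AUTOMATIC = "auto-request"       # application-triggered local certificate request


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"                          # operation / request fails
    VERIFY_MANUALLY = "operator-must-verify"   # no fingerprint configured, manual path


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the body to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Lowercase hex digest of the DER encoding."""
    if algo not in ("sha1", "sha256"):
        raise ValueError("unsupported fingerprint algorithm")
    return hashlib.new(algo, der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex; return lowercase bare hex."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if len(cleaned) not in (40, 64):
        raise ValueError("fingerprint must be SHA-1 (40 hex) or SHA-256 (64 hex)")
    return cleaned


def check_root_cert(der: bytes, configured_fp: Optional[str], trigger: Trigger) -> Verdict:
    """Apply the manual's rule to a root certificate that does not yet exist locally.

    - fingerprint configured and matches      -> ACCEPT
    - fingerprint configured and mismatches   -> REJECT (obtain/import or request fails)
    - no fingerprint, manual obtain/import    -> operator is asked to verify it
    - no fingerprint, automatic request       -> REJECT (local certificate request fails)
    """
    if configured_fp is None:
        return Verdict.VERIFY_MANUALLY if trigger is Trigger.MANUAL else Verdict.REJECT
    expected = normalize(configured_fp)
    algo = "sha1" if len(expected) == 40 else "sha256"
    actual = fingerprint(der, algo)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return Verdict.ACCEPT if hmac.compare_digest(actual, expected) else Verdict.REJECT


# Constructed stand-in for a DER certificate (not a real certificate).
SAMPLE_DER = b"constructed-stand-in-not-a-real-x509-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


def colon_form(hexdigest: str) -> str:
    """Render a hex digest as upper-case 'AB:CD:..' as many tools display it."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)).upper()


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    good = colon_form(fingerprint(der))
    for trig in Trigger:
        print(trig.value, "match:", check_root_cert(der, good, trig).value)
        print(trig.value, "mismatch:", check_root_cert(der, "00" * 32, trig).value)
        print(trig.value, "unconfigured:", check_root_cert(der, None, trig).value)
```

Run it directly to see all six outcomes; the same functions can be pointed at a real PEM file by replacing SAMPLE_PEM with the file's contents.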
To configure a PKI domain:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a PKI domain and enter its view.
   Command: pki domain domain-name
   Remarks: By default, no PKI domains exist.

3. Specify the trusted CA.
   Command: ca identifier name
   Remarks: By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be provided. The trusted CA name is in SCEP messages, and the CA server does not use this name unless the server has two CAs configured with the same registration server.

4. Specify the entity for certificate request.
   Command: certificate request entity entity-name
   Remarks: By default, no entity is specified.

5. Specify the authority for accepting certificate requests.
   Command: certificate request from { ca | ra }
   Remarks: By default, no authority is specified.

6. Specify the URL of the registration server for certificate request.
   Command: certificate request url url-string [ vpn-instance vpn-instance-name ]
   Remarks: By default, the URL of the registration server is not specified. Do not configure this command when you request a certificate in offline mode.

7. (Optional.) Set the polling interval and maximum number of attempts for querying the certificate request status.
   Command: certificate request polling { count count | interval minutes }
   Remarks: By default, the polling interval is 20 minutes, and the maximum number of attempts is 50.

8. Specify the LDAP server.
   Command: ldap-server host hostname [ port port-number ] [ vpn-instance vpn-instance-name ]
   Remarks: Required when the LDAP server acts as the CRL repository, or the URL of the CRL repository does not contain the host name. By default, no LDAP server is specified.

This manual is also suitable for: S5820V2