HP FlexNetwork NJ5000 User Manual page 344

Item Description
information.
Available PKI entities are those that have been configured.
Select the authority for certificate request.
•
Institution
•
RA is recommended.
Enter the URL of the RA.
The entity will submit the certificate request to the server at this URL through the SCEP
protocol. The SCEP protocol is intended for communication between an entity and an
authentication authority.
Requesting URL
In offline mode, this item is optional. In other modes, this item is required.
This item does not support domain name resolution.
LDAP IP
Enter the IP address, port number and version of the LDAP server.
Port
In a PKI system, the storage of certificates and CRLs is a crucial problem, which is
usually addressed by deploying an LDAP server..
Version
Request Mode Select the online certificate request mode, which can be auto or manual.
Password
Set a password for certificate revocation and re-enter it for confirmation.
The two boxes are available only when the certificate request mode is set to Auto..
Confirm Password
Fingerprint Hash Specify the fingerprint used for verifying the CA root certificate.
After receiving the root certificate of the CA, an entity needs to verify the fingerprint of
the root certificate, namely, the hash value of the root certificate content. This hash
value is unique to every certificate. If the fingerprint of the root certificate does not
match the one configured for the PKI domain, the entity will reject the root certificate.
•
•
Fingerprint
•
The fingerprint must be configured if you specify the certificate request mode as Auto.
If you specify the certificate request mode as Manual, you can leave the fingerprint
settings null. If you do not configure the fingerprint, the entity will not verify the CA root
certificate and you yourself must make sure the CA server is trusted.
Polling Count Set the polling interval and attempt limit for querying the certificate request status.
After an entity makes a certificate request, the CA might need a long period of time if it
verifies the certificate request in manual mode. During this period, the applicant needs
Polling Interval
to query the status of the request periodically to get the certificate as soon as possible
after the certificate is signed..
Enable CRL
Select this box to specify that CRL checking is required during certificate verification.
Checking
Enter the CRL update period, that is, the interval at which the PKI entity downloads the
latest CRLs.
CRL Update
Period This item is available after you click the Enable CRL Checking box.
By default, the CRL update period depends on the next update field in the CRL file.
CRL URL
Enter the URL of the CRL distribution point. The URL can be an IP address or a domain
CA—Indicates that the entity requests a certificate from a CA.
RA—Indicates that the entity requests a certificate from an RA.
IMPORTANT:
If you specify MD5 as the hash algorithm, enter an MD5 fingerprint. The
fingerprint must a string of 32 characters in hexadecimal notation.
If you specify SHA1 as the hash algorithm, enter an SHA1 fingerprint. The
fingerprint must a string of 40 characters in hexadecimal notation.
If you do not specify the fingerprint hash, do not enter any fingerprint. The entity
will not verify the CA root certificate, and you yourself must make sure the CA
server is trusted.
IMPORTANT:
332