HP 5120 SI Series Security Configuration Manual page 237


applications like IKE and SSL, and has only local significance. The PKI domain configured on a device
is invisible to the CA and other devices, and each PKI domain has its own parameters.
A PKI domain is defined by these parameters:

Trusted CA—An entity requests a certificate from a trusted CA.

Entity—A certificate applicant uses an entity to provide its identity information to a CA.

RA—Generally, an independent RA is in charge of certificate request management. It receives the registration request from an entity, checks its qualification, and determines whether to ask the CA to sign a digital certificate. The RA only checks the application qualification of an entity; it does not issue any certificate. Sometimes, the registration management function is provided by the CA, in which case no independent RA is required. You should deploy an independent RA.

URL of the registration server—An entity sends a certificate request to the registration server through the Simple Certificate Enrollment Protocol (SCEP), a dedicated protocol for an entity to communicate with a CA.

Polling interval and count—After an applicant makes a certificate request, the CA might need a long period of time if it verifies the certificate request manually. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed. You can configure the polling interval and count to query the request status.

IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you need to configure the IP address of the LDAP server.

Fingerprint for root certificate verification—Upon receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity rejects the root certificate.
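The fingerprint check described above, as an added Python example that is not from the manual or from HP's code: it hashes the content of a received root certificate (DER, or PEM decoded to DER) and compares the result with the fingerprint configured for the PKI domain, rejecting the certificate on any mismatch. The certificate bytes are a constructed stand-in, not a real certificate, and the md5/sha1 choice mirrors the two hash types named here.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the DER encoding of a CA root certificate.
# It is NOT a real certificate; the check only hashes the bytes it is given.
SAMPLE_ROOT_DER = bytes(range(256))


def to_der(cert: bytes) -> bytes:
    """Return the DER bytes of a certificate supplied as DER or PEM."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----(BEGIN|END)[^-]*-----", b"", cert)
        return base64.b64decode(b"".join(body.split()), validate=True)
    return cert


def pem_wrap(der: bytes) -> bytes:
    """PEM-encode DER bytes (the form a root certificate often arrives in)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def fingerprint(der: bytes, algorithm: str) -> str:
    """Fingerprint = hash of the certificate content, as lowercase hex."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("unsupported fingerprint algorithm: " + algorithm)
    return hashlib.new(algorithm, der).hexdigest()


def normalize(fp: str) -> str:
    """Canonical form of a configured fingerprint: bare lowercase hex.
    Accepts 'AB:CD:..', 'ab cd ..' or a plain hex string."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def verify_root_certificate(cert: bytes, configured_fp: str,
                            algorithm: str = "sha1") -> bool:
    """Accept the root certificate only if its fingerprint equals the one
    configured for the PKI domain; a malformed configured value never matches."""
    actual = fingerprint(to_der(cert), algorithm)
    expected = normalize(configured_fp)
    # compare_digest is False on unequal lengths and is constant-time otherwise.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    configured = fingerprint(SAMPLE_ROOT_DER, "sha1")  # value the operator pins
    print("genuine root accepted:",
          verify_root_certificate(pem_wrap(SAMPLE_ROOT_DER), configured))
    tampered = SAMPLE_ROOT_DER[:-1] + b"\x00"
    print("altered root accepted:", verify_root_certificate(tampered, configured))
```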
Follow these steps to configure a PKI domain:

To do: Enter system view.
Use the command: system-view

To do: Create a PKI domain and enter its view.
Use the command: pki domain domain-name
Remarks: Required. No PKI domain exists by default.

To do: Specify the trusted CA.
Use the command: ca identifier name
Remarks: Required. No trusted CA is specified by default.

To do: Specify the entity for certificate request.
Use the command: certificate request entity entity-name
Remarks: Required. No entity is specified by default. The specified entity must exist.

To do: Specify the authority for certificate request.
Use the command: certificate request from { ca | ra }
Remarks: Required. No authority is specified by default.

To do: Configure the URL of the server for certificate request.
Use the command: certificate request url url-string
Remarks: Required. No URL is configured by default.

To do: Configure the polling interval and attempt limit for querying the certificate request status.
Use the command: certificate request polling { count count | interval minutes }
Remarks: Optional. By default, polling is executed up to 50 times at an interval of 20 minutes.
