Configuring A Pki Domain - HP 3600 v2 Series Security Configuration Manual
Hide thumbs
Also See for 3600 v2 Series:
- Command reference manual (510 pages) ,
- Configuration manual (449 pages) ,
- Installation manual (62 pages)
Table of Contents
Advertisement
To do...
Configure the FQDN for the entity
Configure the IP address for the
entity
Configure the locality for the entity
Configure the organization name
for the entity
Configure the unit name for the
entity
Configure the state or province for
the entity
NOTE:
The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the entity
DN in a certificate request goes beyond a certain limit, the server will not respond to the certificate request.
Configuring a PKI domain
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information,
which is referred to as a PKI domain. A PKI domain is only intended for convenient reference by
applications like IKE and SSL, and only has local significance. A PKI domain configured on a switch is
invisible to the CA and other switches, and each PKI domain has its own parameters.
A PKI domain defines these parameters:
Trusted CA—An entity requests a certificate from a trusted CA.
•
Entity—A certificate applicant uses an entity to provide its identity information to a CA.
•
RA—Generally, an independent RA is in charge of certificate request management. It receives the
•
registration request from an entity, checks its qualification, and determines whether to ask the CA to
sign a digital certificate. The RA only checks the application qualification of an entity; it does not
issue any certificate. Sometimes, the registration management function is provided by the CA, in
which case no independent RA is required. It is a good practice to deploy an independent RA.
URL of the registration server—An entity sends a certificate request to the registration server through
•
Simple Certification Enrollment Protocol (SCEP), a dedicated protocol for an entity to communicate
with a CA. This URL is also called the certificate request URL.
Polling interval and count—After an applicant makes a certificate request, the CA might need a
•
long period of time if it verifies the certificate request manually. During this period, the applicant
needs to query the status of the request periodically to get the certificate as soon as possible after
the certificate is signed. You can configure the polling interval and count to query the request status.
•
IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs. If
this is the case, you must configure the IP address of the LDAP server.
Use the command...
fqdn name-str
ip ip-address
locality locality-name
organization org-name
organization-unit org-unit-name
state state-name
244
Remarks
Optional
No FQDN is specified by default.
Optional
No IP address is specified by
default.
Optional
No locality is specified by default.
Optional
No organization is specified by
default.
Optional
No unit is specified by default.
Optional
No state or province is specified by
default.
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
