HPE FlexNetwork 10500 Series Security Configuration Manual page 314

Step 3. Specify the trusted CA.
Command: ca identifier name
Remarks: By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be provided. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the same CA server. The CA server's URL is specified by using the certificate request url command.

Step 4. Specify the PKI entity name.
Command: certificate request entity entity-name
Remarks: By default, no entity is specified.

Step 5. Specify the type of certificate request reception authority.
Command: certificate request from { ca | ra }
Remarks: By default, no authority type is specified.

Step 6. Specify the certificate request URL.
Command: certificate request url url-string [ vpn-instance vpn-instance-name ]
Remarks: By default, the certificate request URL is not specified.

Step 7. (Optional.) Set the SCEP polling interval and maximum number of polling attempts.
Command: certificate request polling { count count | interval interval }
Remarks: By default, the device polls the CA server for the certificate request status every 20 minutes. The maximum number of polling attempts is 50.

Step 8. (Optional.) Specify the LDAP server.
Command: ldap-server host hostname [ port port-number ] [ vpn-instance vpn-instance-name ]
Remarks: This task is required only when the CRL repository is an LDAP server and the URL of the CRL repository does not contain the host name of the LDAP server. By default, no LDAP server is specified.

Step 9. Configure the fingerprint for verifying the root CA certificate.
Command:
In non-FIPS mode: root-certificate fingerprint { md5 | sha1 } string
In FIPS mode: root-certificate fingerprint sha1 string
Remarks: This task is required if the auto certificate request mode is configured in the PKI domain. If the manual certificate request mode is configured, you can skip this task and manually verify the fingerprint of the CA certificate. By default, no fingerprint is configured.

Step 10. Specify the key pair for the certificate request.
Command:
Specify an RSA key pair: public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] }
Specify an ECDSA key pair: public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ]
Specify a DSA key pair: public-key dsa name key-name [ length key-length ]
Remarks: By default, no key pair is specified. If the specified key pair does not exist, the PKI entity automatically creates the key pair before submitting a certificate request. For information about how to generate DSA, ECDSA, and RSA key pairs, see "Managing public keys."

297
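The steps above assembled into one PKI domain configuration, as an added example rather than text from the manual. The system-view and pki domain commands are assumed from the steps that precede this page; the domain, CA, entity and key names, the URL and the fingerprint value are placeholders, and the fingerprint must be the value obtained from the CA administrator out of band, because in auto request mode it is what the device compares the downloaded root CA certificate against.

```text
system-view
pki domain example-domain
ca identifier ExampleRootCA
certificate request entity device-entity
certificate request from ra
certificate request url http://ca.example.com/scep
certificate request polling interval 30
certificate request polling count 20
root-certificate fingerprint sha1 <40-hex-digit SHA-1 fingerprint of the root CA certificate, supplied by the CA administrator>
public-key rsa general name pki-rsa-key length 2048
quit
```

sha1 is used because it is the only digest the command accepts in FIPS mode, so the same line works in either mode. The two polling lines are optional, and the ldap-server line is omitted because this example does not use an LDAP CRL repository.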