# Retrieve the CA certificate from the certificate issuing server.
[RouterA] pki retrieval-certificate ca domain voice
# Request a local certificate from the CA.
[RouterA] pki request-certificate domain voice
# Create an SSL server policy named server and configure the policy to use PKI domain voice.
[RouterA] ssl server-policy server
[RouterA-ssl-server-policy-server] pki-domain voice
# Create an SSL client policy named client and configure the policy to use PKI domain voice.
[RouterA] ssl client-policy client
[RouterA-ssl-client-policy-server] pki-domain voice
# Reference the created SSL server and client policies for SIP, and then specify TLS as the
transport layer protocol for both outgoing and incoming SIP calls.
[RouterA] voice-setup
[RouterA-voice] sip
[RouterA-voice-sip] crypto ssl-server-policy server
[RouterA-voice-sip] crypto ssl-client-policy client
[RouterA-voice-sip] listen transport tls
[RouterA-voice-sip] transport tls
[RouterA-voice-sip] quit
# Configure the voice entities.
[RouterA-voice] dial-program
[RouterA-voice-dial] entity 2222 voip
[RouterA-voice-dial-entity2222] address sip ip 192.168.2.2 port 5061
[RouterA-voice-dial-entity2222] match-template 2222
[RouterA-voice-dial-entity2222] quit
[RouterA-voice-dial] entity 1111 pots
[RouterA-voice-dial-entity1111] line 1/0
[RouterA-voice-dial-entity1111] match-template 1111
[RouterA-voice-dial-entity1111] quit
[RouterA-voice-dial] quit
2.
Configure Router B:
# Configure the IP address of the Ethernet interface.
<RouterB> system-view
[RouterB] interface ethernet 2/1
[RouterB-Ethernet2/1] ip address 192.168.2.2 255.255.255.0
[RouterB-Ethernet2/1] quit
# Create a PKI entity aaa, enter its view, and then configure the common name of the entity as
RouterB.
[RouterB] pki entity aaa
[RouterB-pki-entity-aaa] common-name RouterB
[RouterB-pki-entity-aaa] quit
# Create a PKI domain voice, enter its view, and then specify the trusted CA as voice.
[RouterB] pki domain voice
[RouterB-pki-domain-voice] ca identifier voice
# Specify the URL of the registrar for certificate request. The URL is in the format of
http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is a hexadecimal
character string generated on the CA server. Then, specify the authority for certificate request
as CA, and specify the entity for certificate request as aaa.
170