HPE FlexNetwork 5510 HI Series Security Configuration Manual page 244


Step 7. (Optional.) Set the SCEP polling interval and maximum number of polling attempts.
Command: certificate request polling { count count | interval minutes }
Remarks: By default, the switch polls the CA server for the certificate request status every 20 minutes. The maximum number of polling attempts is 50.

Step 8. (Optional.) Specify the LDAP server.
Command: ldap-server host hostname [ port port-number ] [ vpn-instance vpn-instance-name ]
Remarks: This task is required only when the CRL repository is an LDAP server and the URL of the CRL repository does not contain the host name of the LDAP server. By default, no LDAP server is specified.

Step 9. Enter a fingerprint to be matched against the fingerprint of the root CA certificate.
Command:
In non-FIPS mode: root-certificate fingerprint { md5 | sha1 } string
In FIPS mode: root-certificate fingerprint sha1 string
Remarks: Before a PKI entity can enroll with a CA, it must authenticate the CA by obtaining the self-signed certificate of the CA and verifying the fingerprint of the CA certificate. If a fingerprint is not entered in the PKI domain, and if the CA certificate is imported or obtained through manual certificate request, you must verify the fingerprint that is displayed during authentication of the CA certificate. If the CA certificate is obtained through automatic certificate request, the certificate will be rejected if a fingerprint has not been entered. By default, no fingerprint is specified.

Step 10. Specify the key pair for certificate request.
Command:
Specify an RSA key pair: public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] }
Specify an ECDSA key pair: public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ]
Specify a DSA key pair: public-key dsa name key-name [ length key-length ]
Remarks: The public-key ecdsa command is available in Release 1121 and later. By default, no key pair is specified. If the specified key pair does not exist, the PKI entity automatically creates the key pair before submitting a certificate request. For information about creating key pairs, see "Managing public keys."

Step 11. (Optional.) Specify the intended use for the certificate.
Command: usage { ike | ssl-client | ssl-server } *
Remarks: By default, the certificate can be used by all applications, including IKE, SSL clients, and SSL server. The extension options contained in an issued certificate depend on the CA policy, and they might be different from those specified in the PKI domain.
