HPE FlexNetwork 5510 HI Series Security Configuration Manual page 7

Password control configuration example ····················································································· 213
Network requirements ······································································································ 213
Configuration procedure ··································································································· 214
Verifying the configuration ································································································· 215
Managing public keys ···································································· 217
Overview ······························································································································ 217
FIPS compliance···················································································································· 217
Creating a local key pair ·········································································································· 217
Distributing a local host public key ····························································································· 219
Exporting a host public key ································································································ 219
Displaying a host public key ······························································································· 219
Destroying a local key pair ······································································································· 220
Configuring a peer host public key ····························································································· 220
Importing a peer host public key from a public key file ····························································· 220
Entering a peer host public key ·························································································· 221
Displaying and maintaining public keys ······················································································· 221
Examples of public key management ························································································· 221
Example for entering a peer host public key ·········································································· 221
Example for importing a public key from a public key file ·························································· 223
Configuring PKI ··········································································· 226
Overview ······························································································································ 226
PKI terminology ·············································································································· 226
PKI architecture ·············································································································· 227
PKI operation ················································································································· 227
PKI applications ·············································································································· 228
Support for MPLS L3VPN ································································································· 228
FIPS compliance···················································································································· 229
PKI configuration task list ········································································································· 229
Configuring a PKI entity ··········································································································· 229
Configuring a PKI domain ········································································································ 230
Requesting a certificate ··········································································································· 232
Configuration guidelines ··································································································· 232
Configuring automatic certificate request ·············································································· 233
Manually requesting a certificate ························································································· 233
Aborting a certificate request ···································································································· 234
Obtaining certificates ·············································································································· 234
Configuration prerequisites ································································································ 234
Configuration guidelines ··································································································· 234
Configuration procedure ··································································································· 235
Verifying PKI certificates ·········································································································· 235
Verifying certificates with CRL checking ··············································································· 235
Verifying certificates without CRL checking ··········································································· 236
Specifying the storage path for the certificates and CRLs ······························································· 236
Exporting certificates ·············································································································· 237
Removing a certificate ············································································································· 237
Configuring a certificate-based access control policy ····································································· 238
Displaying and maintaining PKI ································································································· 239
PKI configuration examples ······································································································ 239
Requesting a certificate from an RSA Keon CA server ···························································· 239
Requesting a certificate from a Windows Server 2003 CA server ··············································· 242
Requesting a certificate from an OpenCA server ···································································· 245
Certificate import and export configuration example ································································ 248
Troubleshooting PKI configuration ····························································································· 253
Failed to obtain the CA certificate ······················································································· 254
Failed to obtain local certificates ························································································· 254
Failed to request local certificates ······················································································· 255
Failed to obtain CRLs ······································································································· 255
Failed to import the CA certificate ······················································································· 256
Failed to import a local certificate ························································································ 257
Failed to export certificates ································································································ 257
v