HPE Moonshot 45Gc Security Configuration Manual page 7

Switch module
Table of Contents

    Configuration procedure ··· 213
    Verifying the configuration ··· 214
Managing public keys ··· 216
  Overview ··· 216
  FIPS compliance ··· 216
  Creating a local key pair ··· 216
  Distributing a local host public key ··· 218
    Exporting a host public key ··· 218
    Displaying a host public key ··· 218
  Destroying a local key pair ··· 219
  Configuring a peer host public key ··· 219
    Importing a peer host public key from a public key file ··· 219
    Entering a peer host public key ··· 219
  Displaying and maintaining public keys ··· 220
  Examples of public key management ··· 220
    Example for entering a peer host public key ··· 220
    Example for importing a public key from a public key file ··· 222
Configuring PKI ··· 225
  Overview ··· 225
    PKI terminology ··· 225
    PKI architecture ··· 226
    PKI operation ··· 226
    PKI applications ··· 227
    Support for MPLS L3VPN ··· 227
  FIPS compliance ··· 228
  PKI configuration task list ··· 228
  Configuring a PKI entity ··· 228
  Configuring a PKI domain ··· 229
  Requesting a certificate ··· 231
    Configuration guidelines ··· 231
    Configuring automatic certificate request ··· 232
    Manually requesting a certificate ··· 232
  Aborting a certificate request ··· 233
  Obtaining certificates ··· 233
    Configuration prerequisites ··· 233
    Configuration guidelines ··· 233
    Configuration procedure ··· 234
  Verifying PKI certificates ··· 234
    Verifying certificates with CRL checking ··· 234
    Verifying certificates without CRL checking ··· 235
  Specifying the storage path for the certificates and CRLs ··· 235
  Exporting certificates ··· 236
  Removing a certificate ··· 236
  Configuring a certificate-based access control policy ··· 237
  Displaying and maintaining PKI ··· 238
  PKI configuration examples ··· 238
    Requesting a certificate from an RSA Keon CA server ··· 238
    Requesting a certificate from a Windows Server 2003 CA server ··· 241
    Requesting a certificate from an OpenCA server ··· 244
    Certificate import and export configuration example ··· 247
  Troubleshooting PKI configuration ··· 252
    Failed to obtain the CA certificate ··· 253
    Failed to obtain local certificates ··· 253
    Failed to request local certificates ··· 254
    Failed to obtain CRLs ··· 254
    Failed to import the CA certificate ··· 255
    Failed to import a local certificate ··· 256
    Failed to export certificates ··· 256
    Failed to set the storage path ··· 257