3Com 4500G Family Configuration Manual page 710

24/48 port

any certificate. Sometimes, the registration management function is provided by the CA, in which case
no independent RA is required. Deploying an independent RA is recommended.
URL of the registration server
An entity sends a certificate request to the registration server through Simple Certificate Enrollment
Protocol (SCEP), a dedicated protocol for an entity to communicate with a CA.
Polling interval and count
After an applicant makes a certificate request, the CA may need a long period of time if it verifies the
certificate request manually. During this period, the applicant needs to query the status of the request
periodically to get the certificate as soon as possible after the certificate is signed. You can configure the
polling interval and count to query the request status.
IP address of the LDAP server
An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you need to
configure the IP address of the LDAP server.
Fingerprint for root certificate verification
Upon receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root
certificate, namely, the hash value of the root certificate content. This hash value is unique to every
certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain,
the entity will reject the root certificate.
Follow these steps to configure a PKI domain:
To do...                                Use the command...                      Remarks

Enter system view                       system-view

Create a PKI domain and enter its       pki domain domain-name                  Required
view                                                                            No PKI domain exists by default.

Specify the trusted CA                  ca identifier name                      Required
                                                                                No trusted CA is specified by default.

Specify the entity for certificate      certificate request entity              Required
request                                 entity-name                             No entity is specified by default.
                                                                                The specified entity must exist.

Specify the authority for certificate   certificate request from { ca | ra }    Required
request                                                                         No authority is specified by default.

Configure the URL of the server for     certificate request url url-string      Required
certificate request                                                             No URL is configured by default.

Configure the polling interval and      certificate request polling             Optional
attempt limit for querying the          { count count | interval minutes }      The polling is executed for up to 50
certificate request status                                                      times at the interval of 20 minutes
                                                                                by default.

Specify the LDAP server                 ldap-server ip ip-address [ port        Optional
                                        port-number ] [ version                 No LDAP server is specified by default.
                                        version-number ]

Configure the fingerprint for root      root-certificate fingerprint { md5      Required when the certificate request
certificate verification                | sha1 } string                         mode is auto and optional when the
                                                                                certificate request mode is manual. In
                                                                                the latter case, if you do not configure
                                                                                this command, the fingerprint of the
                                                                                root certificate must be verified
                                                                                manually.
                                                                                No fingerprint is configured by default.
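
The check described under "Fingerprint for root certificate verification", as an added example that is not from the manual or the switch software: it computes the md5 or sha1 fingerprint of a root certificate out of band and compares it with the string that would be configured in the PKI domain. It assumes the fingerprint is the digest of the certificate's DER encoding, as is conventional; the function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a root certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"\x30\x82\x00\x17" + b"constructed root CA bytes"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

_PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(cert: bytes) -> bytes:
    """Return DER bytes; PEM input is unwrapped and base64-decoded first."""
    m = _PEM.search(cert)
    return base64.b64decode(b"".join(m.group(1).split())) if m else cert


def fingerprint(cert: bytes, alg: str) -> str:
    """Lowercase hex digest of the DER encoding, using md5 or sha1
    (the two options the root-certificate fingerprint command offers)."""
    if alg not in ("md5", "sha1"):
        raise ValueError("alg must be 'md5' or 'sha1'")
    return hashlib.new(alg, to_der(cert)).hexdigest()


def accept_root(cert: bytes, alg: str, configured: str) -> bool:
    """True only if the received root certificate matches the configured
    fingerprint; colons, spaces and letter case in the string are ignored."""
    expected = re.sub(r"[\s:]", "", configured).lower()
    actual = fingerprint(cert, alg)
    # Constant-time comparison; a length mismatch simply returns False.
    return hmac.compare_digest(actual.encode(), expected.encode())


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_PEM, "sha1")
    print("sha1 fingerprint:", fp)
    print("match:", accept_root(SAMPLE_DER, "sha1", fp.upper()))
    print("tampered:", accept_root(SAMPLE_DER + b"\x00", "sha1", fp))
```

Hashing the PEM text instead of the decoded DER bytes yields a different value, which is a common cause of a fingerprint mismatch when the string is prepared on another system.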
