Operation Manual – PKI
H3C S5500-EI Series Ethernet Switches
Chapter 1 PKI Configuration

| To do... | Use the command... | Remarks |
|---|---|---|
| Configure the polling interval and maximum number of attempts for querying the certificate request status | certificate request polling { count count \| interval minutes } | Optional. By default, polling is executed up to 50 times at an interval of 20 minutes. |
| Specify the LDAP server | ldap-server ip ip-address [ port port-number ] [ version version-number ] | Optional. No LDAP server is specified by default. |
| Configure the fingerprint for root certificate validation | root-certificate fingerprint { md5 \| sha1 } string | Optional. No fingerprint is configured by default. |

Note:
Currently, up to two PKI domains can be created on a device.
The CA name is required only when you retrieve a CA certificate. It is not used in a local certificate request.

1.5 Submitting a PKI Certificate Request

When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate that the CA may issue to the entity. A certificate request can be submitted to a CA in two ways: online and offline. In offline mode, a certificate request is submitted to a CA by "out-of-band" means such as phone, disk, or e-mail.
Online certificate request falls into two categories: manual mode and auto mode.

1.5.1 Submitting a Certificate Request in Auto Mode

In auto mode, an entity automatically requests a certificate through the SCEP protocol when it has no local certificate or the present certificate is about to expire.
Follow these steps to configure an entity to submit a certificate request in auto mode:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter PKI domain view | pki domain domain-name | — |
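
An added example, not taken from the H3C manual: before entering a value with the root-certificate fingerprint command listed above, an administrator can compute the MD5 or SHA-1 fingerprint of the CA certificate received out of band and compare it with the value the CA published. It assumes the fingerprint is the hex digest of the DER-encoded certificate; the function names are hypothetical and the sample PEM is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in: the PEM body decodes to b"abc", not a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

HEX_LEN = {"md5": 32, "sha1": 40}  # the two algorithms the command accepts

def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block and return its DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(der: bytes, algo: str) -> str:
    """Hex digest of the DER bytes (assumed to be what the device compares)."""
    if algo not in HEX_LEN:
        raise ValueError("algo must be md5 or sha1")
    return hashlib.new(algo, der).hexdigest()

def normalize(value: str, algo: str) -> str:
    """Drop separators (':', '-', spaces), lowercase, and check the length."""
    cleaned = re.sub(r"[\s:\-]", "", value).lower()
    if len(cleaned) != HEX_LEN[algo] or re.fullmatch(r"[0-9a-f]+", cleaned) is None:
        raise ValueError(f"not a {algo} fingerprint: {value!r}")
    return cleaned

def matches(pem: str, algo: str, published: str) -> bool:
    """True if the certificate's fingerprint equals the published value."""
    actual = fingerprint(pem_to_der(pem), algo)
    return hmac.compare_digest(actual, normalize(published, algo))

if __name__ == "__main__":
    for algo in HEX_LEN:
        print(algo, fingerprint(pem_to_der(SAMPLE_PEM), algo))
```

A malformed or truncated published value raises ValueError instead of silently comparing unequal, so a copy-and-paste error is distinguishable from a genuine mismatch.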