H3C S5500-EI series Operation Manual page 1508

Operation Manual – PKI
H3C S5500-EI Series Ethernet Switches
II. Network diagram
Figure 1-2 Diagram for configuring a PKI entity to request a certificate from a CA
III. Configuration procedure
On the CA server, complete the following configurations:
1) Create a CA server named myca
In this example, you first need to configure these basic attributes on the CA server:
Nickname: Name of the trusted CA.
Subject DN: DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C).
The other attributes can be left at their default values.
2) Configure extended attributes
After configuring the basic attributes, you need to perform configuration on the
jurisdiction configuration page of the CA server. This includes selecting the proper
extension profiles, enabling the SCEP autovetting function, and adding the IP address
list for SCEP autovetting.
3) Configure the CRL publishing behavior
After completing the above configuration, you need to configure the CRL-related
settings. In this example, select the local CRL publishing mode of HTTP and set
the HTTP URL to http://4.4.4.133:447/myca.crl.
After the above configuration, make sure that the system clock of the device is
synchronized with that of the CA, so that the device can request certificates and
retrieve CRLs properly.
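Why the clock requirement above matters, as an added example that is not part of the original manual: a simplified, generic X.509 validity-window check (not the switch's own implementation) showing which errors a device sees when its clock drifts from the CA's. All timestamps and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def check_windows(device_now, cert_not_before, cert_not_after,
                  crl_this_update, crl_next_update):
    """Return the validity failures a relying device would report when it
    evaluates a certificate and a CRL against its own clock."""
    problems = []
    if device_now < cert_not_before:
        problems.append("certificate not yet valid")
    if device_now > cert_not_after:
        problems.append("certificate expired")
    if device_now < crl_this_update:
        problems.append("CRL issued in the future")
    if device_now > crl_next_update:
        problems.append("CRL stale (past nextUpdate)")
    return problems

def max_safe_lag(ca_now, cert_not_before, crl_this_update):
    """How far the device clock may lag the CA before a freshly issued
    certificate or CRL appears to come from the future."""
    return ca_now - max(cert_not_before, crl_this_update)

# Constructed sample values (assumptions, not taken from the manual).
CA_NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
NOT_BEFORE = CA_NOW - timedelta(minutes=1)        # certificate just issued
NOT_AFTER = NOT_BEFORE + timedelta(days=365)
THIS_UPDATE = CA_NOW - timedelta(hours=1)         # CRL published an hour ago
NEXT_UPDATE = THIS_UPDATE + timedelta(hours=24)   # next CRL due in 23 hours

def evaluate(skew):
    """Check the sample objects on a device whose clock is CA time + skew."""
    return check_windows(CA_NOW + skew, NOT_BEFORE, NOT_AFTER,
                         THIS_UPDATE, NEXT_UPDATE)

if __name__ == "__main__":
    offsets = (timedelta(0), timedelta(minutes=-10),
               timedelta(hours=-2), timedelta(days=2))
    for skew in offsets:
        print(f"device clock offset {skew}: {evaluate(skew) or 'ok'}")
    print("max safe lag:", max_safe_lag(CA_NOW, NOT_BEFORE, THIS_UPDATE))
```

A lagging clock makes a newly issued certificate look not yet valid, while a clock running ahead makes a current CRL look stale, so either direction of drift can break enrollment or revocation checking.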
On the Switch, perform the following configurations:
1) Configure the entity DN
# Configure the entity name as aaa and the common name as Switch.
<Switch> system-view
[Switch] pki entity aaa
[Switch-pki-entity-aaa] common-name Switch
[Switch-pki-entity-aaa] quit
2) Configure the PKI domain
# Create PKI domain torsa and enter its view.
Chapter 1 PKI Configuration
