Configuration procedure – H3C Technologies H3C S12500 Series Switches User Manual
Page 55
43
Configuration procedure
In this example, the CA runs Windows Server and has the SCEP add-on installed. The switch, host, and
CA can reach one another.
1.
Configure the switch (HTTPS server):
# Configure a PKI entity, and set the common name to http-server1 and the FQDN to
ssl.security.com.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en] common-name http-server1
[Sysname-pki-entity-en] fqdn ssl.security.com
[Sysname-pki-entity-en] quit
# Create a PKI domain, specify the trusted CA as new-ca, the URL of the server for certificate
request as http://10.1.2.2/certsrv/mscep/mscep.dll, authority for certificate request as RA, and
the entity for certificate request as en.
[Sysname] pki domain 1
[Sysname-pki-domain-1] ca identifier new-ca
[Sysname-pki-domain-1] certificate request url
http://10.1.2.2/certsrv/mscep/mscep.dll
[Sysname-pki-domain-1] certificate request from ra
[Sysname-pki-domain-1] certificate request entity en
[Sysname-pki-domain-1] quit
# Create RSA local key pairs.
[Sysname] public-key loc al create rsa
# Retrieve the CA certificate.
[Sysname] pki retrieval-certificate ca domain 1
# Request a local certificate for the switch through SCEP.
[Sysname] pki request-certificate domain 1
# Create SSL server policy myssl, specify PKI domain 1 for the SSL server policy, and enable
certificate-based SSL client authentication.
[Sysname] ssl server-policy myssl
[Sysname-ssl-server-policy-myssl] pki-domain 1
Sysname-ssl-server-policy-myssl] client-verify enable
[Sysname-ssl-server-policy-myssl] quit
# Create certificate attribute group mygroup1 and configure a certificate attribute rule for it,
specifying that the distinguished name in the subject name includes the string of new-ca.
[Sysname] pki certificate attribute-group mygroup1
[Sysname-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Sysname-pki-cert-attribute-group-mygroup1] quit
# Create certificate attribute-based access control policy myacp and configure a certificate
attribute-based access control rule, specifying that a certificate is considered valid when it matches
an attribute rule in certificate attribute group myacp.
[Sysname] pki certificate access-control-policy myacp
[Sysname-pki-cert-acp-myacp] rule 1 permit mygroup1
[Sysname-pki-cert-acp-myacp] quit
# Associate the HTTPS service with SSL server policy myssl.