Configuration procedure – H3C Technologies H3C S5120 Series Switches User Manual

1-5

Figure 1-3 Network diagram for SSL server policy configuration

Configuration procedure

1) Configure the HTTPS server (Device)

# Create a PKI entity named en, and configure the common name as http-server1 and the FQDN as

ssl.security.com.

<Device> system-view

[Device] pki entity en

[Device-pki-entity-en] common-name http-server1

[Device-pki-entity-en] fqdn ssl.security.com

[Device-pki-entity-en] quit

# Create PKI domain 1, specify the trusted CA as ca server, the URL of the registration server as

http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request as RA, and the entity for

certificate request as en.

[Device] pki domain 1

[Device-pki-domain-1] ca identifier ca server

[Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll

[Device-pki-domain-1] certificate request from ra

[Device-pki-domain-1] certificate request entity en

[Device-pki-domain-1] quit

# Create the local RSA key pairs.

[Device] public-key local create rsa

# Retrieve the CA certificate.

[Device] pki retrieval-certificate ca domain 1

# Request a local certificate for Device.

[Device] pki request-certificate domain 1

# Create an SSL server policy named myssl.

[Device] ssl server-policy myssl

# Specify the PKI domain for the SSL server policy as 1.

[Device-ssl-server-policy-myssl] pki-domain 1

# Enable client authentication.

[Device-ssl-server-policy-myssl] client-verify enable