H3C Technologies H3C MSR 50 User Manual
Page 491
106
Item Description
Entity Name
Select the local PKI entity.
When submitting a certificate request to a CA, an entity needs to show its identity
information.
Available PKI entities are those that have been configured.
Institution
Select the authority for certificate request.
•
CA—Entity requests a certificate from a CA.
•
RA—Entity requests a certificate from an RA.
Generally, an independent RA is in charge of certificate request management. It receives
the registration request from an entity, examines its qualification, and determines
whether to ask the CA to sign a digital certificate. The RA only examines the application
qualification of an entity. It does not issue any certificate. Sometimes, the registration
management function is provided by the CA, in which case no independent RA is
required. H3C recommends that you deploy an independent RA.
Requesting URL
Enter the URL of the RA.
The entity will submit the certificate request to the server at this URL through the SCEP
protocol. The SCEP protocol is intended for communication between an entity and an
authentication authority.
In offline mode, this item is optional. In other modes, this item is required.
IMPORTANT:
•
In offline mode, this item is optional. In other modes, this item is required.
•
This item does not support domain name resolution.
LDAP IP
Enter the IP address, port number, and version of the LDAP server.
An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you
must configure the IP address of the LDAP server..
Port
Version
Request Mode
Select the online certificate request mode, which can be auto or manual.
Password
Set a password for certificate revocation and re-enter it for confirmation.
The two boxes are available only when the certificate request mode is set to Auto..
Confirm Password
Fingerprint Hash
Specify the fingerprint used for verifying the CA root certificate.
After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the
root certificate, namely, the hash value of the root certificate content. This hash value is
unique to every certificate. If the fingerprint of the root certificate does not match the one
configured for the PKI domain, the entity will reject the root certificate.
•
If you specify MD5 as the hash algorithm, enter an MD5 fingerprint. The fingerprint
must a string of 32 characters in hexadecimal notation.
•
If you specify SHA1 as the hash algorithm, enter an SHA1 fingerprint. The fingerprint
must a string of 40 characters in hexadecimal notation.
•
If you do not specify the fingerprint hash, do not enter any fingerprint. The entity will
not verify the CA root certificate, and you yourself must make sure the CA server is
trusted.
IMPORTANT:
The fingerprint must be configured if you specify the certificate request mode as Auto. If you
specify the certificate request mode as Manual, you can leave the fingerprint settings null. If
you do not configure the fingerprint, the entity will not verify the CA root certificate and you
yourself must make sure the CA server is trusted.
Fingerprint