Network diagram, Configuration procedure – H3C Technologies H3C WX6000 Series Access Controllers User Manual

Page 660

Advertising
background image

68-13

Network diagram

Figure 68-2

Diagram for configuring a PKI entity to request a certificate from a CA

Configuration procedure

On the CA server, complete the following configurations:

1) Create a CA server named myca

In this example, you need to configure theses basic attributes on the CA server at first:

z

Nickname: Name of the trusted CA.

z

Subject DN: DN information of the CA, including the Common Name (CN), Organization Unit (OU),
Organization (O), and Country (C).

The other attributes may be left using the default values.

2) Configure extended attributes

After configuring the basic attributes, you need to perform configuration on the jurisdiction configuration
page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP
autovetting function, and adding the IP address list for SCEP autovetting.

3) Configure the CRL publishing behavior

After completing the above configuration, you need to perform CRL related configurations. In this
example, select the local CRL publishing mode of HTTP and set the HTTP URL to
http://4.4.4.133:447/myca.crl.

After the above configuration, make sure that the system clock of the AC is synchronous to that of the
CA, allowing the AC to request certificates and retrieve CRLs properly.

On the AC, perform the following configurations:

4) Configure the entity DN

# Configure the entity name as aaa and the common name as AC.

<AC> system-view

[AC] pki entity aaa

[AC-pki-entity-aaa] common-name AC

[AC-pki-entity-aaa] quit

5) Configure the PKI domain

# Create PKI domain torsa and enter its view.

[AC] pki domain torsa

# Configure the name of the trusted CA as myca.

[AC-pki-domain-torsa] ca identifier myca

# Configure the URL of the enrollment server in the format of http://host:port/Issuing Jurisdiction ID,
where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server.

[AC-pki-domain-torsa] certificate request url

http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337

# Set the registration authority to CA.

Advertising
Popular Brands
Popular manuals