1224 CHAPTER 97: PKI CONFIGURATION
■ RA
Generally, an independent RA is in charge of certificate request management. It 
receives the registration request from an entity, checks its qualification, and 
determines whether to ask the CA to sign a digital certificate. The RA only checks 
the application qualification of an entity; it does not issue any certificate. 
Sometimes, the registration management function is provided by the CA, in which 
case no independent RA is required. Deploying an independent RA is 
recommended.
■ URL of the enrollment server
An entity sends a certificate request to the enrollment server through Simple 
Certificate Enrollment Protocol (SCEP), a dedicated protocol for an entity to 
communicate with a CA.
■ Polling interval and count
After an applicant makes a certificate request, the CA may take a long time to 
respond if it verifies the request manually. During this period, the applicant 
needs to query the status of the request periodically so that it gets the certificate 
as soon as possible after the certificate is signed. You can configure the polling 
interval and count used to query the request status.
■ IP address of the LDAP server
An LDAP server is usually deployed to store certificates and CRLs. If this is the case, 
you need to configure the IP address of the LDAP server.
■ Fingerprint for root certificate validation
Upon receiving the root certificate of the CA, an entity needs to validate the 
fingerprint of the root certificate, namely, the hash value of the root certificate 
content. This hash value is unique to every certificate. The entity will reject the root 
certificate if the fingerprint of the root certificate does not match the one 
configured for the PKI domain.
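The fingerprint check described in the last item, written out as an added example (not taken from this manual or from the device software). The function names, the supported hash algorithms and the sample bytes are assumptions, since this page does not name the hash algorithm the device uses.

```python
import base64
import hashlib
import hmac
import re

# Digest length in hex characters for each supported algorithm (assumed set).
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and decode the base64 body to DER bytes."""
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def normalize_fingerprint(text: str, algorithm: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'abcd' forms; return lowercase hex."""
    hex_only = re.sub(r"[\s:]", "", text).lower()
    if len(hex_only) != HEX_LEN[algorithm] or not re.fullmatch(r"[0-9a-f]+", hex_only):
        raise ValueError(f"not a valid {algorithm} fingerprint: {text!r}")
    return hex_only


def root_cert_accepted(der: bytes, configured: str, algorithm: str = "sha256") -> bool:
    """Return True only if the certificate's hash equals the configured value."""
    expected = normalize_fingerprint(configured, algorithm)
    actual = hashlib.new(algorithm, der).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed stand-in bytes, not a real certificate: the fingerprint is a hash
# over the encoded certificate, so any byte string shows the accept/reject logic.
SAMPLE_DER = b"constructed-root-certificate-bytes"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    good = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
    configured = ":".join(good[i:i + 2] for i in range(0, len(good), 2))
    print(root_cert_accepted(pem_to_der(SAMPLE_PEM), configured))  # genuine root
    print(root_cert_accepted(SAMPLE_DER + b"x", configured))       # substituted root
```

The configured value must come from the CA administrator over a separate trusted channel; a fingerprint computed from the certificate that was just downloaded proves nothing.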
Follow these steps to configure a PKI domain:
To do…                                         Use the command…                        Remarks
Enter system view                              system-view                             -
Create a PKI domain and enter its view         pki domain domain-name                  Required. No PKI domain exists by default.
Specify the trusted CA                         ca identifier name                      Required. No trusted CA is specified by default.
Specify the entity for certificate request     certificate request entity entity-name  Required. No entity is specified by default. The specified entity must exist.
Specify the authority for certificate request  certificate request from { ca | ra }    Required. No authority is specified by default.