PKI Configuration Examples 1231
■ Nickname: Name of the trusted CA.
■ Subject DN: DN information of the CA, including the Common Name (CN),
Organizational Unit (OU), Organization (O), and Country (C).
The other attributes can be left at their default values.
2 Configure extended attributes
After configuring the basic attributes, perform the configuration on the
jurisdiction configuration page of the CA server. This includes selecting the proper
extension profiles, enabling the SCEP autovetting function, and adding the IP
address list that is allowed to use SCEP autovetting.
3 Configure the CRL publishing behavior
After completing the above configuration, perform the CRL related
configuration. In this example, select the local CRL publishing mode of HTTP and
set the HTTP URL to http://4.4.4.133:447/myca.crl.
After the above configuration, make sure that the system clock of the device is
synchronized with that of the CA. The device checks the validity periods of
certificates and CRLs against its own clock, so a clock that is behind or ahead of
the CA's prevents it from requesting certificates and retrieving CRLs properly.
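The clock requirement above is easy to verify on the CRL itself: a relying party only accepts a CRL whose thisUpdate is not in its future and whose nextUpdate is not in its past. The following Python script is an added example and is not from this manual or the switch software. It builds a constructed, minimal CRL for an issuer named myca with a dummy signature (nothing is verified), walks the DER with a stdlib-only parser to pull thisUpdate and nextUpdate, and then evaluates a device clock that is in sync, two days behind and ten days ahead of the CA's. To check a real CRL, pass the bytes fetched from http://4.4.4.133:447/myca.crl instead of SAMPLE_CRL; the CA clock value CA_NOW is assumed for the demonstration.

```python
"""Pull thisUpdate/nextUpdate out of a DER CRL and judge it against a device clock.
Added example for this manual page; stdlib only. The sample CRL is constructed here
and carries a dummy signature that is not verified."""
from datetime import datetime, timedelta, timezone


# --- tiny DER helpers --------------------------------------------------------
def der(tag, body):
    """Encode one TLV with a definite-length header (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Return (tag, value, position after this TLV) for the TLV starting at pos."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:                                  # long-form length
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + ln], pos + ln


def utctime(dt):
    """UTCTime (tag 0x17, YYMMDDHHMMSSZ), which RFC 5280 mandates for 1950-2049."""
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())


def parse_time(tag, value):
    """Decode UTCTime (0x17, two-digit year, pivot at 50) or GeneralizedTime (0x18)."""
    s = value.decode()
    if tag == 0x17:
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = s[2:]
    elif tag == 0x18:
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    return datetime.strptime("%04d%s" % (year, rest), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


# --- constructed sample CRL (RFC 5280 section 5.1, empty revocation list) ----
def build_sample_crl(this_update, next_update):
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"myca"))))
    tbs = der(0x30, der(0x02, b"\x01") + sha256_rsa + issuer +
              utctime(this_update) + utctime(next_update))
    signature = der(0x03, b"\x00" + b"\xAA" * 32)     # dummy BIT STRING, not a real signature
    return der(0x30, tbs + sha256_rsa + signature)


def crl_validity(crl_der):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList; nextUpdate may be None."""
    tag, cert_list, _ = read_tlv(crl_der, 0)
    if tag != 0x30:
        raise ValueError("CRL does not start with a SEQUENCE")
    _, tbs, _ = read_tlv(cert_list, 0)               # tbsCertList
    tag, val, nxt = read_tlv(tbs, 0)
    if tag == 0x02:                                  # optional version INTEGER
        tag, val, nxt = read_tlv(tbs, nxt)           # signature AlgorithmIdentifier
    tag, val, nxt = read_tlv(tbs, nxt)               # issuer Name
    tag, val, nxt = read_tlv(tbs, nxt)               # thisUpdate
    this_update = parse_time(tag, val)
    next_update = None
    if nxt < len(tbs):
        tag, val, nxt = read_tlv(tbs, nxt)
        if tag in (0x17, 0x18):                      # nextUpdate present
            next_update = parse_time(tag, val)
    return this_update, next_update


def check_crl_against_clock(crl_der, device_now):
    """The relying party's freshness check, driven by the device's own clock."""
    this_update, next_update = crl_validity(crl_der)
    if device_now < this_update:
        return False, "device clock behind CA: CRL not yet valid"
    if next_update is not None and device_now > next_update:
        return False, "device clock ahead of CA (or stale CRL): CRL expired"
    return True, "CRL usable"


CA_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)   # assumed CA clock
SAMPLE_CRL = build_sample_crl(CA_NOW, CA_NOW + timedelta(days=7))

if __name__ == "__main__":
    for label, clock in [("in sync", CA_NOW + timedelta(seconds=30)),
                         ("two days behind", CA_NOW - timedelta(days=2)),
                         ("ten days ahead", CA_NOW + timedelta(days=10))]:
        print(label, check_crl_against_clock(SAMPLE_CRL, clock))
```

The same parser works on the CRL served at the HTTP URL configured above because it only reads the leading fields of tbsCertList; a device whose clock is behind the CA fails on thisUpdate even though the CRL is freshly published, which is the failure the clock requirement prevents.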
On the Switch, perform the following configurations:
4 Configure the entity DN
# Configure the entity name as aaa and the common name as Switch.
<Switch> system-view
[Switch] pki entity aaa
[Switch-pki-entity-aaa] common-name Switch
[Switch-pki-entity-aaa] quit
5 Configure the PKI domain
# Create PKI domain torsa and enter its view.
[Switch] pki domain torsa
# Configure the name of the trusted CA as myca.
[Switch-pki-domain-torsa] ca identifier myca
# Configure the URL of the enrollment server in the format of
http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is a
hexadecimal string generated on the CA server.
[Switch-pki-domain-torsa] certificate request url http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337
# Specify the CA as the registration authority, so that the switch sends its certificate request to the CA rather than to a separate RA.
[Switch-pki-domain-torsa] certificate request from ca
# Specify the entity for certificate request as aaa.