4. Configure the country code for the entity.
   Command: country country-code-str
   Remarks: Optional. No country code is specified by default.
5. Configure the FQDN for the entity.
   Command: fqdn name-str
   Remarks: Optional. No FQDN is specified by default.
6. Configure the IP address for the entity.
   Command: ip ip-address
   Remarks: Optional. No IP address is specified by default.
7. Configure the locality for the entity.
   Command: locality locality-name
   Remarks: Optional. No locality is specified by default.
8. Configure the organization name for the entity.
   Command: organization org-name
   Remarks: Optional. No organization is specified by default.
9. Configure the unit name for the entity.
   Command: organization-unit org-unit-name
   Remarks: Optional. No unit is specified by default.
10. Configure the state or province for the entity.
   Command: state state-name
   Remarks: Optional. No state or province is specified by default.
NOTE:
The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the entity
DN in a certificate request goes beyond a certain limit, the server will not respond to the certificate request.
Configuring a PKI domain
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information,
which is referred to as a PKI domain. A PKI domain is only intended for convenient reference by
applications like SSL, and only has local significance. A PKI domain configured on a switch is invisible
to the CA and other switches, and each PKI domain has its own parameters.
A PKI domain defines these parameters:
• Trusted CA—An entity requests a certificate from a trusted CA.
• Entity—A certificate applicant uses an entity to provide its identity information to a CA.
• RA—Generally, an independent RA is in charge of certificate request management. It receives the
registration request from an entity, examines its qualification, and determines whether to ask the CA
to sign a digital certificate. The RA only examines the application qualification of an entity; it does
not issue any certificate. Sometimes, the registration management function is provided by the CA,
in which case no independent RA is required. It is a good practice to deploy an independent RA.
• URL of the registration server—An entity sends a certificate request to the registration server
through Simple Certificate Enrollment Protocol (SCEP), a dedicated protocol for an entity to
communicate with a CA. This URL is also called the certificate request URL.
• Polling interval and count—After an applicant makes a certificate request, the CA might need a
long period of time if it verifies the certificate request manually. During this period, the applicant