191
Ste
Command
Remarks
9. Enter a fingerprint to
be matched against
the fingerprint of the
root CA certificate.
In non-FIPS mode:
root-certificate fingerprint { md5 | sha1 }
string
In FIPS mode:
root-certificate fingerprint sha1 string
Before a PKI entity can enroll with a
CA, it must authenticate the CA by
obtaining the self-signed certificate
of the CA and verifying the
fingerprint of the CA certificate.
If a fingerprint is not entered in the
PKI domain, and if the CA
certificate is imported or obtained
through manual certificate request,
you must verify the fingerprint that
is displayed during authentication
of the CA certificate.
If the CA certificate is obtained
through automatic certificate
request, the certificate will be
rejected if a fingerprint has not
been entered.
By default, no fingerprint is
specified.
10. Specify the key pair for
certificate request.
• Specify an RSA key pair:
public-key rsa { { encryption name
encryption-key-name [ length
key-length ] | signature name
signature-key-name [ length
key-length ] } * | general name
key-name [ length key-length ] }
• Specify a DSA key pair:
public-key dsa name key-name
[ length key-length ]
Use at either command.
By default, no key pair is specified.
You can specify a non-existing key
pair, which is generated during the
certificate application.
For information about how to
generate DSA and RSA key pairs,
see "Managing public keys."
11. (Optional.) Specify the
intended use for the
certificate.
usage { ike | ssl-client | ssl-server } *
By default, the certificate can be
used by all applications, including
IKE, SSL clients, and SSL server.
The extension options contained in
an issued certificate depend on the
CA policy, and they might be
different from those specified in the
PKI domain.
12. Specify a source IP
address for the PKI
protocol packets.
• Specify the source IPv4 address for the
PKI protocol packets:
source ip { ip-address | interface
{interface-type interface-number }
• Specify the source IPv6 address for the
PKI protocol packets:
source ipv6 { ipv6-address | interface
{ interface-type interface-number }}
This task is required if the CA
policy requires that the CA server
accept certificate requests from a
specific IP address or subnet.
By default, the source IP address of
PKI protocol packets is the IP
address of their outgoing interface.
To Next Page
Loading...
Need help?
General
