To achieve the goal, perform the following configurations (see Figure 65):
1. Configure the device to work as the HTTPS server, and request a certificate for the device.
2. Request a certificate for the host so that the device can authenticate the identity of the host.
3. Configure a CA server to issue certificates to the device and the host.
In this example, Windows Server works as the CA server, and the SCEP plug-in is installed on the CA
server.
Before performing the following configurations, make sure that the device, the host, and the CA server can reach each other.
Figure 65 Network diagram for SSL server policy configuration
[Figure: Host (10.1.1.1/24) -- Device (10.1.1.2/24 toward the host, 10.1.2.1/24 toward the CA) -- CA (10.1.2.2/24)]
Configuration procedure
1. Configure the HTTPS server (Device).
# Create a PKI entity named en, and configure the common name as http-server1 and the FQDN as
ssl.security.com.
<Device> system-view
[Device] pki entity en
[Device-pki-entity-en] common-name http-server1
[Device-pki-entity-en] fqdn ssl.security.com
[Device-pki-entity-en] quit
# Create PKI domain 1, specify the trusted CA as ca server, the URL of the registration server as
http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request as RA, and the entity for
certificate request as en.
[Device] pki domain 1
[Device-pki-domain-1] ca identifier ca server
[Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Device-pki-domain-1] certificate request from ra
[Device-pki-domain-1] certificate request entity en
[Device-pki-domain-1] quit
# Create the local RSA key pairs.
[Device] public-key local create rsa
# Retrieve the CA certificate. SCEP delivers the CA certificate over plain HTTP, so before accepting it compare its fingerprint with the value obtained from the CA administrator out of band; a substituted CA certificate would let an attacker issue certificates that the device trusts.
[Device] pki retrieval-certificate ca domain 1
# Request a local certificate for Device.
[Device] pki request-certificate domain 1
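Because the device fetches the CA certificate with an unauthenticated HTTP GET, the only thing standing between it and a substituted CA is the out-of-band fingerprint comparison, and the local certificate it then receives must actually carry the names configured on entity en. The following shell example is added here and is not from the H3C guide and not device CLI: on a workstation with openssl it builds a disposable CA and a certificate with the same common name and FQDN as entity en, and then runs the checks an administrator would apply to the real certificates obtained from the CA (pinned CA fingerprint, chain validity, subject common name, FQDN in subjectAltName). The file names, the CA subject, the key size and the validity period are assumed lab values.

```shell
#!/bin/sh
# Added example, not part of the H3C guide: an offline stand-in for the
# certificates that Device obtains from the CA in Figure 65, plus the checks
# an administrator should run on them. Assumes openssl is installed; the CA
# subject, key size, validity period and file names are arbitrary lab values.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a throw-away CA and issue a certificate shaped like the one PKI
# entity "en" requests: CN=http-server1 with SAN ssl.security.com.
make_lab_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=ca server" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=http-server1" \
        -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null
    # The FQDN goes into subjectAltName; -extfile works on OpenSSL 1.1.1 and 3.x.
    printf 'subjectAltName=DNS:ssl.security.com\nextendedKeyUsage=serverAuth\n' \
        > "$WORK/device.ext"
    openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 10 -extfile "$WORK/device.ext" \
        -out "$WORK/device.crt" 2>/dev/null
}

# SHA-256 fingerprint of a certificate, printed as "AB:CD:...". This is the
# value an administrator reads from the CA out of band and compares with
# what the device fetched, because SCEP GetCACert runs over plain HTTP.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# verify_device_cert CERT CA_CERT PINNED_FP
# Refuses the CA certificate if its fingerprint is not the pinned one, then
# checks that CERT chains to it and carries the identity configured on the
# Device (common name http-server1, FQDN ssl.security.com). Prints "ok" and
# returns 0 only if every check passes.
verify_device_cert() {
    cert="$1"; ca="$2"; pinned_fp="$3"
    [ "$(cert_fingerprint "$ca")" = "$pinned_fp" ] \
        || { echo "CA fingerprint mismatch: refuse to trust $ca"; return 1; }
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not chain to the pinned CA"; return 1; }
    openssl x509 -in "$cert" -noout -subject | grep -q 'CN *= *http-server1' \
        || { echo "unexpected subject in $cert"; return 1; }
    openssl x509 -in "$cert" -noout -text | grep -q 'DNS:ssl.security.com' \
        || { echo "FQDN ssl.security.com missing from subjectAltName"; return 1; }
    echo ok
}

# Stand-alone run: build the lab PKI, record the CA fingerprint as the
# administrator would, then check the issued certificate against it.
make_lab_pki
PINNED_FP="$(cert_fingerprint "$WORK/ca.crt")"
echo "CA fingerprint: $PINNED_FP"
verify_device_cert "$WORK/device.crt" "$WORK/ca.crt" "$PINNED_FP"
# The same CA certificate checked against a fingerprint that was not pinned is rejected.
verify_device_cert "$WORK/device.crt" "$WORK/ca.crt" "00:00:00" || echo "rejected, as expected"
```

Run it with sh; set WORK to a directory of your choice to keep the generated files. To check real certificates, point verify_device_cert at the CA and local certificates obtained from the CA and pass the fingerprint the CA administrator gave you as the third argument.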
# Create an SSL server policy named myssl.