388
Return to Configuration task list for requesting a certificate manually.
Return to Configuration task list for requesting a certificate automatically.
PKI configuration example
Configuring a PKI entity to request a certificate from a CA
Network requirements
As shown in Figure 361, configure the Switch working as the PKI entity, so that:
ï‚· The Switch submits a local certificate request to the CA server, which runs the RSA Keon software.
ï‚· The Switch acquires CRLs for certificate verification.
Figure 361 Network diagram for configuring a PKI entity to request a certificate from a CA
Configuration procedure
1. Configure the CA server
# Create a CA server named myca.
In this example, you need to configure the basic attributes of Nickname and Subject DN on the CA server
at first:
ï‚· Nickname: Name of the trusted CA.
ï‚· Subject DN: DN information of the CA, including the Common Name (CN),
ï‚· Organization Unit (OU),
ï‚· Organization (O), and
ï‚· Country (C).
The other attributes may use the default values.
# Configure extended attributes
After configuring the basic attributes, you need to perform configuration on the Jurisdiction
Configuration page of the CA server. This includes selecting the proper extension profiles, enabling the
SCEP autovetting function, and adding the IP address list for SCEP autovetting.
# Configure the CRL publishing behavior
After completing the above configuration, you need to perform CRL related configurations.
In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to
http://4.4.4.133:447/myca.crl.
After the above configuration, make sure that the system clock of the Switch is synchronous to that of the
CA, so that the Switch can request certificates and retrieve CRLs properly.
2. Configure Switch
# Create a PKI entity.
To Next Page
Loading...
Need help?
General
