Step | Command | Remarks
6. Include the device serial number in the identity information of the entity. | include serial-number | By default, the identity information of an entity does not include the device serial number.
7. Configure the IP address for the entity. | ip ip-address | Optional. No IP address is specified by default.
8. Configure the locality for the entity. | locality locality-name | Optional. No locality is specified by default.
9. Configure the organization name for the entity. | organization org-name | Optional. No organization is specified by default.
10. Configure the unit name for the entity. | organization-unit org-unit-name | Optional. No unit is specified by default.
11. Configure the state or province for the entity. | state state-name | Optional. No state or province is specified by default.
NOTE:
The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the entity DN in a certificate request goes beyond a certain limit, the server will not respond to the certificate request.
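The NOTE warns that an over-long entity DN can leave a request unanswered but gives no figure, so it helps to measure the DN before enrolling. The following Python script is an added example, not code from this guide: it DER-encodes an X.509 subject Name from the entity fields in the table above (common name, country, state, locality, organization, unit, and the optional serial number) and reports the encoded size against a limit you supply. The limit value, the sample entity values and the helper names are assumptions; the FQDN and IP address are assumed to be carried in subjectAltName and are not counted.

```python
# X.520 attribute type OIDs (2.5.4.x) keyed by the usual short names.
_OIDS = {
    "CN": (2, 5, 4, 3), "serialNumber": (2, 5, 4, 5), "C": (2, 5, 4, 6),
    "L": (2, 5, 4, 7), "ST": (2, 5, 4, 8), "O": (2, 5, 4, 10), "OU": (2, 5, 4, 11),
}
# RFC 5280 requires PrintableString for countryName and serialNumber; UTF8String elsewhere.
_PRINTABLE = {"C", "serialNumber"}


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_oid(arcs) -> bytes:
    # All arcs used here are < 128, so every arc after the first pair is one octet.
    return _tlv(0x06, bytes([40 * arcs[0] + arcs[1]] + list(arcs[2:])))


def encode_name(attrs) -> bytes:
    """Encode [(short_name, value), ...] as a DER Name (SEQUENCE OF single-valued RDN SETs)."""
    rdns = b""
    for short, value in attrs:
        string_tag = 0x13 if short in _PRINTABLE else 0x0C
        atv = _tlv(0x30, _der_oid(_OIDS[short]) + _tlv(string_tag, value.encode("utf-8")))
        rdns += _tlv(0x31, atv)
    return _tlv(0x30, rdns)


def dn_length_report(attrs, limit: int) -> dict:
    """Encoded DN size and whether it stays within the caller-supplied limit (assumed value)."""
    n = len(encode_name(attrs))
    return {"der_length": n, "limit": limit, "within_limit": n <= limit}


# Constructed sample entity with the device serial number included (step 6 above).
EXAMPLE_ENTITY = [
    ("C", "US"), ("ST", "California"), ("L", "Palo Alto"), ("O", "Example Corp"),
    ("OU", "Network"), ("CN", "switch1"), ("serialNumber", "SN12345678"),
]

if __name__ == "__main__":
    print(dn_length_report(EXAMPLE_ENTITY, limit=128))  # 128 is a placeholder limit
```

Leaving out optional fields such as the serial number or state shortens the DN; the report shows how much each field costs in the encoded request.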
Configuring a PKI domain
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance. The PKI domain configured on a device is invisible to the CA and other devices, and each PKI domain has its own parameters.
A PKI domain is defined by these parameters:
• Trusted CA—An entity requests a certificate from a trusted CA.
• Entity—A certificate applicant uses an entity to provide its identity information to a CA.
• RA—Generally, an independent RA is in charge of certificate request management. It receives the registration request from an entity, examines its qualification, and determines whether to ask the CA to sign a digital certificate. The RA only examines the application qualification of an entity. It does not issue any certificate. Sometimes, the registration management function is provided by the CA, in which case no independent RA is required. Hewlett Packard Enterprise recommends that you deploy an independent RA.
• URL of the registration server—An entity sends a certificate request to the registration server through SCEP, a dedicated protocol for an entity to communicate with a CA.
• Polling interval and count—After an applicant makes a certificate request, the CA might need a long period of time if it verifies the certificate request manually. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed. You can configure the polling interval and count to query the request status.
• IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you need to configure the IP address of the LDAP server.