246
• Fingerprint for root certificate verification—After receiving the root certificate of the CA, an
entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root
certificate content. This hash value is unique to every certificate. If the fingerprint of the root
certificate does not match the one configured for the PKI domain, the entity will reject the root
certificate.
To configure a PKI domain:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Create a PKI domain and
enter its view.
pki domain
domain-name
No PKI domain exists by default.
You can configure up to 32 PKI
domains on a device.
3. Specify the trusted CA.
ca
identifier
name
No trusted CA is specified by
default.
The CA name is required only
when you retrieve a CA
certificate. It is not used for local
certificate request.
4. Specify the entity for
certificate request.
certificate request entity
entity-name
No entity is specified by default.
The specified entity must exist.
5. Specify the authority for
certificate request.
certificate request from
{
ca
|
ra
}
No authority is specified by
default.
6. Configure the URL of the
server for certificate request.
certificate request url
url-string
No URL is configured by default.
The URL does not support
domain name resolution.
7. Configure the polling interval
and attempt limit for querying
the certificate request status.
certificate request polling
{
count
count |
interval
minutes }
Optional.
The polling is executed for up to
50 times at the interval of 20
minutes by default.
8. Specify the LDAP server.
ldap-server
ip
ip-address [
port
port-number ] [
version
version-number ]
Optional.
No LDP server is specified by
default.
9. Configure the fingerprint for
root certificate verification.
root-certificate fingerprint
{
md5
|
sha1
} string
Required when the certificate
request mode is auto and optional
when the certificate request mode
is manual. In the latter case, if you
do not configure this command,
the fingerprint of the root
certificate must be verified
manually.
No fingerprint is configured by
default.
Requesting a PKI certificate
When requesting a certificate, an entity introduces itself to the CA by providing its identity information
and public key, which will be the major components of the certificate. A certificate request can be
submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to
a CA by an "out-of-band" means such as phone, disk, or email.
Online certificate request falls into manual mode and auto mode.
To Next Page
Loading...
Need help?
General
