Configuring a PKI domain
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is only intended for convenient reference by applications like SSL, and only has local significance. A PKI domain configured on a switch is invisible to the CA and other switches, and each PKI domain has its own parameters.
A PKI domain defines these parameters:
Trusted CA—An entity requests a certificate from a trusted CA.
Entity—A certificate applicant uses an entity to provide its identity information to a CA.
RA—Generally, an independent RA is in charge of certificate request management. It receives the registration request from an entity, examines its qualification, and determines whether to ask the CA to sign a digital certificate. The RA only examines the application qualification of an entity; it does not issue any certificate. Sometimes, the registration management function is provided by the CA, in which case no independent RA is required. It is a good practice to deploy an independent RA.
URL of the registration server—An entity sends a certificate request to the registration server through Simple Certification Enrollment Protocol (SCEP), a dedicated protocol for an entity to communicate with a CA. This URL is also called the certificate request URL.
Polling interval and count—After an applicant makes a certificate request, the CA might need a long period of time if it verifies the certificate request manually. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed. You can configure the polling interval and count to query the request status.
IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you must configure the IP address of the LDAP server.
Fingerprint for root certificate verification—After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.