Certificate request from an RSA Keon CA server
Network requirements
The switch submits a local certificate request to the CA server. The switch acquires the CRLs for certificate verification.
Figure 71: Network diagram
Configuring the CA server
Create a CA server named myca:
In this example, first configure these basic attributes on the CA server:
Nickname—Name of the trusted CA.
Subject DN—DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C).
Use the default values for the other attributes.
Configure extended attributes:
After configuring the basic attributes, configure the jurisdiction settings on the jurisdiction configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting.
Configure the CRL distribution behavior:
After completing the configuration, configure CRL distribution. In this example, select the local CRL distribution mode of Hypertext Transfer Protocol (HTTP) and set the HTTP URL to http://4.4.4.133:447/myca.crl.
After the configuration, make sure the system clock of the switch is synchronized with that of the CA, so that the switch can request certificates and retrieve CRLs properly.
Configuring the switch
Configure the entity name as aaa and the common name as device.
<Device> system-view
[Device] pki entity aaa
[Device-pki-entity-aaa] common-name device
[Device-pki-entity-aaa] quit
Configure the PKI domain:
# Create PKI domain torsa and enter its view.
[Device] pki domain torsa
# Configure the name of the trusted CA as myca.
[Device-pki-domain-torsa] ca identifier myca
# Configure the URL of the registration server in the format http://host:port/Issuing Jurisdiction ID, where the Issuing Jurisdiction ID is a hexadecimal string generated on the CA server.
[Device-pki-domain-torsa] certificate request url http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337
# Set the registration authority to CA.
[Device-pki-domain-torsa] certificate request from ca
# Specify the entity for certificate request as aaa.
[Device-pki-domain-torsa] certificate request entity aaa
# Configure the URL for the CRL distribution point.
[Device-pki-domain-torsa] crl url http://4.4.4.133:447/myca.crl
[Device-pki-domain-torsa] quit
Generate a local key pair using RSA:
[Device] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits in the modulus [default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++
Apply for certificates:
# Retrieve the CA certificate and save it locally.
[Device] pki retrieval-certificate ca domain torsa
Retrieving CA/RA certificates. Please wait a while......
The trusted CA's finger print is:
    MD5  fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
    SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment......
CA certificates retrieval success.
# Retrieve CRLs and save them locally.
[Device] pki retrieval-crl domain torsa
Connecting to server for retrieving CRL. Please wait a while.....
CRL retrieval success!
# Request a local certificate manually.
[Device] pki request-certificate domain torsa challenge-word
Certificate is being requested, please wait......
[Device]
Enrolling the local certificate,please wait a while......
Certificate request Successfully!
Saving the local certificate to device......
Done!
Verifying the configuration
# Display information about the retrieved local certificate.
[Device] display pki certificate local domain torsa
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      9A96A48F 9A509FD7 05FFF4DF 104AD094
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=cn O=org OU=test CN=myca
    Validity
      Not Before: Jan 8 09:26:53 2012 GMT
      Not After : Jan 8 09:26:53 2012 GMT
    Subject: CN=device
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
      RSA Public Key: (1024 bit)
        Modulus (1024 bit):
          00D67D50 41046F6A 43610335 CA6C4B11
          F8F89138 E4E905BD 43953BA2 623A54C0
          EA3CB6E0 B04649CE C9CDDD38 34015970
          981E96D9 FF4F7B73 A5155649 E583AC61
          D3A5C849 CBDE350D 2A1926B7 0AE5EF5E
          D1D8B08A DBF16205 7C2A4011 05F11094
          73EB0549 A65D9E74 0F2953F2 D4F0042F
          19103439 3D4F9359 88FB59F3 8D4B2F6C
          2B
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 CRL Distribution Points:
        URI:http://4.4.4.133:447/myca.crl
  Signature Algorithm: sha1WithRSAEncryption
    836213A4 F2F74C1A 50F4100D B764D6CE
    B30C0133 C4363F2F 73454D51 E9F95962
    EDE9E590 E7458FA6 765A0D3F C4047BC2
    9C391FF0 7383C4DF 9A0CCFA9 231428AF
    987B029C C857AD96 E4C92441 9382E798
    8FCC1E4A 3E598D81 96476875 E2F86C33
    75B51661 B6556C5E 8F546E97 5197734B
    C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C
You can also use display pki certificate ca domain and display pki crl domain to display detailed information about the CA certificate and CRLs. For more information about the commands, see Security Command Reference.
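The checks behind this procedure, as an added Go example that is not from the configuration guide or from the switch software: it computes the CA certificate fingerprints in the layout the "pki retrieval-certificate" prompt shows, so the operator can compare them with values obtained from the CA administrator before answering y (the fingerprint prompt is the only protection against an impostor CA during enrollment), and then verifies a local certificate the way the switch must before relying on it: validity window against the clock (the reason the clock must be synchronized with the CA), CA signature and freshness of the CRL, and absence of the certificate serial from the revoked list. The CA "myca", the certificate "device", and all keys, serials and dates are constructed in memory so the example runs offline; the CRL distribution point URL is the one used in the example above.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// caFingerprints returns the MD5 and SHA1 fingerprints of a DER-encoded CA
// certificate as "pki retrieval-certificate" prints them (upper-case hex in
// groups of four), for comparison with values obtained from the CA administrator.
func caFingerprints(caDER []byte) (md5fp, sha1fp string) {
	group := func(sum []byte) string {
		h := strings.ToUpper(fmt.Sprintf("%x", sum))
		var g []string
		for i := 0; i < len(h); i += 4 {
			g = append(g, h[i:i+4])
		}
		return strings.Join(g, " ")
	}
	m, s := md5.Sum(caDER), sha1.Sum(caDER)
	return group(m[:]), group(s[:])
}

// checkLocalCert mirrors the checks that need a synchronized clock: the local
// certificate's validity window, the CRL's CA signature and freshness, and the
// absence of the certificate's serial from the revoked list.
func checkLocalCert(leaf, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("certificate outside its validity period (check clock sync)")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale; retrieve a fresh CRL")
	}
	for _, rc := range crl.RevokedCertificates { // older field name, present since Go 1.19
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial is listed in the CRL")
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildToyPKI constructs an in-memory PKI (not a real CA server) so the example
// runs offline: CA "myca", local certificate "device", and a CRL generator that
// optionally lists the device serial. Keys, serials and dates are made up.
func buildToyPKI(now time.Time) (ca, leaf *x509.Certificate, caDER []byte, crl func(revoke bool) []byte) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	leafKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), SubjectKeyId: []byte{1, 2, 3, 4},
		Subject:   pkix.Name{CommonName: "myca", Organization: []string{"org"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA:      true, BasicConstraintsValid: true,
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER = must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	ca = must(x509.ParseCertificate(caDER))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(0x9A96A48F), Subject: pkix.Name{CommonName: "device"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		CRLDistributionPoints: []string{"http://4.4.4.133:447/myca.crl"}}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))
	leaf = must(x509.ParseCertificate(leafDER))
	crl = func(revoke bool) []byte {
		tmpl := &x509.RevocationList{Number: big.NewInt(1),
			ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(12 * time.Hour)}
		if revoke {
			tmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
		}
		return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
	}
	return ca, leaf, caDER, crl
}

func main() {
	now := time.Now()
	ca, leaf, caDER, crl := buildToyPKI(now)
	fmt.Println(caFingerprints(caDER))
	fmt.Println("current CRL:", checkLocalCert(leaf, ca, crl(false), now))
	fmt.Println("after revocation:", checkLocalCert(leaf, ca, crl(true), now))
}
```

Running the program prints the two fingerprints and then a nil result for the current CRL followed by an error once the device serial is listed; calling checkLocalCert with a clock that has drifted past the CRL's nextUpdate or the certificate's notAfter produces the same kind of failure the switch reports when its clock is not synchronized with the CA.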