Configuring a PKI domain

A PKI domain contains the enrollment information for a PKI entity. It is locally significant and is intended only for reference by other applications, such as IKE and SSL.

To configure a PKI domain:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create a PKI domain and enter its view.
Command: pki domain domain-name
Remarks: By default, no PKI domains exist.

Step 3. Specify the trusted CA.
Command: ca identifier name
Remarks: By default, no trusted CA is specified.
To obtain a CA certificate, the trusted CA name must be provided.
The trusted CA name uniquely identifies the CA to be used when multiple CAs exist on the same CA server. The CA server's URL is specified with the certificate request url command.

Step 4. Specify the PKI entity name.
Command: certificate request entity entity-name
Remarks: By default, no entity is specified.

Step 5. Specify the type of authority that receives certificate requests.
Command: certificate request from { ca | ra }
Remarks: By default, no authority type is specified.

Step 6. Specify the certificate request URL.
Command: certificate request url url-string
Remarks: By default, no certificate request URL is specified.
Do not configure this command when you request a certificate in offline mode.

Step 7. (Optional.) Set the SCEP polling interval and the maximum number of polling attempts.
Command: certificate request polling { count count | interval minutes }
Remarks: By default, the switch polls the CA server for the certificate request status every 20 minutes, and the maximum number of polling attempts is 50.

Step 8. (Optional.) Specify the LDAP server.
Command: ldap-server host hostname [ port port-number ]
Remarks: This task is required only when the CRL repository is an LDAP server and the URL of the CRL repository does not contain the host name of the LDAP server.
By default, no LDAP server is specified.

Step 9. Enter a fingerprint to be matched against the fingerprint of the root CA certificate.
Command:
  • In non-FIPS mode: root-certificate fingerprint { md5 | sha1 } string
  • In FIPS mode: root-certificate fingerprint sha1 string
Remarks: Before a PKI entity can enroll with a CA, it must authenticate the CA by obtaining the CA's self-signed certificate and verifying the fingerprint of that certificate.
If no fingerprint is entered in the PKI domain and the CA certificate is imported or obtained through a manual certificate request, you must verify the fingerprint that is displayed during authentication of the CA certificate.
If the CA certificate is obtained through an automatic certificate request, the certificate is rejected if no fingerprint has been entered.
By default, no fingerprint is specified.

Step 10. Specify the key pair for the certificate request.
Command:
  • Specify an RSA key pair: public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] }
  • Specify an ECDSA key pair: public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ]
  • Specify a DSA key pair: public-key dsa name key-name [ length key-length ]
Remarks: The public-key ecdsa command is available in Release 1121 and later.
By default, no key pair is specified.
If the specified key pair does not exist, the PKI entity automatically creates it before submitting a certificate request.
For information about creating key pairs, see "Managing public keys."

Step 11. (Optional.) Specify the intended use for the certificate.
Command: usage { ike | ssl-client | ssl-server } *
Remarks: By default, the certificate can be used by all applications, including IKE, SSL clients, and SSL servers.
The extension options contained in an issued certificate depend on the CA policy and might differ from those specified in the PKI domain.

Step 12. (Optional.) Specify a source IP address for the PKI protocol packets.
Command:
  • Specify the source IPv4 address for the PKI protocol packets: source ip { ip-address | interface { interface-type interface-number } }
  • Specify the source IPv6 address for the PKI protocol packets: source ipv6 { ipv6-address | interface { interface-type interface-number } }
Remarks: This task is required if the CA policy requires the CA server to accept certificate requests only from a specific IP address or subnet.
By default, the source IP address of PKI protocol packets is the IP address of their outgoing interface.
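The fingerprint in step 9 is what stops the PKI entity from enrolling with an impostor CA, so the value entered must be derived from the CA certificate obtained out of band, not copied from whatever the switch displays. The following added example (not from the switch documentation) computes that value from a PEM certificate and compares it with a configured string; it assumes the fingerprint is the md5 or sha1 hash of the certificate's DER encoding, entered in hex with or without colon separators, and that md5 is unavailable in FIPS mode as the command syntax above indicates. The sample certificate is a constructed stand-in whose body decodes to the bytes "abc".

```python
import base64
import hashlib
import hmac
import re

# Added example, not from the switch documentation. Assumption: the
# fingerprint is the md5/sha1 hash of the certificate's DER encoding
# (what "openssl x509 -fingerprint" prints), entered in hex with or
# without colon separators.
PEM_BODY = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM certificate in the text to DER bytes."""
    m = PEM_BODY.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str, fips: bool = False) -> str:
    """Hex fingerprint of a DER certificate. md5 is refused in FIPS mode,
    mirroring the command's FIPS-mode syntax (sha1 only)."""
    algo = algo.lower()
    if algo not in ("md5", "sha1"):
        raise ValueError("algorithm must be md5 or sha1")
    if fips and algo == "md5":
        raise ValueError("md5 fingerprints are not available in FIPS mode")
    return hashlib.new(algo, der).hexdigest()


def normalize(fp: str) -> str:
    """Strip colons and whitespace and lower-case: 'A9:99' -> 'a999'."""
    return re.sub(r"[\s:]", "", fp).lower()


def fingerprint_matches(pem: str, algo: str, configured: str,
                        fips: bool = False) -> bool:
    """True if the configured string equals the certificate's fingerprint.
    Constant-time compare; a length mismatch is simply a mismatch."""
    actual = fingerprint(pem_to_der(pem), algo, fips)
    expected = normalize(configured)
    return len(expected) == len(actual) and hmac.compare_digest(actual, expected)


# Constructed sample: a PEM wrapper whose body decodes to b"abc", so the
# expected hashes are the well-known md5/sha1 test vectors for "abc".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
```

Run fingerprint() over the real root CA certificate obtained from the CA operator, and enter its output as the string argument of root-certificate fingerprint; fingerprint_matches() then reproduces the check the switch performs when the CA certificate arrives.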