Configuring a PKI domain

Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like SSL, and has only local significance. The PKI domain configured on a device is invisible to the CA and other devices, and each PKI domain has its own parameters.

A PKI domain is defined by these parameters:

To configure a PKI domain:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Create a PKI domain and enter its view.

pki domain domain-name

No PKI domain exists by default.

You can configure up to 32 PKI domains on a device.

3. Specify the trusted CA.

ca identifier name

No trusted CA is specified by default.

The CA name is required only when you retrieve a CA certificate. It is not used for local certificate request.

4. Specify the entity for certificate request.

certificate request entity entity-name

No entity is specified by default.

The specified entity must exist.

5. Specify the authority for certificate request.

certificate request from { ca | ra }

No authority is specified by default.

6. Configure the URL of the server for certificate request.

certificate request url url-string

No URL is configured by default.

The URL does not support domain name resolution.

7. Configure the polling interval and attempt limit for querying the certificate request status.

certificate request polling { count count | interval minutes }

Optional.

The polling is executed for up to 50 times at the interval of 20 minutes by default.

8. Specify the LDAP server.

ldap-server ip ip-address [ port port-number ] [ version version-number ]

Optional.

No LDP server is specified by default.

9. Configure the fingerprint for root certificate verification.

root-certificate fingerprint { md5 | sha1 } string

Required when the certificate request mode is auto and optional when the certificate request mode is manual. In the latter case, if you do not configure this command, the fingerprint of the root certificate must be verified manually.

No fingerprint is configured by default.