Certificate request from an RSA Keon CA server

Network requirements

The device submits a local certificate request to the CA server. The device acquires the CRLs for certificate verification.

Figure 81: Network diagram

Configuring the CA server

  • Create a CA server named myca:

    In this example, you need to configure these basic attributes on the CA server first:

    The other attributes can be left at their default values.

  • Configure extended attributes:

    After configuring the basic attributes, you need to configure the jurisdiction configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting.

  • Configure the CRL distribution behavior:

    After completing the configuration, you need to perform the CRL-related configuration. In this example, select the local CRL distribution mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl.

After the configuration, make sure the system clock of the device is synchronized with that of the CA, so that the device can request certificates and retrieve CRLs properly.

Configuring the device

  • Configure the entity name as aaa and the common name as device:

    <Device> system-view
    [Device] pki entity aaa
    [Device-pki-entity-aaa] common-name device
    [Device-pki-entity-aaa] quit
    
  • Configure the PKI domain:

    # Create PKI domain torsa and enter its view.

    [Device] pki domain torsa
    

    # Configure the name of the trusted CA as myca.

    [Device-pki-domain-torsa] ca identifier myca
    

    # Configure the URL of the registration server in the format of http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server.

    [Device-pki-domain-torsa] certificate request url http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337
    

    # Set the registration authority to CA.

    [Device-pki-domain-torsa] certificate request from ca
    

    # Specify the entity for certificate request as aaa.

    [Device-pki-domain-torsa] certificate request entity aaa
    

    # Configure the URL for the CRL distribution point.

    [Device-pki-domain-torsa] crl url http://4.4.4.133:447/myca.crl
    [Device-pki-domain-torsa] quit
    
  • Generate a local key pair using RSA:

    [Device] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512,
    It will take a few minutes.
    Press CTRL+C to abort.
    Input the bits in the modulus [default = 1024]:
    Generating Keys...
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++++++++++++++++++++++++++
    +++++++++++++++++++++++
    
    
  • Apply for certificates:

    # Retrieve the CA certificate and save it locally.

    [Device] pki retrieval-certificate ca domain torsa
    Retrieving CA/RA certificates. Please wait a while......
    The trusted CA's finger print is:
        MD5  fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
        SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
    
    Is the finger print correct?(Y/N):y
    
    Saving CA/RA certificates chain, please wait a moment......
    CA certificates retrieval success.
    

    # Retrieve CRLs and save them locally.

    [Device] pki retrieval-crl domain torsa
    Connecting to server for retrieving CRL. Please wait a while.....
    CRL retrieval success!
    

    # Request a local certificate manually.

    [Device] pki request-certificate domain torsa challenge-word
    Certificate is being requested, please wait......
    [Device]
    Enrolling the local certificate,please wait a while......
    Certificate request Successfully!
    Saving the local certificate to device......
    Done!
    

Verifying the configuration

    # Display information about the retrieved local certificate.

    [Device] display pki certificate local domain torsa
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                9A96A48F 9A509FD7 05FFF4DF 104AD094
            Signature Algorithm: sha1WithRSAEncryption
            Issuer:
                C=cn
                O=org
                OU=test
                CN=myca
            Validity
                Not Before: Jan  8 09:26:53 2012 GMT
                Not After : Jan  8 09:26:53 2012 GMT
            Subject:
                CN=device
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00D67D50 41046F6A 43610335 CA6C4B11
                        F8F89138 E4E905BD 43953BA2 623A54C0
                        EA3CB6E0 B04649CE C9CDDD38 34015970
                        981E96D9 FF4F7B73 A5155649 E583AC61
                        D3A5C849 CBDE350D 2A1926B7 0AE5EF5E
                        D1D8B08A DBF16205 7C2A4011 05F11094
                        73EB0549 A65D9E74 0F2953F2 D4F0042F
                        19103439 3D4F9359 88FB59F3 8D4B2F6C
                        2B
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 CRL Distribution Points:
                URI:http://4.4.4.133:447/myca.crl
    
        Signature Algorithm: sha1WithRSAEncryption
            836213A4 F2F74C1A 50F4100D B764D6CE
            B30C0133 C4363F2F 73454D51 E9F95962
            EDE9E590 E7458FA6 765A0D3F C4047BC2
            9C391FF0 7383C4DF 9A0CCFA9 231428AF
            987B029C C857AD96 E4C92441 9382E798
            8FCC1E4A 3E598D81 96476875 E2F86C33
            75B51661 B6556C5E 8F546E97 5197734B
            C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C
    

You can also use the display pki certificate ca domain and display pki crl domain commands to display detailed information about the CA certificate and the CRLs.
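Two things this example depends on, that the issued certificate points back at the configured ca identifier and crl url and that the device clock lies inside the validity period, can be checked mechanically against the display output. The Python below is an added example, not part of the original guide or of Comware; it uses the page's own display output as constructed input and treats the SHA-1 signature algorithm shown there as a finding worth reporting.

```python
import re
from datetime import datetime, timezone
# Constructed sample: the page's "display pki certificate local domain torsa" output, trimmed.
DISPLAY_OUTPUT = """\
Certificate:
    Data:
        Serial Number:
            9A96A48F 9A509FD7 05FFF4DF 104AD094
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            C=cn
            O=org
            OU=test
            CN=myca
        Validity
            Not Before: Jan  8 09:26:53 2012 GMT
            Not After : Jan  8 09:26:53 2012 GMT
        X509v3 extensions:
            X509v3 CRL Distribution Points:
            URI:http://4.4.4.133:447/myca.crl
"""
TIME_FMT = "%b %d %H:%M:%S %Y GMT"   # the display format, e.g. "Jan  8 09:26:53 2012 GMT"

def parse_certificate_display(text):
    """Extract the fields the consistency check needs from the CLI output."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1).strip() if m else None
    def when(label):   # validity timestamps are GMT; turn them into aware datetimes
        return datetime.strptime(grab(label + r"\s*:\s*(.+)"), TIME_FMT).replace(tzinfo=timezone.utc)
    issuer = dict(l.strip().split("=", 1) for l in grab(r"Issuer:\n((?:[ \t]+\w+=.*\n)+)").splitlines())
    return {"serial": grab(r"Serial Number:\n\s+(.+)"),
            "sig_alg": grab(r"Signature Algorithm: (\S+)"),
            "issuer_cn": issuer.get("CN"),
            "not_before": when("Not Before"), "not_after": when("Not After"),
            "crl_dp": grab(r"CRL Distribution Points:\s*URI:(\S+)")}

def check_domain_consistency(cert, ca_identifier, crl_url, now):
    """Compare the certificate with the PKI domain settings and the device clock; returns findings."""
    findings = []
    if cert["issuer_cn"] != ca_identifier:
        findings.append(f"issuer CN {cert['issuer_cn']!r} != ca identifier {ca_identifier!r}")
    if cert["crl_dp"] != crl_url:
        findings.append(f"certificate CRL DP {cert['crl_dp']!r} != configured crl url {crl_url!r}")
    if not cert["not_before"] <= now <= cert["not_after"]:
        findings.append("device clock outside the validity period: check clock sync with the CA")
    if cert["sig_alg"].lower().startswith("sha1"):
        findings.append(f"{cert['sig_alg']}: SHA-1 certificate signatures are deprecated")
    return findings
```

With the page's output and a clock equal to Not Before, the only finding is the SHA-1 signature; a skewed clock or a mismatched ca identifier or crl url each add a finding.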