Example: Requesting a certificate from an RSA Keon CA server
Network configuration
Configure the PKI entity (the device) to request a local certificate from the CA server.
Figure 104: Network diagram
Configuring the RSA Keon CA server
Create a CA server named myca:
In this example, you must configure these basic attributes on the CA server:
Nickname—Name of the trusted CA.
Subject DN—DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C).
You can use the default values for other attributes.
Configure extended attributes:
Configure parameters in the Jurisdiction Configuration section on the management page of the CA server:
Select the correct extension profiles.
Enable the SCEP autovetting function to enable the CA server to automatically approve certificate requests without manual intervention.
Specify the IP address list for SCEP autovetting.
Configuring the device
Synchronize the system time of the device with the CA server for the device to correctly request certificates or obtain CRLs. (Details not shown.)
Create an entity named aaa and set the common name to Device.
<Device> system-view [Device] pki entity aaa [Device-pki-entity-aaa] common-name Device [Device-pki-entity-aaa] quit
Configure a PKI domain:
# Create a PKI domain named torsa and enter its view.
[Device] pki domain torsa
# Specify the name of the trusted CA. The setting must be the same as CA name configured on the CA server. This example uses myca.
[Device-pki-domain-torsa] ca identifier myca
# Configure the URL of the CA server. The URL format is http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server.
[Device-pki-domain-torsa] certificate request url http://1.1.2.22:446/80f6214aa8865301d07929ae481c7ceed99f95bd
# Configure the device to send certificate requests to ca.
[Device-pki-domain-torsa] certificate request from ca
# Set the PKI entity name to aaa.
[Device-pki-domain-torsa] certificate request entity aaa
# Specify the URL of the CRL repository.
[Device-pki-domain-torsa] crl url ldap://1.1.2.22:389/CN=myca
# Specify a 1024-bit general-purpose RSA key pair named abc for certificate request.
[Device-pki-domain-torsa] public-key rsa general name abc length 1024 [Device-pki-domain-torsa] quit
Generate the RSA key pair.
[Device] public-key local create rsa name abc The range of public key modulus is (512 ~ 2048). If the key modulus is greater than 512,it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys... ..........................++++++ .....................................++++++ Create the key pair successfully.
Request a local certificate:
# Obtain the CA certificate and save it locally.
[Device] pki retrieve-certificate domain torsa ca The trusted CA's finger print is: MD5 fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8 Is the finger print correct?(Y/N):y Retrieved the certificates successfully.
# Submit a certificate request manually and set the certificate revocation password to 1111. The certificate revocation password is required when an RSA Keon CA server is used.
[Device] pki request-certificate domain torsa password 1111 Start to request general certificate ... …… Request certificate of domain torsa successfully
Verifying the configuration
# Display information about the local certificate in PKI domain torsa.
[Device] display pki certificate domain torsa local Certificate: Data: Version: 3 (0x2) Serial Number: 15:79:75:ec:d2:33:af:5e:46:35:83:bc:bd:6e:e3:b8 Signature Algorithm: sha1WithRSAEncryption Issuer: CN=myca Validity Not Before: Jan 6 03:10:58 2013 GMT Not After : Jan 6 03:10:58 2014 GMT Subject: CN=Device Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:ab:45:64:a8:6c:10:70:3b:b9:46:34:8d:eb:1a: a1:b3:64:b2:37:27:37:9d:15:bd:1a:69:1d:22:0f: 3a:5a:64:0c:8f:93:e5:f0:70:67:dc:cd:c1:6f:7a: 0c:b1:57:48:55:81:35:d7:36:d5:3c:37:1f:ce:16: 7e:f8:18:30:f6:6b:00:d6:50:48:23:5c:8c:05:30: 6f:35:04:37:1a:95:56:96:21:95:85:53:6f:f2:5a: dc:f8:ec:42:4a:6d:5c:c8:43:08:bb:f1:f7:46:d5: f1:9c:22:be:f3:1b:37:73:44:f5:2d:2c:5e:8f:40: 3e:36:36:0d:c8:33:90:f3:9b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points: Full Name: DirName: CN = myca Signature Algorithm: sha1WithRSAEncryption b0:9d:d9:ac:a0:9b:83:99:bf:9d:0a:ca:12:99:58:60:d8:aa: 73:54:61:4b:a2:4c:09:bb:9f:f9:70:c7:f8:81:82:f5:6c:af: 25:64:a5:99:d1:f6:ec:4f:22:e8:6a:96:58:6c:c9:47:46:8c: f1:ba:89:b8:af:fa:63:c6:c9:77:10:45:0d:8f:a6:7f:b9:e8: 25:90:4a:8e:c6:cc:b8:1a:f8:e0:bc:17:e0:6a:11:ae:e7:36: 87:c4:b0:49:83:1c:79:ce:e2:a3:4b:15:40:dd:fe:e0:35:52: ed:6d:83:31:2c:c2:de:7c:e0:a7:92:61:bc:03:ab:40:bd:69: 1b:f5
To display detailed information about the CA certificate, use the display pki certificate domain command.