Example: Requesting a certificate from an RSA Keon CA server

Network configuration

Configure the PKI entity (the device) to request a local certificate from the CA server.

Figure 104: Network diagram

Configuring the RSA Keon CA server

  1. Create a CA server named myca:

    In this example, you must configure these basic attributes on the CA server:

    • Nickname—Name of the trusted CA.

    • Subject DN—DN attributes of the CA, including the common name (CN), organization unit (OU), organization (O), and country (C).

    You can use the default values for other attributes.

  2. Configure extended attributes:

    Configure parameters in the Jurisdiction Configuration section on the management page of the CA server:

    • Select the correct extension profiles.

    • Enable the SCEP autovetting function so that the CA server automatically approves certificate requests without manual intervention. Because no operator reviews an autovetted request, anyone who can reach the SCEP interface from an allowed address can obtain a certificate; keep the allowed address list as narrow as possible.

    • Specify the IP address list for SCEP autovetting (only requests from these addresses are approved automatically).

Configuring the device

  1. Synchronize the system time of the device with the CA server. Certificate validity periods and CRL update times are checked against the device clock, so a skewed clock makes valid certificates and CRLs appear expired or not yet valid. (Details not shown.)

  2. Create an entity named aaa and set the common name to Device.

    <Device> system-view
    [Device] pki entity aaa
    [Device-pki-entity-aaa] common-name Device
    [Device-pki-entity-aaa] quit
    
  3. Configure a PKI domain:

    # Create a PKI domain named torsa and enter its view.

    [Device] pki domain torsa
    

    # Specify the name of the trusted CA. The setting must be the same as the CA name configured on the CA server, because the device sends it as the CA identifier in its SCEP requests. This example uses myca.

    [Device-pki-domain-torsa] ca identifier myca
    

    # Configure the URL of the CA server. The URL format is http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server.

    [Device-pki-domain-torsa] certificate request url http://1.1.2.22:446/80f6214aa8865301d07929ae481c7ceed99f95bd
    

    # Configure the device to send certificate requests to the CA directly (the ca keyword) rather than to an RA.

    [Device-pki-domain-torsa] certificate request from ca
    

    # Set the PKI entity name to aaa.

    [Device-pki-domain-torsa] certificate request entity aaa
    

    # Specify the URL of the CRL repository.

    [Device-pki-domain-torsa] crl url ldap://1.1.2.22:389/CN=myca
    

    # Specify a 1024-bit general-purpose RSA key pair named abc for the certificate request. The example uses 1024 bits for illustration; the device accepts up to 2048 bits (see step 4), and 2048 bits should be used in practice because 1024-bit RSA is no longer considered secure.

    [Device-pki-domain-torsa] public-key rsa general name abc length 1024
    [Device-pki-domain-torsa] quit
    
  4. Generate the RSA key pair.

    [Device] public-key local create rsa name abc
    The range of public key modulus is (512 ~ 2048).
    If the key modulus is greater than 512,it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    ..........................++++++
    .....................................++++++
    Create the key pair successfully.
    
  5. Request a local certificate:

    # Obtain the CA certificate and save it locally. The certificate is fetched over plain HTTP, so the fingerprint prompt is the only step that binds the retrieved certificate to the intended CA: compare the displayed SHA1 fingerprint with the value obtained from the CA administrator through another channel, and answer Y only if it matches. This certificate is the trust anchor for every later certificate and CRL check in the domain.

    [Device] pki retrieve-certificate domain torsa ca
    The trusted CA's finger print is:
        MD5  fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
        SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
    Is the finger print correct?(Y/N):y
    Retrieved the certificates successfully.
    

    # Submit a certificate request manually and set the certificate revocation password to 1111. The certificate revocation password is required when an RSA Keon CA server is used; 1111 is used here only for illustration, and a production deployment should use a value that cannot be guessed, because whoever knows it can revoke the certificate.

    [Device] pki request-certificate domain torsa password 1111
    Start to request general certificate ...
    ……
    Request certificate of domain torsa successfully
    

Verifying the configuration

# Display information about the local certificate in PKI domain torsa.

[Device] display pki certificate domain torsa local
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            15:79:75:ec:d2:33:af:5e:46:35:83:bc:bd:6e:e3:b8
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=myca
        Validity
            Not Before: Jan  6 03:10:58 2013 GMT
            Not After : Jan  6 03:10:58 2014 GMT
        Subject: CN=Device
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ab:45:64:a8:6c:10:70:3b:b9:46:34:8d:eb:1a:
                    a1:b3:64:b2:37:27:37:9d:15:bd:1a:69:1d:22:0f:
                    3a:5a:64:0c:8f:93:e5:f0:70:67:dc:cd:c1:6f:7a:
                    0c:b1:57:48:55:81:35:d7:36:d5:3c:37:1f:ce:16:
                    7e:f8:18:30:f6:6b:00:d6:50:48:23:5c:8c:05:30:
                    6f:35:04:37:1a:95:56:96:21:95:85:53:6f:f2:5a:
                    dc:f8:ec:42:4a:6d:5c:c8:43:08:bb:f1:f7:46:d5:
                    f1:9c:22:be:f3:1b:37:73:44:f5:2d:2c:5e:8f:40:
                    3e:36:36:0d:c8:33:90:f3:9b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points:

                Full Name:
                  DirName: CN = myca

    Signature Algorithm: sha1WithRSAEncryption
        b0:9d:d9:ac:a0:9b:83:99:bf:9d:0a:ca:12:99:58:60:d8:aa:
        73:54:61:4b:a2:4c:09:bb:9f:f9:70:c7:f8:81:82:f5:6c:af:
        25:64:a5:99:d1:f6:ec:4f:22:e8:6a:96:58:6c:c9:47:46:8c:
        f1:ba:89:b8:af:fa:63:c6:c9:77:10:45:0d:8f:a6:7f:b9:e8:
        25:90:4a:8e:c6:cc:b8:1a:f8:e0:bc:17:e0:6a:11:ae:e7:36:
        87:c4:b0:49:83:1c:79:ce:e2:a3:4b:15:40:dd:fe:e0:35:52:
        ed:6d:83:31:2c:c2:de:7c:e0:a7:92:61:bc:03:ab:40:bd:69:
        1b:f5

To display detailed information about the CA certificate, use the display pki certificate domain torsa ca command (the ca keyword in place of local).
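The display output above is what an operator reads to confirm that the certificate came from the trusted CA, names the right entity and is currently valid. The following is an added example, not device or vendor code, that performs those checks over the printed text so they can be scripted (for instance from a configuration audit that collects the output over SSH): it parses the sample output shown on this page, compares Issuer with the ca identifier and Subject with the entity common name, checks the validity window against a supplied device time (the reason step 1 synchronises the clock), and flags the 1024-bit key and SHA-1 signature as weak. It assumes the field labels are formatted exactly as in this example's output; other firmware versions may print them differently.

```python
"""Audit checks over 'display pki certificate domain <name> local' output.

Added example, not device or vendor code. Assumed, not from the page: field
labels are matched as printed in this page's sample output.
"""
import re
from datetime import datetime, timezone

# Copied from the display output on this page (truncated after the key size).
SAMPLE_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            15:79:75:ec:d2:33:af:5e:46:35:83:bc:bd:6e:e3:b8
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=myca
        Validity
            Not Before: Jan  6 03:10:58 2013 GMT
            Not After : Jan  6 03:10:58 2014 GMT
        Subject: CN=Device
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""


def _field(text: str, label: str) -> str:
    """Return the value after 'label:' on its own line (first occurrence)."""
    match = re.search(rf"^\s*{re.escape(label)}\s*:\s*(.+?)\s*$", text, re.M)
    if not match:
        raise ValueError(f"field not found: {label}")
    return match.group(1)


def _when(value: str) -> datetime:
    """Parse the device's 'Jan  6 03:10:58 2013 GMT' (day padded with spaces)."""
    compact = " ".join(value.split())
    return datetime.strptime(compact, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_certificate(text: str) -> dict:
    """Extract the fields an operator checks by eye from the display output."""
    key_match = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not key_match:
        raise ValueError("field not found: Public-Key")
    return {
        "issuer": _field(text, "Issuer"),
        "subject": _field(text, "Subject"),
        "signature_algorithm": _field(text, "Signature Algorithm"),
        "not_before": _when(_field(text, "Not Before")),
        "not_after": _when(_field(text, "Not After")),
        "key_bits": int(key_match.group(1)),
    }


def check_certificate(text: str, ca_identifier: str, entity_cn: str, now_utc: str) -> list:
    """Return a list of problems; an empty list means the certificate passes.

    now_utc is the device clock as an ISO 8601 string, e.g. '2013-06-01T00:00:00'.
    """
    cert = parse_certificate(text)
    now = datetime.fromisoformat(now_utc).replace(tzinfo=timezone.utc)
    problems = []
    if cert["issuer"] != f"CN={ca_identifier}":
        problems.append(f"issuer {cert['issuer']!r} is not the trusted CA {ca_identifier!r}")
    if cert["subject"] != f"CN={entity_cn}":
        problems.append(f"subject {cert['subject']!r} is not the PKI entity {entity_cn!r}")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append(f"not valid at {now.isoformat()}: "
                        f"{cert['not_before'].date()} to {cert['not_after'].date()}")
    if cert["key_bits"] < 2048:
        problems.append(f"{cert['key_bits']}-bit RSA key is below the 2048-bit minimum")
    if "sha1" in cert["signature_algorithm"].lower():
        problems.append(f"{cert['signature_algorithm']} signature uses SHA-1, which is deprecated")
    return problems


if __name__ == "__main__":
    for problem in check_certificate(SAMPLE_OUTPUT, "myca", "Device", "2013-06-01T00:00:00"):
        print("WARN:", problem)
```

Against the sample output the checks report only the two weak-crypto findings; feeding a device time after January 2014 or a different ca identifier adds the corresponding failure, which is the condition a renewal or misconfiguration alert should key on.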