70
NOTE:
•
This example assumes that the CA is named new-ca, runs Windows Server, is installed with the Simple
Certificate Enrollment Protocol (SCEP) add-on.
•
Before performing the following configuration, make sure that the device, host, and CA can reach each
other.
1.
Configure the device to act as the HTTPS server
# Configure a PKI entity, configure the common name of the entity as
http-server1
, and the FQDN of the
entity as
ssl.security.com
.
<Device> system-view
[Device] pki entity en
[Device-pki-entity-en] common-name http-server1
[Device-pki-entity-en] fqdn ssl.security.com
[Device-pki-entity-en] quit
# Create a PKI domain, specify the trusted CA as
new-ca
, the URL of the server for certificate request as
http://10.1.2.2/certsrv/mscep/mscep.dll
, authority for certificate request as
RA
, and the entity for
certificate request as
en
.
[Device] pki domain 1
[Device-pki-domain-1] ca identifier new-ca
[Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Device-pki-domain-1] certificate request from ra
[Device-pki-domain-1] certificate request entity en
[Device-pki-domain-1] quit
# Create RSA local key pairs.
[Device] public-key loc al create rsa
# Retrieve the CA certificate from the certificate issuing server.
[Device] pki retrieval-certificate ca domain 1
# Request a local certificate from a CA through SCEP for the device.
[Device] pki request-certificate domain 1
# Create an SSL server policy
myssl
, specify PKI domain 1 for the SSL server policy, and enable
certificate-based SSL client authentication.
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain 1
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
# Create a certificate attribute group
mygroup1
, and configure a certificate attribute rule, specifying that
the Distinguished Name (DN) in the subject name includes the string of new-ca.
[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Device-pki-cert-attribute-group-mygroup1] quit
# Create a certificate attribute-based access control policy
myacp
. Configure a certificate
attribute-based access control rule, specifying that a certificate is considered valid when it matches an
attribute rule in certificate attribute group
myacp
.
[Device] pki certificate access-control-policy myacp
[Device-pki-cert-acp-myacp] rule 1 permit mygroup1