• Fingerprint for root certificate verification—After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity rejects the root certificate.
To configure a PKI domain:

| Step | To do… | Use the command… | Remarks |
|---|---|---|---|
| 1 | Enter system view. | `system-view` | — |
| 2 | Create a PKI domain and enter its view. | `pki domain domain-name` | Required. No PKI domain exists by default. |
| 3 | Specify the trusted CA. | `ca identifier name` | Required. No trusted CA is specified by default. |
| 4 | Specify the entity for certificate request. | `certificate request entity entity-name` | Required. No entity is specified by default. The specified entity must exist. |
| 5 | Specify the authority for certificate request. | `certificate request from { ca \| ra }` | Required. No authority is specified by default. |
| 6 | Configure the certificate request URL. | `certificate request url url-string` | Required. No certificate request URL is configured by default. |
| 7 | Configure the polling interval and attempt limit for querying the certificate request status. | `certificate request polling { count count \| interval minutes }` | Optional. By default, polling is performed up to 50 times at an interval of 20 minutes. |
| 8 | Specify the LDAP server. | `ldap-server ip ip-address [ port port-number ] [ version version-number ]` | Optional. No LDAP server is specified by default. |
| 9 | Configure the fingerprint for root certificate verification. | `root-certificate fingerprint { md5 \| sha1 } string` | Required when the certificate request mode is `auto`, and optional when the certificate request mode is `manual`. In the latter case, if you do not configure this command, the fingerprint of the root certificate must be verified manually. No fingerprint is configured by default. |
Up to two PKI domains can be created on a switch.
The CA name is required only when you retrieve a CA certificate. It is not used for local certificate requests.
The certificate request URL does not support domain name resolution.
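The fingerprint check that step 9 configures, modelled as an added example (not code from the switch or its documentation): the string given to `root-certificate fingerprint { md5 | sha1 } string` is normalized and length-checked, the hash of the received certificate's DER bytes is computed, and the certificate is accepted or rejected exactly as the table describes for the `auto` and `manual` request modes. The DER bytes below are a constructed stand-in, not a real certificate.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the DER-encoded root certificate received from the
# CA. On a real device this would be the full certificate; the fingerprint is
# the hash over exactly these bytes, so any tampering changes it.
ROOT_CERT_DER = bytes.fromhex("308201a230820108a003020102020101")

# Hex-digit length of each fingerprint algorithm the command accepts.
FINGERPRINT_HEX_LEN = {"md5": 32, "sha1": 40}


def parse_fingerprint(algorithm, fingerprint_string):
    """Normalize a configured fingerprint (plain or colon-separated hex) and
    check that it has the right length for the chosen algorithm."""
    algorithm = algorithm.lower()
    if algorithm not in FINGERPRINT_HEX_LEN:
        raise ValueError(f"unsupported fingerprint algorithm: {algorithm!r}")
    digest = fingerprint_string.replace(":", "").lower()
    expected_len = FINGERPRINT_HEX_LEN[algorithm]
    if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) != expected_len:
        raise ValueError(f"{algorithm} fingerprint must be {expected_len} hex digits")
    return algorithm, digest


def compute_fingerprint(algorithm, cert_der):
    """Fingerprint = hash of the certificate content (its DER encoding)."""
    return hashlib.new(algorithm, cert_der).hexdigest()


def verify_root_certificate(cert_der, request_mode, configured=None):
    """Apply the PKI domain rules: in auto mode a fingerprint must be
    configured; in manual mode a missing fingerprint means the operator
    must verify it by hand. Returns 'accepted', 'rejected' or
    'manual-verification-required'."""
    if configured is None:
        if request_mode == "auto":
            raise ValueError("auto request mode requires a configured fingerprint")
        return "manual-verification-required"
    algorithm, expected = parse_fingerprint(*configured)
    actual = compute_fingerprint(algorithm, cert_der)
    # Constant-time comparison; a mismatch rejects the root certificate.
    return "accepted" if hmac.compare_digest(actual, expected) else "rejected"
```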