251
Configuration guidelines
•
Up to two PKI domains can be created on a switch.
•
The CA name is required only when you retrieve a CA certificate. It is not used when in local
certificate request.
•
The certificate request URL does not support domain name resolution.
Configuration procedure
To configure a PKI domain:
Step Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Create a PKI domain and
enter its view.
pki domain
domain-name
No PKI domain exists by default.
3.
Specify the trusted CA.
ca
identifier
name
No trusted CA is specified by
default.
4.
Specify the entity for
certificate request.
certificate request entity
entity-name
No entity is specified by default.
The specified entity must exist.
5.
Specify the authority for
certificate request.
certificate request from
{
ca
|
ra
}
No authority is specified by
default.
6.
Configure the certificate
request URL.
certificate request url
url-string
No certificate request URL is
configured by default.
7.
Configure the polling interval
and attempt limit for querying
the certificate request status.
certificate request polling
{
count
count
|
interval
minutes
}
Optional.
The polling is executed for up to 50
times at the interval of 20 minutes
by default.
8.
Specify the LDAP server.
ldap-server
ip
ip-address
[
port
port-number
] [
version
version-number
]
Optional.
No LDP server is specified by
default.
9.
Configure the fingerprint for
root certificate verification.
root-certificate fingerprint
{
md5
|
sha1
}
string
Required when the certificate
request mode is auto and optional
when the certificate request mode
is manual. In the latter case, if you
do not configure this command, the
fingerprint of the root certificate
must be verified manually.
No fingerprint is configured by
default.
Submitting a PKI certificate request
When requesting a certificate, an entity introduces itself to the CA by providing its identity information
and public key, which will be the major components of the certificate. A certificate request can be
submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to
a CA by an "out-of-band" means such as phone, disk, or email.