HP A 5120 Manual

Here you can view all the pages of manual HP A 5120 Manual. The HP manuals for Switch are available online for free. You can easily download all the documents as PDF.

Page 201

 
| To do… | Use the command… | Remarks |
|---|---|---|
| Configure the locality for the entity | locality locality-name | Optional. No locality is specified by default. |
| Configure the organization name for the entity | organization org-name | Optional. No organization is specified by default. |
| Configure the unit name for the entity | organization-unit org-unit-name | Optional. No unit is specified by default. |
| Configure the state or province for the entity | state state-name | Optional. No state or province is specified by... |

Page 202

 
Follow these steps to configure a PKI domain: 
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create a PKI domain and enter its view | pki domain domain-name | Required. No PKI domain exists by default. |
| Specify the trusted CA | ca identifier name | Required. No trusted CA is specified by default. |
| Specify the entity for certificate request | certificate request entity entity-name | Required. No entity is specified by default. The specified entity must exist. |
Specify the authority...

Page 203

 
submitted to a CA in an online mode or an offline mode. In offline mode, a certificate request is submitted to a CA by an "out-of-band" means such as phone, disk, or email.
An online certificate request can be submitted in manual mode or auto mode.
Submitting a certificate request in auto mode
In auto mode, an entity automatically requests a certificate from the CA server if it has no local certificate for an application working with PKI, and then retrieves the certificate...

Page 204

 
| To do… | Use the command… | Remarks |
|---|---|---|
| Generate a local RSA key pair | public-key local create rsa | Required. No local RSA key pair exists by default. |
| Submit a local certificate request manually | pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ] | Required |

NOTE:
If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local...

Page 205

 
CAUTION:
• If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction helps avoid inconsistency between the certificate and registration information resulting from configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and the local certificate first.
• The pki retrieval-certificate configuration will not be saved in the configuration file.
• Be sure that the...

Page 206

 
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter PKI domain view | pki domain domain-name | — |
| Disable CRL checking | crl check disable | Required. Enabled by default. |
| Return to system view | quit | — |
| Retrieve the CA certificate | See "Retrieving a certificate manually" | Required |
| Verify the validity of the certificate | pki validate-certificate { ca \| local } domain domain-name | Required |

NOTE:
The CRL update period refers to the interval at which the entity downloads CRLs from the CRL server. The CRL update...

Page 207

 
Configuring an access control policy 
A certificate attribute-based access control policy can further control access to the server, providing additional security for the server.
Follow these steps to configure a certificate attribute-based access control policy:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create a certificate attribute group and enter its view | pki certificate attribute-group group-name | Required. No certificate attribute group exists by... |

Page 208

 
 
PKI configuration examples 
 
CAUTION:
• When the CA uses Windows Server, the SCEP add-on is required, and you must use the certificate request from ra command to specify that the entity request a certificate from an RA.
• When the CA uses RSA Keon, the SCEP add-on is not required, and you must use the certificate request from ca command to specify that the entity request a certificate from a CA.

Requesting a certificate from a CA running RSA Keon
NOTE:
The CA server runs RSA Keon...

Page 209

 
2. Configure the switch 
• Configure the entity DN
# Configure the entity name as aaa and the common name as switch.
<Switch> system-view
[Switch] pki entity aaa
[Switch-pki-entity-aaa] common-name switch
[Switch-pki-entity-aaa] quit
• Configure the PKI domain
# Create PKI domain torsa and enter its view.
[Switch] pki domain torsa
# Configure the name of the trusted CA as myca.
[Switch-pki-domain-torsa] ca identifier myca
# Configure the URL of the registration server in the format of...

Page 210

 
Is the finger print correct?(Y/N):y 
 
Saving CA/RA certificates chain, please wait a moment...... 
CA certificates retrieval success. 
# Retrieve CRLs and save them locally. 
[Switch] pki retrieval-crl domain torsa 
Connecting to server for retrieving CRL. Please wait a while..... 
CRL retrieval success! 
# Request a local certificate manually. 
[Switch] pki request-certificate domain torsa challenge-word 
Certificate is being requested, please wait...... 
[Switch] 
Enrolling the local...