HP A 5120 Manual


    							 
• Configure the locality for the entity
  Command: locality locality-name
  Remarks: Optional. No locality is specified by default.
• Configure the organization name for the entity
  Command: organization org-name
  Remarks: Optional. No organization is specified by default.
• Configure the unit name for the entity
  Command: organization-unit org-unit-name
  Remarks: Optional. No unit is specified by default.
• Configure the state or province for the entity
  Command: state state-name
  Remarks: Optional. No state or province is specified by default.

NOTE:
• Up to two entities can be created on a device.
• The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the entity DN in a certificate request goes beyond a certain limit, the server will not respond to the certificate request.
Configuring a PKI domain
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is only intended for convenient reference by applications like IKE and SSL, and has only local significance. A PKI domain configured on a device is invisible to the CA and other devices.
A PKI domain defines these parameters:
• Trusted CA—An entity requests a certificate from a trusted CA.
• Entity—A certificate applicant uses an entity to provide its identity information to a CA.
• RA—Generally, an independent RA is in charge of certificate request management. It receives the registration request from an entity, checks its qualification, and determines whether to ask the CA to sign a digital certificate. The RA only checks the application qualification of an entity; it does not issue any certificate. Sometimes, the registration management function is provided by the CA, in which case no independent RA is required. It is a good practice to deploy an independent RA.
• URL of the registration server—An entity sends a certificate request to the registration server through Simple Certificate Enrollment Protocol (SCEP), a dedicated protocol for an entity to communicate with a CA. This URL is also called the certificate request URL.
• Polling interval and count—After an applicant makes a certificate request, the CA might need a long period of time if it verifies the certificate request manually. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed. You can configure the polling interval and count to query the request status.
• IP address of the LDAP server—An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you must configure the IP address of the LDAP server.
• Fingerprint for root certificate verification—Upon receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate—the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.
Follow these steps to configure a PKI domain:
1. Enter system view.
   Command: system-view
2. Create a PKI domain and enter its view.
   Command: pki domain domain-name
   Remarks: Required. No PKI domain exists by default.
3. Specify the trusted CA.
   Command: ca identifier name
   Remarks: Required. No trusted CA is specified by default.
4. Specify the entity for certificate request.
   Command: certificate request entity entity-name
   Remarks: Required. No entity is specified by default. The specified entity must exist.
5. Specify the authority for certificate request.
   Command: certificate request from { ca | ra }
   Remarks: Required. No authority is specified by default.
6. Configure the URL for certificate request.
   Command: certificate request url url-string
   Remarks: Required. No certificate request URL is configured by default.
7. Configure the polling interval and attempt limit for querying the certificate request status.
   Command: certificate request polling { count count | interval minutes }
   Remarks: Optional. By default, polling is executed up to 50 times at an interval of 20 minutes.
8. Specify the LDAP server.
   Command: ldap-server ip ip-address [ port port-number ] [ version version-number ]
   Remarks: Optional. No LDAP server is specified by default.
9. Configure the fingerprint for root certificate verification.
   Command: root-certificate fingerprint { md5 | sha1 } string
   Remarks: Required when the certificate request mode is auto; optional when the certificate request mode is manual. In manual mode, if you do not configure this command, the fingerprint of the root certificate must be verified manually. No fingerprint is configured by default.
     
NOTE:
• Up to two PKI domains can be created on a device.
• The CA name is required only when you retrieve a CA certificate. It is not used in a local certificate request.
• The certificate request URL does not support domain name resolution.
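The check behind the root-certificate fingerprint setting, as an added Python illustration (not code from this manual or the switch firmware): the entity hashes the DER-encoded root certificate with the configured algorithm, formats the result the way the switch displays fingerprints, and rejects the certificate on a mismatch. The certificate bytes and the configured fingerprint values are constructed sample data.

```python
"""Root certificate fingerprint verification (added illustration).

Models the PKI domain rule: the entity accepts the CA's root certificate
only if its fingerprint, computed with the algorithm chosen in
"root-certificate fingerprint { md5 | sha1 } string", matches the
configured value. Not code from the HP manual or the switch firmware.
"""
import hashlib
import hmac

# Constructed stand-in for a root certificate's DER bytes (not a real
# certificate). A fingerprint is the hash of the DER-encoded certificate.
ROOT_CERT_DER = bytes(range(256)) * 4

# Number of hex digits a fingerprint has for each supported algorithm.
HEX_DIGITS = {"md5": 32, "sha1": 40}


def fingerprint(cert_der: bytes, algorithm: str) -> str:
    """Return the fingerprint in the format the switch displays:
    upper-case hex split into 4-character groups, e.g. 'EDE9 0394 ...'."""
    if algorithm not in HEX_DIGITS:
        raise ValueError("algorithm must be 'md5' or 'sha1'")
    digest = hashlib.new(algorithm, cert_der).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalize(fp: str) -> str:
    """Reduce 'EDE9 0394 ...', 'ede90394...' or 'ED:E9:...' to bare upper-case
    hex so a configured string and a displayed string compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def verify_root_certificate(cert_der: bytes, algorithm: str,
                            configured_fingerprint: str) -> bool:
    """True only if the certificate's fingerprint matches the configured one.

    A configured value of the wrong length is a configuration error and is
    reported as such instead of silently failing every verification.
    """
    if algorithm not in HEX_DIGITS:
        raise ValueError("algorithm must be 'md5' or 'sha1'")
    expected = normalize(configured_fingerprint)
    if len(expected) != HEX_DIGITS[algorithm]:
        raise ValueError(f"{algorithm} fingerprint needs {HEX_DIGITS[algorithm]} "
                         f"hex digits, got {len(expected)}")
    actual = normalize(fingerprint(cert_der, algorithm))
    # Constant-time comparison; plain == would be correct too, but
    # compare_digest is the habit worth keeping for any security compare.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    configured = fingerprint(ROOT_CERT_DER, "sha1")   # what an admin would type
    print("SHA1 fingerprint:", configured)
    print("genuine root accepted:",
          verify_root_certificate(ROOT_CERT_DER, "sha1", configured))
    tampered = ROOT_CERT_DER[:-1] + b"\x00"
    print("altered root accepted:",
          verify_root_certificate(tampered, "sha1", configured))
```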
Submitting a PKI certificate request
When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in an online mode or an offline mode. In offline mode, a certificate request is submitted to a CA by an "out-of-band" means such as phone, disk, or email.
An online certificate request can be submitted in manual mode or auto mode.
Submitting a certificate request in auto mode
In auto mode, an entity automatically requests a certificate from the CA server if it has no local certificate for an application working with PKI, and then retrieves the certificate and saves it locally. Before requesting a certificate, if the PKI domain does not have the CA certificate yet, the entity automatically retrieves the CA certificate.
Follow these steps to configure an entity to submit a certificate request in auto mode:
1. Enter system view.
   Command: system-view
2. Enter PKI domain view.
   Command: pki domain domain-name
3. Set the certificate request mode to auto.
   Command: certificate request mode auto [ key-length key-length | password { cipher | simple } password ] *
   Remarks: Required. Manual by default.

IMPORTANT:
In auto mode, an entity does not automatically re-request a certificate to replace a certificate that is expiring or has expired. After the certificate expires, the service using the certificate might be interrupted.
Submitting a certificate request in manual mode
In manual mode, you manually submit a certificate request for an entity. Before submitting a certificate request, you must ensure that an RSA key pair has been generated and the CA certificate has been retrieved and saved locally.
The CA certificate is required to verify the authenticity and validity of a local certificate. The public key of the key pair is an important part of the request information and will be transferred to the CA along with some other information. For more information about RSA key pair configuration, see the Security Configuration Guide.
Follow these steps to submit a certificate request in manual mode:
1. Enter system view.
   Command: system-view
2. Enter PKI domain view.
   Command: pki domain domain-name
3. Set the certificate request mode to manual.
   Command: certificate request mode manual
   Remarks: Optional. Manual by default.
4. Return to system view.
   Command: quit
5. Retrieve a CA certificate manually.
   See "Retrieving a certificate manually".
   Remarks: Required.
6. Generate a local RSA key pair.
   Command: public-key local create rsa
   Remarks: Required. No local RSA key pair exists by default.
7. Submit a local certificate request manually.
   Command: pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]
   Remarks: Required.
     
NOTE:
• If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. For more information about the public-key local create command, see the Security Command Reference.
• A newly created key pair will overwrite the existing one. If you execute the public-key local create command in the presence of a local RSA key pair, the system will ask you whether you want to overwrite the existing one.
• If a PKI domain already has a local certificate, you cannot request another certificate for it. This helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. Before requesting a new certificate, use the pki delete-certificate command to delete the existing local certificate and the CA certificate stored locally.
• When it is impossible to request a certificate from the CA through SCEP, save the request information by using the pki request-certificate domain command with the pkcs10 and filename keywords, and then send the file to the CA by an out-of-band means.
• Make sure the clocks of the entity and the CA are synchronized. Otherwise, the validity period of the certificate will be abnormal.
• The pki request-certificate domain configuration will not be saved in the configuration file.
Retrieving a certificate manually
You can download CA certificates and local certificates and save them locally. To do so, use either the online mode or the offline mode. In offline mode, you must retrieve a certificate by an out-of-band means like FTP, disk, or email, and then import it into the local PKI system.
Certificate retrieval serves two purposes:
• Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
• Prepare for certificate verification.
Before retrieving a local certificate in online mode, be sure to complete the LDAP server configuration.
Follow these steps to retrieve a certificate manually:
1. Enter system view.
   Command: system-view
2. Retrieve a certificate manually (required; use either command).
   Online: pki retrieval-certificate { ca | local } domain domain-name
   Offline: pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]

CAUTION:
• If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction helps avoid inconsistency between the certificate and registration information resulting from configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and the local certificate first.
• The pki retrieval-certificate configuration will not be saved in the configuration file.
• Be sure that the device system time falls in the validity period of the certificate so that the certificate is valid.
Configuring PKI certificate verification
A certificate needs to be verified before being used. Verifying a certificate means checking whether the certificate is signed by the CA and whether the certificate has expired or been revoked.
Before verifying a certificate, you must retrieve the CA certificate.
You can specify whether CRL checking is required in certificate verification. If you enable CRL checking, CRLs will be used in the verification of a certificate.
Configuring CRL-checking-enabled PKI certificate verification
Follow these steps to configure CRL-checking-enabled PKI certificate verification:
1. Enter system view.
   Command: system-view
2. Enter PKI domain view.
   Command: pki domain domain-name
3. Specify the URL of the CRL distribution point.
   Command: crl url url-string
   Remarks: Optional. No CRL distribution point URL is specified by default.
4. Set the CRL update period.
   Command: crl update-period hours
   Remarks: Optional. By default, the CRL update period depends on the next update field in the CRL file.
5. Enable CRL checking.
   Command: crl check enable
   Remarks: Optional. Enabled by default.
6. Return to system view.
   Command: quit
7. Retrieve the CA certificate.
   See "Retrieving a certificate manually".
   Remarks: Required.
8. Retrieve CRLs.
   Command: pki retrieval-crl domain domain-name
   Remarks: Required.
9. Verify the validity of a certificate.
   Command: pki validate-certificate { ca | local } domain domain-name
   Remarks: Required.

Configuring CRL-checking-disabled PKI certificate verification
Follow these steps to configure CRL-checking-disabled PKI certificate verification:
1. Enter system view.
   Command: system-view
2. Enter PKI domain view.
   Command: pki domain domain-name
3. Disable CRL checking.
   Command: crl check disable
   Remarks: Required. Enabled by default.
4. Return to system view.
   Command: quit
5. Retrieve the CA certificate.
   See "Retrieving a certificate manually".
   Remarks: Required.
6. Verify the validity of the certificate.
   Command: pki validate-certificate { ca | local } domain domain-name
   Remarks: Required.

NOTE:
• The CRL update period refers to the interval at which the entity downloads CRLs from the CRL server. A CRL update period configured manually takes precedence over the one specified in the CRLs.
• The pki retrieval-crl domain configuration will not be saved in the configuration file.
• The URL of the CRL distribution point does not support domain name resolution.
Destroying a local RSA key pair
A certificate has a lifetime, which is determined by the CA. When the private key leaks or the certificate is about to expire, destroy the old RSA key pair and then create a new pair to request a new certificate.
Follow these steps to destroy a local RSA key pair:
1. Enter system view.
   Command: system-view
2. Destroy a local RSA key pair.
   Command: public-key local destroy rsa
   Remarks: Required.

NOTE:
For more information about the public-key local destroy command, see the Security Command Reference.
Deleting a certificate
When a certificate requested manually is about to expire or you want to request a new certificate, delete the current local certificate or CA certificate.
Follow these steps to delete a certificate:
1. Enter system view.
   Command: system-view
2. Delete certificates.
   Command: pki delete-certificate { ca | local } domain domain-name
   Remarks: Required.

Configuring an access control policy
A certificate attribute-based access control policy can further control access to the server, providing additional security for the server.
Follow these steps to configure a certificate attribute-based access control policy:
1. Enter system view.
   Command: system-view
2. Create a certificate attribute group and enter its view.
   Command: pki certificate attribute-group group-name
   Remarks: Required. No certificate attribute group exists by default.
3. Configure an attribute rule for the certificate issuer name, certificate subject name, or alternative subject name.
   Command: attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
   Remarks: Optional. No restriction is defined on the issuer name, certificate subject name, or alternative subject name by default.
4. Return to system view.
   Command: quit
5. Create a certificate attribute-based access control policy and enter its view.
   Command: pki certificate access-control-policy policy-name
   Remarks: Required. No access control policy exists by default.
6. Configure a certificate attribute-based access control rule.
   Command: rule [ id ] { deny | permit } group-name
   Remarks: Required. No access control rule exists by default.

CAUTION:
A certificate attribute group must exist before it can be associated with a rule.
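How a certificate attribute-based access control policy of the kind configured above decides permit or deny, as an added Python illustration (not code from this manual or the switch). Because this page does not define the matching semantics, the following are assumptions: ctn/nctn mean the attribute contains/does not contain the value and equ/nequ mean it equals/does not equal it; an attribute group matches when every rule in it matches; policy rules are tried in ascending id and the first matching group decides; a certificate matching no rule is denied. The groups, policy and certificates are constructed sample data.

```python
"""Certificate attribute-based access control evaluation (added illustration).

Mirrors the command structure on this page:
  pki certificate attribute-group <group>   -> attribute rules
  pki certificate access-control-policy <p> -> rule [ id ] { deny | permit } group
Assumed semantics (not stated on this page): ctn = contains, equ = equals,
nctn = does not contain, nequ = does not equal; a group matches when all of
its attribute rules match; rules are tried in id order and the first match
decides; no match means deny. Not code from the HP manual or the switch.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AttributeRule:
    attribute: str   # "issuer-name", "subject-name" or "alt-subject-name"
    kind: str        # "dn", "fqdn" or "ip"
    operator: str    # "ctn", "equ", "nctn" or "nequ"
    value: str


# A certificate is modelled as attribute -> kind -> list of string values.
Certificate = Dict[str, Dict[str, List[str]]]
# Policy rule: (id, action, group-name), as in "rule [ id ] { deny | permit } group-name".
PolicyRule = Tuple[int, str, str]


def rule_matches(rule: AttributeRule, cert: Certificate) -> bool:
    values = cert.get(rule.attribute, {}).get(rule.kind, [])
    if rule.operator == "equ":
        return any(v == rule.value for v in values)
    if rule.operator == "ctn":
        return any(rule.value in v for v in values)
    # Negative operators: no present value may equal / contain the configured
    # value, so a certificate lacking the attribute entirely also matches.
    if rule.operator == "nequ":
        return all(v != rule.value for v in values)
    if rule.operator == "nctn":
        return all(rule.value not in v for v in values)
    raise ValueError(f"unknown operator {rule.operator!r}")


def group_matches(group: List[AttributeRule], cert: Certificate) -> bool:
    return all(rule_matches(r, cert) for r in group)


def evaluate_policy(policy: List[PolicyRule],
                    groups: Dict[str, List[AttributeRule]],
                    cert: Certificate) -> str:
    """Return "permit" or "deny" for the certificate."""
    for _rule_id, action, group_name in sorted(policy):
        if group_name not in groups:
            # The CAUTION on this page: a group must exist before a rule uses it.
            raise KeyError(f"attribute group {group_name!r} does not exist")
        if group_matches(groups[group_name], cert):
            return action
    return "deny"


# Constructed sample configuration: deny anything not issued by the trusted
# CA "myca", then permit certificates whose subject CN is "switch".
GROUPS = {
    "foreign-issuer": [AttributeRule("issuer-name", "dn", "nctn", "CN=myca")],
    "switches": [AttributeRule("subject-name", "dn", "ctn", "CN=switch"),
                 AttributeRule("issuer-name", "dn", "equ", "C=cn, O=org, OU=test, CN=myca")],
}
POLICY = [(1, "deny", "foreign-issuer"), (2, "permit", "switches")]

# Constructed sample certificates.
SWITCH_CERT = {"issuer-name": {"dn": ["C=cn, O=org, OU=test, CN=myca"]},
               "subject-name": {"dn": ["CN=switch"]},
               "alt-subject-name": {"fqdn": [], "ip": []}}
ROGUE_CERT = {"issuer-name": {"dn": ["C=cn, O=evil, CN=otherca"]},
              "subject-name": {"dn": ["CN=switch"]}}
HOST_CERT = {"issuer-name": {"dn": ["C=cn, O=org, OU=test, CN=myca"]},
             "subject-name": {"dn": ["CN=host"]}}

if __name__ == "__main__":
    for name, cert in [("switch", SWITCH_CERT), ("rogue", ROGUE_CERT), ("host", HOST_CERT)]:
        print(f"{name}: {evaluate_policy(POLICY, GROUPS, cert)}")
```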
Displaying and maintaining PKI
• Display the contents or request status of a certificate
  Command: display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Display CRLs
  Command: display pki crl domain domain-name [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Display information about one or all certificate attribute groups
  Command: display pki certificate attribute-group { group-name | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Display information about one or all certificate attribute-based access control policies
  Command: display pki certificate access-control-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

PKI configuration examples

CAUTION:
• When the CA uses Windows Server, the SCEP add-on is required, and you must use the certificate request from ra command to specify that the entity request a certificate from an RA.
• When the CA uses RSA Keon, the SCEP add-on is not required, and you must use the certificate request from ca command to specify that the entity request a certificate from a CA.
Requesting a certificate from a CA running RSA Keon
NOTE:
The CA server runs RSA Keon in this configuration example.
Network requirements
• The device submits a local certificate request to the CA server.
• The device acquires the CRLs for certificate verification.
Figure 55 Request a certificate from a CA running RSA Keon

Configuration procedure
1. Configure the CA server
# Create a CA server named myca.
In this example, configure these basic attributes on the CA server first:
• Nickname—Name of the trusted CA.
• Subject DN—DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C).
The other attributes can be left at their default values.
# Configure extended attributes.
After configuring the basic attributes, perform configuration on the jurisdiction configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting.
# Configure the CRL distribution behavior.
After completing the configuration, you must perform CRL-related configurations. In this example, select the local CRL distribution mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl.
After the configuration, make sure that the system clock of the device is synchronized with that of the CA, so that the device can request certificates and retrieve CRLs properly.
(Figure 55 component labels: CA server, Internet, Host, Switch, PKI entity)
2. Configure the switch
• Configure the entity DN
# Configure the entity name as aaa and the common name as switch.
<Switch> system-view
[Switch] pki entity aaa
[Switch-pki-entity-aaa] common-name switch
[Switch-pki-entity-aaa] quit
• Configure the PKI domain
# Create PKI domain torsa and enter its view.
[Switch] pki domain torsa
# Configure the name of the trusted CA as myca.
[Switch-pki-domain-torsa] ca identifier myca
# Configure the URL of the registration server in the format http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server.
[Switch-pki-domain-torsa] certificate request url http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337
# Set the registration authority to CA.
[Switch-pki-domain-torsa] certificate request from ca
# Specify the entity for certificate request as aaa.
[Switch-pki-domain-torsa] certificate request entity aaa
# Configure the URL for the CRL distribution point.
[Switch-pki-domain-torsa] crl url http://4.4.4.133:447/myca.crl
[Switch-pki-domain-torsa] quit
• Generate a local key pair using RSA
[Switch] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits in the modulus [default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++

• Apply for certificates
# Retrieve the CA certificate and save it locally.
[Switch] pki retrieval-certificate ca domain torsa
Retrieving CA/RA certificates. Please wait a while......
The trusted CAs finger print is:
    MD5  fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
    SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
    Is the finger print correct?(Y/N):y 
     
    Saving CA/RA certificates chain, please wait a moment...... 
    CA certificates retrieval success. 
    # Retrieve CRLs and save them locally. 
    [Switch] pki retrieval-crl domain torsa 
    Connecting to server for retrieving CRL. Please wait a while..... 
    CRL retrieval success! 
    # Request a local certificate manually. 
    [Switch] pki request-certificate domain torsa challenge-word 
    Certificate is being requested, please wait...... 
    [Switch] 
    Enrolling the local certificate,please wait a while...... 
    Certificate request Successfully! 
    Saving the local certificate to device...... 
    Done! 
    3. Verify your configuration 
    # Use the following command to view information about the local certificate acquired. 
    [Switch] display pki certificate local domain torsa 
    Certificate: 
        Data: 
            Version: 3 (0x2) 
            Serial Number: 
                9A96A48F 9A509FD7 05FFF4DF 104AD094 
            Signature Algorithm: sha1WithRSAEncryption 
            Issuer: 
                C=cn 
                O=org 
                OU=test 
                CN=myca 
            Validity 
                Not Before: Jan  8 09:26:53 2011 GMT 
                Not After : Jan  8 09:26:53 2011 GMT 
            Subject: 
                CN=switch 
            Subject Public Key Info: 
                Public Key Algorithm: rsaEncryption 
                RSA Public Key: (1024 bit) 
                    Modulus (1024 bit): 
                        00D67D50 41046F6A 43610335 CA6C4B11 
                        F8F89138 E4E905BD 43953BA2 623A54C0 
                        EA3CB6E0 B04649CE C9CDDD38 34015970 
                        981E96D9 FF4F7B73 A5155649 E583AC61 
                        D3A5C849 CBDE350D 2A1926B7 0AE5EF5E 
                        D1D8B08A DBF16205 7C2A4011 05F11094 
                        73EB0549 A65D9E74 0F2953F2 D4F0042F 
                        19103439 3D4F9359 88FB59F3 8D4B2F6C  
    						