Configuring a PKI entity
A certificate applicant uses an entity to provide its identity information to a CA. A valid PKI entity must include one or more of following identity categories:
Distinguished name (DN) of the entity, which further includes the common name, county code, locality, organization, unit in the organization, and state. If you configure the DN for an entity, a common name is required.
FQDN of the entity.
IP address of the entity.
Whether the categories are required or optional depends on the CA policy. Follow the CA policy to configure the entity settings. For example, if the CA policy requires the entity DN, but you configure only the IP address, the CA rejects the certificate request from the entity.
The SCEP add-on on the Windows 2000 CA server has restrictions on the data length of a certificate request. If a request from a PKI entity exceeds the data length limit, the CA server does not respond to the certificate request. In this case, you can use an out-of-band means to submit the request. Other types of CA servers, such as RSA servers and OpenCA servers, do not have such restrictions.
To configure a PKI entity:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a PKI entity and enter its view. | pki entity entity-name | By default, no PKI entities exist. To create multiple PKI entities, repeat this step. |
3. Configure the DN for the PKI entity. |
| By default, no DN attributes are configured for a PKI entity. If the subject-dn command is configured, the common-name, country, locality, organization, organization-unit, and state commands do not take effect. |
4. Set the FQDN of the entity. | fqdn fqdn-name-string | By default, the FQDN is not set. |
5. Configure the IP address of the entity. | ip { ip-address | interface interface-type interface-number } | By default, the IP address is not configured. |