Configuring a PKI domain
A PKI domain contains enrollment information for a PKI entity. It is locally significant and is intended only for use by other applications like IKE and SSL.
Before a PKI entity can enroll with a CA, it must authenticate the CA by obtaining the self-signed certificate of the CA and verifying the fingerprint of the root CA certificate.
You can preconfigure the fingerprint for root CA certificate verification in a PKI domain.
If the CA certificate is imported or obtained through a manual certificate request, the device automatically compares the configured fingerprint with the fingerprint of the CA certificate. If the two fingerprints do not match, the device rejects the CA certificate, and the certificate import or request fails. If no fingerprint is configured in the PKI domain, the device displays the fingerprint of the CA certificate on the terminal and asks you to verify it manually.
If the CA certificate is obtained through automatic certificate request, the device automatically verifies the CA certificate's fingerprint by using the fingerprint configured in the PKI domain. If no fingerprint is configured in the domain, the device rejects the certificate.
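The decision rules above, as an added example that is not part of the original guide or the device software: it assumes a root CA fingerprint is an MD5 or SHA-1 hash of the DER-encoded certificate, models the manual and auto request modes, and uses a constructed byte string in place of a real certificate.

```python
import hashlib
import hmac
from enum import Enum
from typing import Callable, Optional, Tuple


class RequestMode(Enum):
    MANUAL = "manual"  # manual certificate request: operator can confirm the fingerprint
    AUTO = "auto"      # automatic certificate request: a configured fingerprint is mandatory


def fingerprint(ca_cert_der: bytes, algorithm: str = "sha1") -> str:
    """Hex fingerprint of a DER-encoded CA certificate (assumed MD5 or SHA-1)."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("fingerprint algorithm must be md5 or sha1")
    return hashlib.new(algorithm, ca_cert_der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' forms as an operator might type them."""
    return fp.replace(":", "").replace(" ", "").lower()


def verify_ca_certificate(
    ca_cert_der: bytes,
    mode: RequestMode,
    configured_fp: Optional[str] = None,
    algorithm: str = "sha1",
    confirm: Optional[Callable[[str, str], bool]] = None,
) -> Tuple[bool, str]:
    """Return (accepted, reason) following the PKI domain rules:
    - fingerprint configured: compare with the certificate; mismatch -> reject
    - not configured, manual mode: display the fingerprint and ask the operator
    - not configured, auto mode: reject
    """
    actual = fingerprint(ca_cert_der, algorithm)
    if configured_fp is not None:
        # Constant-time comparison of the two hex strings.
        if hmac.compare_digest(normalize(configured_fp), actual):
            return True, "fingerprint matches the configured value"
        return False, f"fingerprint mismatch: configured {normalize(configured_fp)}, certificate {actual}"
    if mode is RequestMode.AUTO:
        return False, "auto request mode requires a configured root CA fingerprint"
    if confirm is None:
        return False, "no fingerprint configured and no operator available to verify it"
    accepted = confirm(algorithm, actual)  # device shows the fingerprint, operator answers
    return accepted, "operator accepted fingerprint" if accepted else "operator rejected fingerprint"


# Constructed stand-in for DER certificate bytes; not a real certificate.
SAMPLE_CA_DER = b"\x30\x82\x01\x0a constructed-sample-ca-certificate-bytes"
```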
To configure a PKI domain:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a PKI domain and enter its view. | pki domain domain-name | By default, no PKI domains exist. |
3. Specify the trusted CA. | ca identifier name | By default, no trusted CA is specified. To obtain a CA certificate, the trusted CA name must be provided. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the same CA server. The CA server's URL is specified by using the certificate request url command. |
4. Specify the PKI entity name. | certificate request entity entity-name | By default, no entity is specified. |
5. Specify the type of certificate request reception authority. | certificate request from { ca \| ra } | By default, no authority type is specified. |
6. Specify the certificate request URL. | certificate request url url-string [ vpn-instance vpn-instance-name ] | By default, the certificate request URL is not specified. |
7. (Optional.) Set the SCEP polling interval and maximum number of polling attempts. | certificate request polling { count count \| interval interval } | By default, the device polls the CA server for the certificate request status every 20 minutes. The maximum number of polling attempts is 50. |
8. (Optional.) Specify the LDAP server. | ldap-server host hostname [ port port-number ] [ vpn-instance vpn-instance-name ] | This task is required only when the CRL repository is an LDAP server and the URL of the CRL repository does not contain the host name of the LDAP server. By default, no LDAP server is specified. |
9. Configure the fingerprint for verifying the root CA certificate. | | This task is required if the auto certificate request mode is configured in the PKI domain. If the manual certificate request mode is configured, you can skip this task and manually verify the fingerprint of the CA certificate. By default, no fingerprint is configured. |
10. Specify the key pair for certificate request. | | By default, no key pair is specified. If the specified key pair does not exist, the PKI entity automatically creates the key pair before submitting a certificate request. For information about how to generate DSA, ECDSA, and RSA key pairs, see "Managing public keys." |
11. (Optional.) Specify the intended use for the certificate. | usage { ike \| ssl-client \| ssl-server } * | By default, the certificate can be used by all applications, including IKE, SSL client, and SSL server. The extension options contained in an issued certificate depend on the CA policy, and they might be different from those specified in the PKI domain. |
12. (Optional.) Specify a source IP address for the PKI protocol packets. | | This task is required if the CA policy requires that the CA server accept certificate requests from a specific IP address or subnet. By default, the source IP address of PKI protocol packets is the IP address of their outgoing interface. |