Configuring a PKI domain

A PKI domain contains enrollment information for a PKI entity. It is locally significant and is intended only for reference by other applications like IKE and SSL.

Before enrolling with a CA, a PKI entity must authenticate the CA by obtaining the self-signed certificate of the CA and verifying the fingerprint of the root CA certificate.

You can preconfigure the fingerprint for root CA certificate verification in a PKI domain.

To configure a PKI domain:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a PKI domain and enter its view.
   Command: pki domain domain-name
   Remarks: By default, no PKI domains exist.

3. Specify the trusted CA.
   Command: ca identifier name
   Remarks: By default, no trusted CA is specified.
   To obtain a CA certificate, the trusted CA name must be provided. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the same CA server. The CA server's URL is specified by using the certificate request url command.

4. Specify the PKI entity name.
   Command: certificate request entity entity-name
   Remarks: By default, no entity is specified.

5. Specify the type of certificate request reception authority.
   Command: certificate request from { ca | ra }
   Remarks: By default, no authority type is specified.

6. Specify the certificate request URL.
   Command: certificate request url url-string [ vpn-instance vpn-instance-name ]
   Remarks: By default, the certificate request URL is not specified.

7. (Optional.) Set the SCEP polling interval and maximum number of polling attempts.
   Command: certificate request polling { count count | interval interval }
   Remarks: By default, the device polls the CA server for the certificate request status every 20 minutes. The maximum number of polling attempts is 50.

8. (Optional.) Specify the LDAP server.
   Command: ldap-server host hostname [ port port-number ] [ vpn-instance vpn-instance-name ]
   Remarks: This task is required only when the CRL repository is an LDAP server and the URL of the CRL repository does not contain the host name of the LDAP server.
   By default, no LDAP server is specified.

9. Configure the fingerprint for verifying the root CA certificate.
   Command:
     • In non-FIPS mode: root-certificate fingerprint { md5 | sha1 } string
     • In FIPS mode: root-certificate fingerprint sha1 string
   Remarks: This task is required if the auto certificate request mode is configured in the PKI domain.
   If the manual certificate request mode is configured, you can skip this task and manually verify the fingerprint of the CA certificate.
   By default, no fingerprint is configured.

10. Specify the key pair for certificate request.
   Command:
     • Specify an RSA key pair: public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] }
     • Specify an ECDSA key pair: public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ]
     • Specify a DSA key pair: public-key dsa name key-name [ length key-length ]
   Remarks: By default, no key pair is specified.
   If the specified key pair does not exist, the PKI entity automatically creates the key pair before submitting a certificate request.
   For information about how to generate DSA, ECDSA, and RSA key pairs, see "Managing public keys."

11. (Optional.) Specify the intended use for the certificate.
   Command: usage { ike | ssl-client | ssl-server } *
   Remarks: By default, the certificate can be used by all supported applications, including IKE, SSL client, and SSL server.
   The extension options contained in an issued certificate depend on the CA policy, and they might be different from those specified in the PKI domain.

12. (Optional.) Specify a source IP address for the PKI protocol packets.
   Command:
     • Specify the source IPv4 address for the PKI protocol packets: source ip { ip-address | interface interface-type interface-number }
     • Specify the source IPv6 address for the PKI protocol packets: source ipv6 { ipv6-address | interface interface-type interface-number }
   Remarks: This task is required if the CA policy requires that the CA server accept certificate requests from a specific IP address or subnet.
   By default, the source IP address of PKI protocol packets is the IP address of their outgoing interface.
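The whole procedure as one configuration sequence, added here as an illustration and not taken from the guide. The domain name torsa, the entity en1 (assumed to already exist), the CA name, the URL, the key name, the source address and the fingerprint are all constructed placeholders; in a real deployment the fingerprint must be the value obtained out of band from the CA operator.

```text
# Constructed example: a PKI domain set up for auto certificate request mode.
system-view
pki domain torsa
# Trusted CA name (placeholder); it selects the CA when the server hosts several.
ca identifier myca
# PKI entity 'en1' is assumed to have been created under "Configuring a PKI entity".
certificate request entity en1
# Send requests straight to the CA (use 'ra' when an RA fronts the CA).
certificate request from ca
# Placeholder SCEP URL of the CA server.
certificate request url http://ca.example.com:8080/scep
# Poll every 10 minutes, at most 30 times (defaults: 20 minutes, 50 attempts).
certificate request polling interval 10
certificate request polling count 30
# Preconfigured root CA fingerprint (placeholder value). In auto request mode this is the
# only check that binds the domain to the intended CA, so it has to come from a trusted
# channel, never from the certificate the device is about to download.
root-certificate fingerprint sha1 0123456789ABCDEF0123456789ABCDEF01234567
# 2048-bit general-purpose RSA key pair; created automatically on the first request if absent.
public-key rsa general name rsakey1 length 2048
# Limit the certificate to IKE so it cannot be presented as an SSL server or client identity.
usage ike
# Fixed source address (placeholder) for the case where the CA only accepts known requesters.
source ip 10.1.1.1
```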