3com 2928 Guida Utente

1-15

Field

Description

keyid

Pubic key identifier
A CA may have multiple key pairs, and this field identifies which

key pair is used for the CRL signature.

Return to

Configuration task list for requesting a certificate manually

Return to

Configuration task list for requesting a certificate automatically

PKI Configuration Example

Configuring a PKI Entity to Request a Certificate from a CA

Network requirements

As shown in

Figure 1-15

, configure the Switch working as the PKI entity, so that:

The Switch submits a local certificate request to the CA server, which runs the RSA Keon software.

The Switch acquires CRLs for certificate verification.

Figure 1-15

Network diagram for configuring a PKI entity to request a certificate from a CA

Configuration procedure

1) Configure the CA server
# Create a CA server named myca.
In this example, you need to configure the basic attributes of Nickname and Subject DN on the CA
server at first:

Nickname: Name of the trusted CA.

Subject DN: DN information of the CA, including the Common Name (CN),

Organization Unit (OU),

Organization (O), and

Country (C).

The other attributes may use the default values.
# Configure extended attributes
After configuring the basic attributes, you need to perform configuration on the Jurisdiction
Configuration

page of the CA server. This includes selecting the proper extension profiles, enabling

the SCEP autovetting function, and adding the IP address list for SCEP autovetting.
# Configure the CRL publishing behavior
After completing the above configuration, you need to perform CRL related configurations.
In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to
http://4.4.4.133:447/myca.crl.