Field | Description | |
X509v3 Authority Key Identifier | Identifier of the CA that issued the certificate and the certificate version | |
(X509v3). | ||
| ||
|
| |
| Pubic key identifier | |
keyid | A CA may have multiple key pairs, and this field identifies which key | |
| pair is used for the CRL signature. | |
|
|
Return to Configuration task list for requesting a certificate manually.
Return to Configuration task list for requesting a certificate automatically.
PKI configuration exampleConfiguring a PKI entity to request a certificate from a CA
Network requirements
As shown in a, configure the Switch working as the PKI entity, so that:
∙The Switch submits a local certificate request to the CA server, which runs the RSA Keon software.
∙The Switch acquires CRLs for certificate verification.
a.Network diagram for configuring a PKI entity to request a certificate from a CA
Configuration procedure
Table 145 Configure the CA server
# Create a CA server named myca.
In this example, you need to configure the basic attributes of Nickname and Subject DN on the CA server at first:
∙Nickname: Name of the trusted CA.
∙Subject DN: DN information of the CA, including the Common Name (CN),
∙Organization Unit (OU),
∙Organization (O), and
∙Country (C).
The other attributes may use the default values.
# Configure extended attributes
After configuring the basic attributes, you need to perform configuration on the Jurisdiction Configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting.
# Configure the CRL publishing behavior
397