HP 5500 Ei 5500 Si Switch Series Configuration Guide
Page 1921
• VPN: A virtual private network (VPN) is a private data communication network built on the public communication infrastructure. A VPN can leverage network layer security protocols (for instance, IPsec) in conjunction with PKI-based encryption and digital signature technologies for confidentiality.
• Secure email: Emails require confidentiality, integrity, authentication, and non-repudiation. PKI can address these needs. The secure email protocol that is developing rapidly is...
Page 1922
Task: Configuring an access control policy
   Remarks: Optional.

Configuring an entity DN

A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN). A CA identifies a certificate applicant uniquely by entity DN.

An entity DN is defined by these parameters:
• Common name of the entity.
• Country code of the entity, a standard 2-character code. For example, CN represents China and...
Page 1923
8. Configure the organization name for the entity.
   Command: organization org-name
   Remarks: Optional. No organization is specified by default.
9. Configure the unit name for the entity.
   Command: organization-unit org-unit-name
   Remarks: Optional. No unit is specified by default.
10. Configure the state or province for the entity.
   Command: state state-name
   Remarks: Optional. No state or province is specified by default.

NOTE: The Windows 2000 CA server has some restrictions on the data length of a...
Page 1924
• The CA name is required only when you retrieve a CA certificate. It is not used in a local certificate request.
• The certificate request URL does not support domain name resolution.

Configuration procedure

To configure a PKI domain:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a PKI domain and enter its view.
   Command: pki domain domain-name
   Remarks: No PKI domain exists by default.
3. Specify the trusted CA.
   Command: ca identifier name
   Remarks: No trusted CA is specified by...
Page 1925
Submitting a certificate request in auto mode

In auto mode, an entity automatically requests a certificate from the CA server if it has no local certificate for an application working with PKI, and then retrieves the certificate and saves the certificate locally. Before requesting a certificate, if the PKI domain does not have the CA certificate yet, the entity automatically retrieves the CA certificate. To...
Page 1926
• Make sure the clocks of the entity and the CA are synchronized. Otherwise, the validity period of the certificate will be abnormal.
• The configuration made by the pki request-certificate domain command is not saved in the configuration file.

Configuration procedure

To submit a certificate request in manual mode:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter PKI domain view.
   Command: pki domain domain-name
   Remarks: N/A
3. Set the certificate request mode to manual....
Page 1927
Configuration procedure

To retrieve a certificate manually:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Retrieve a certificate manually.
   Command:
   • In online mode: pki retrieval-certificate { ca | local } domain domain-name
   • In offline mode: pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]
   Remarks: Use either command.

Configuring PKI certificate verification

A certificate needs to be verified before being...
Page 1928
6. Return to system view.
   Command: quit
   Remarks: N/A
7. Retrieve the CA certificate.
   Command: See "Retrieving a certificate manually"
   Remarks: N/A
8. Retrieve CRLs.
   Command: pki retrieval-crl domain domain-name
   Remarks: N/A
9. Verify the validity of a certificate.
   Command: pki validate-certificate { ca | local } domain domain-name
   Remarks: N/A

Configuring CRL-checking-disabled PKI certificate verification

To configure CRL-checking-disabled PKI certificate verification:

1. Enter system view....
Page 1929
To delete a certificate:

1. Enter system view.
   Command: system-view
2. Delete certificates.
   Command: pki delete-certificate { ca | local } domain domain-name

Configuring an access control policy

By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server.

To configure a certificate attribute-based access control policy:

1. Enter system view.
   Command: system-view
   Remarks: N/A...
Page 1930
Task: Display information about certificate attribute groups.
   Command: display pki certificate attribute-group { group-name | all } [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Display information about certificate attribute-based access control policies.
   Command: display pki certificate access-control-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view

PKI configuration examples

This...