Requesting a certificate from an OpenCA server - HP FlexNetwork 10500 Series Security Configuration Manual

To display detailed information about the CA certificate, use the display pki certificate domain command.

Requesting a certificate from an OpenCA server

Network requirements

Configure the PKI entity (the device) to request a local certificate from the CA server.

Figure 81 Network diagram

Configuring the OpenCA server

The configuration is not shown. For information about how to configure an OpenCA server, see related manuals.
When you configure the CA server, use an OpenCA version later than 0.9.2, because earlier versions do not support SCEP.

Configuring the device

1. Synchronize the device's system time with the CA server so that the device can request certificates correctly. (Details not shown.)
2. Create a PKI entity named aaa and configure the common name, country code, organization name, and OU for the entity.
<Device> system-view
[Device] pki entity aaa
[Device-pki-entity-aaa] common-name rnd
[Device-pki-entity-aaa] country CN
[Device-pki-entity-aaa] organization test
[Device-pki-entity-aaa] organization-unit software
[Device-pki-entity-aaa] quit
3. Configure a PKI domain:
# Create a PKI domain named openca and enter its view.
[Device] pki domain openca
# Set the name of the trusted CA to myca.
[Device-pki-domain-openca] ca identifier myca
# Configure the certificate request URL. The URL is in the format http://host/cgi-bin/pki/scep, where host is the host IP address of the OpenCA server.
[Device-pki-domain-openca] certificate request url http://192.168.222.218/cgi-bin/pki/scep
# Configure the device to send certificate requests to the RA.
[Device-pki-domain-openca] certificate request from ra
# Set the PKI entity name to aaa.
[Device-pki-domain-openca] certificate request entity aaa
# Configure a 1024-bit general-purpose RSA key pair named abc for certificate request.
[Device-pki-domain-openca] public-key rsa general name abc length 1024
[Device-pki-domain-openca] quit
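
An added example, not part of the HP manual: a Python check that reads the CLI session from steps 2 and 3, confirms that each step 3 setting was entered and that the referenced PKI entity exists, and flags an RSA key pair shorter than 2048 bits, as the 1024-bit key above is. The 2048-bit floor and the names audit, parse_session and MIN_RSA_BITS are assumptions of this example, not device features.

```python
import re

MIN_RSA_BITS = 2048  # assumption: policy floor used by this example
STEP3_SETTINGS = ("ca identifier ", "certificate request url ",
                  "certificate request from ", "certificate request entity ")
PROMPT = re.compile(r"^\[[^\]]*?-pki-(entity|domain)-([^\]]+)\]\s+(.+)$")

# View commands from steps 2 and 3 of this page (URL joined onto one line).
SESSION = """\
[Device-pki-entity-aaa] common-name rnd
[Device-pki-domain-openca] ca identifier myca
[Device-pki-domain-openca] certificate request url http://192.168.222.218/cgi-bin/pki/scep
[Device-pki-domain-openca] certificate request from ra
[Device-pki-domain-openca] certificate request entity aaa
[Device-pki-domain-openca] public-key rsa general name abc length 1024
[Device-pki-domain-openca] quit
"""


def parse_session(text):
    """Collect the commands entered in each PKI entity and PKI domain view."""
    views = {"entity": {}, "domain": {}}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            cmds = views[m.group(1)].setdefault(m.group(2), [])
            if m.group(3) != "quit":
                cmds.append(m.group(3))
    return views


def audit(text):
    """Return (domain, finding) pairs for the PKI domains in a CLI session."""
    views, findings = parse_session(text), []
    for name, cmds in views["domain"].items():
        for setting in STEP3_SETTINGS:
            if not any(c.startswith(setting) for c in cmds):
                findings.append((name, "not set: " + setting.strip()))
        for c in cmds:
            ent = re.match(r"certificate request entity (\S+)$", c)
            if ent and ent.group(1) not in views["entity"]:
                findings.append((name, "entity %s is not defined" % ent.group(1)))
            key = re.match(r"public-key rsa general name (\S+) length (\d+)$", c)
            if key and int(key.group(2)) < MIN_RSA_BITS:
                findings.append((name, "RSA key %s is %s bits" % key.groups()))
    return findings


if __name__ == "__main__":
    print(*audit(SESSION), sep="\n")
```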