CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configuration of security features, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separation of the management plane from the service plane, and security risks.
Example for Configuring Manual Certificate Enrollment

Networking Requirements

Configure the PKI entity on the Router to apply for a certificate from a CA server, as shown in Figure 15-6.

Figure 15-6  Configuring a PKI entity to request a certificate from a CA server

Configuration Roadmap

  1. Configure a PKI entity to identify a certificate applicant.
  2. Configure a PKI domain and specify identity information required for certificate enrollment, including the trusted CA name, bound entity name, enrollment URL, and CA certificate fingerprint.
  3. Enroll the certificate manually.

Procedure

  1. Configure a PKI entity to identify a certificate applicant.

    # Configure a PKI entity user01.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] pki entity user01
    [Router-pki-entity-user01] common-name hello
    [Router-pki-entity-user01] country cn
    [Router-pki-entity-user01] state jiangsu
    [Router-pki-entity-user01] organization huawei
    [Router-pki-entity-user01] organization-unit info
    [Router-pki-entity-user01] quit
    

  2. Configure a PKI domain and specify the identity information required for certificate enrollment in the PKI domain.

    # Configure the trusted CA, bound entity, enrollment URL, and CA certificate fingerprint.

    [Router] pki realm abc
    [Router-pki-realm-abc] ca id ca_root
    [Router-pki-realm-abc] entity user01
    [Router-pki-realm-abc] enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
    [Router-pki-realm-abc] fingerprint sha2 7A34D94624B1C1BCBF6D763C4A67035D5B578EAF7A34D94624B1C1BCBF6D763C
    [Router-pki-realm-abc] quit

  3. Enroll the certificate manually.

    [Router] pki enroll-certificate abc
     Create a challenge password. You will need to verbally provide this password to
     the CA Administrator in order to revoke your certificate.
     For security reasons your password will not be saved in the configuration. Plea
    se make a note of it.
     Choice no password ,please enter the enter-key.
     Please enter Password:
     Start certificate enrollment ...
     Certificate is enrolling now,It will take a few minutes or more.  
     Please waiting...
     The certificate enroll successful.
    

    You will be prompted to enter the password during certificate enrollment. If you do not have a password, press Enter.

  4. Verify the configuration.

    After the preceding configurations are complete, the CA issues a certificate to the PKI entity. In the certificate information, the Issued To field value is the entity common name, hello.

    Run the display pki certificate local command on the PKI entity to view the certificate.

    [Router] display pki certificate local abc
    Certificate
      Status : Available
      Version: 3
      Serial Number:
        19 36 41 af 00 00 00 00 02 ba
      Subject:
        C=CN
        ST=jiangsu
        O=huawei
        OU=info
        CN=hello
    
      Associated Pki Realm : abc
    
    Total Number: 1

Configuration Files

Configuration file of the Router

#
 sysname Router
#
pki entity user01
 country CN
 state jiangsu
 organization huawei
 organization-unit info
 common-name hello
#
pki realm abc
 ca id ca_root
 enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity user01
 fingerprint sha2 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf7a34d94624b1c1bcbf6d763c
#
return
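
An added example, not part of the Huawei guide: a Python check that reads the `pki realm` block from the configuration file above and compares its `fingerprint sha2` value with the digest of a CA certificate obtained out of band, since that fingerprint is what ties the enrollment URL to the intended CA. It assumes `sha2` denotes SHA-256 over the DER-encoded certificate (consistent with the 64-hex-digit value shown); `parse_realms`, `audit_realm` and the stand-in certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import re

# Sample input: the "pki realm" block from the configuration file on this page.
PAGE_CONFIG = """\
#
pki realm abc
 ca id ca_root
 enrollment-url http://10.137.145.158:8080/certsrv/mscep/mscep.dll ra
 entity user01
 fingerprint sha2 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf7a34d94624b1c1bcbf6d763c
#
return
"""
# Constructed stand-in for the DER bytes of a CA certificate obtained out of band.
SAMPLE_CA_DER = b"constructed stand-in for a DER-encoded CA certificate"

def parse_realms(config_text):
    """Return {realm_name: {first_keyword: rest_of_line}} for every 'pki realm' block."""
    realms, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("pki realm "):
            current = realms.setdefault(raw.split()[2], {})
        elif not raw.startswith(" "):   # '#', 'return' or a new top-level command ends the block
            current = None
        elif current is not None:       # indented line inside the current realm
            key, _, value = raw.strip().partition(" ")
            current[key] = value
    return realms

def audit_realm(realm, ca_cert_der):
    """Return findings from comparing the configured fingerprint with the given certificate."""
    algo, _, digest = realm.get("fingerprint", "").partition(" ")
    digest = digest.replace(":", "").strip().lower()
    if not algo:
        return ["no CA certificate fingerprint configured"]
    if algo != "sha2":                  # only the keyword shown on the page is handled
        return [f"fingerprint keyword '{algo}' not handled by this check"]
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        return ["sha2 fingerprint is not 64 hex digits"]
    actual = hashlib.sha256(ca_cert_der).hexdigest()  # assumption: sha2 = SHA-256 over DER
    if not hmac.compare_digest(actual, digest):
        return ["configured fingerprint does not match the out-of-band CA certificate"]
    return []

if __name__ == "__main__":
    for name, realm in parse_realms(PAGE_CONFIG).items():
        print(name, audit_realm(realm, SAMPLE_CA_DER) or "fingerprint OK")
```

With the stand-in bytes the page's fingerprint is reported as a mismatch; pass the real CA certificate's DER bytes to check an actual realm.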
Updated: 2019-05-25

Document ID: EDOC1000097287
