No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Applying for and Updating the Local Certificate Through SCEP

Applying for and Updating the Local Certificate Through SCEP

Context

Two methods are available to apply for the local certificate for a PKI entity through the Simple Certificate Enrollment Protocol (SCEP):

  • Automatic local certificate application and update

    If the configuration required for local certificate application has been performed and the device has no local certificate, the device automatically applies for the local certificate through SCEP. Alternatively, if the local certificate will expire soon, has expired, or reaches the specified percentage of validity period, the device automatically applies for and updates the local certificate through SCEP.

  • Manual local certificate application

    If the configuration required for local certificate application has been performed and the device has no local certificate, the device is manually triggered to apply for the local certificate through SCEP. If the local certificate will expire soon, has expired, or reaches the specified percentage of validity period, the device does not automatically apply for and update the local certificate through SCEP.

When you use either of the two methods to apply for the local certificate, the device obtains the CA certificate, saves it to the device storage and automatically imports it to the device memory. Then the device uses the public key in the CA certificate to encrypt its local certificate enrollment request and sends it to CA to apply for a local certificate. Finally the device saves the local certificate to the device storage and imports it to the device memory automatically.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki file-format { der | pem }

    The file format in which the device stores the certificate is configured.

    By default, the device stores the certificate into a PEM file.

  3. Run pki realm realm-name

    A PKI realm is created and the PKI realm view is displayed; or the PKI realm view is displayed directly.

    By default, the device has a PKI realm named default. This realm can only be modified but cannot be deleted.

    A PKI realm is valid only on the local device and unavailable to certificate authorities (CAs) or other devices. Each PKI realm has its own parameters.

  4. Run ca id ca-name

    A trusted CA is configured for the PKI realm.

    By default, no trusted CA is configured for a PKI realm.

    ca-name specifies the name of a CA server.

  5. Run entity entity-name

    A PKI entity that applies for a local certificate is specified.

    By default, no PKI entity that applies for a local certificate is specified.

    The PKI entity specified by entity-name must have been created using the pki entity command.

  6. Run rsa local-key-pair key-name

    The RSA key pair used in SCEP-based certificate application is configured.

    By default, the RSA key pair used in SCEP-based certificate application is not configured.

    The RSA key pair specified by key-name must have been created using the pki rsa local-key-pair create command.

  7. (Optional) Run key-usage { ike | ssl-client | ssl-server } *

    The certificate public key usage attribute is configured.

    By default, no certificate public key usage attribute is configured.

  8. (Optional) Run source interface interface-type interface-number

    The source interface used in TCP connection setup is specified.

    By default, the source interface used in a TCP connection is an egress interface.

    The source interface must be a Layer 3 interface with an IP address configured.

  9. (Optional) Run enrollment self-signed

    Self-signed certificate obtaining is configured for the PKI realm.

    By default, the certificate in a PKI realm, except the default PKI realm, is obtained in SCEP mode.

    The default certificate obtaining for the PKI realm default is self-signed.

    To implement default HTTPS functions or allow users to access the network temporarily, run this command.

  10. Run enrollment-url [ esc ] url [ interval minutes ] [ times count ] [ ra ]

    A CA server URL is configured.

    By default, the CA server URL is not configured.

    Pay attention to the following points:

    • If the esc parameter is not specified in the command, the URL format is http://server_location/ca_script_location.

      server_location supports the IP address format or domain name format. ca_script_location is the path where CA server host's application script is located. For example, when the Windows server functions as the CA server, the URL format is http://host:port/certsrv/mscep/mscep.dll. host is the CA server's IP address, and port is the CA server's port number. If the CA server's IP address is 10.137.145.158 and port number is 8080, the URL is http://10.137.145.158:8080/certsrv/mscep/mscep.dll.

    • If the esc parameter is specified, the URL that contains a question mark (?) can be entered in ASCII format.

      The esc parameter is specified to allow a URL that contains a question mark (?) to be entered in ASCII format. The URL must be in \x3f format, in which 3f is a hexadecimal ASCII value of question mark (?). For example, if a user wants to enter http://abc.com?page1, the corresponding URL is http://abc.com\x3fpage1. If the user also wants to enter question mark (?) and \x3f (http://www.abc.com?page1\x3f), the corresponding URL is http://www.abc.com\x3fpage1\\x3f.

    • If certificate requests are manually processed on the CA server, it may take a long period of time to issue a certificate. The PKI entity applying for a certificate needs to periodically send queries to obtain the issued certificate in time. To adjust the certificate enrollment query interval and maximum number of queries, configure the interval and times parameters.

    • If the ra parameter is specified, an RA authenticates a PKI entity's identity information during local certificate application. By default, a CA authenticates a PKI entity's identity information during local certificate application.

  11. Run enrollment-request signature message-digest-method { md5 | sha1 | sha-256 | sha-384 | sha-512 }

    The digest algorithm used to sign certificate enrollment requests is configured.

    By default, the digest algorithm used to sign certificate enrollment requests is sha-256.

    SHA2 algorithms are more secure than md5 and sha1 algorithms and so are recommended.

    The digest algorithm used on a PKI entity must be the same as that used on the CA server.

  12. Run password cipher password

    The challenge password used in SCEP certificate application is configured. The challenge password is also called certificate revocation password.

    By default, the challenge password used in SCEP certificate application is not configured.

    The challenge password used on a PKI entity must be the same as that configured on the CA server. If the CA server does not require a challenge password, this challenge password does not need to be configured.

  13. Run fingerprint { md5 | sha1 | sha256 } fingerprint

    The CA certificate fingerprint used in CA certificate authentication is configured.

    By default, the CA certificate fingerprint used in CA certificate authentication is not configured.

    The fingerprint needs to be obtained offline from a CA server. For example, when Windows Server 2008 functions as the CA server, access the web page address http://host:port/certsrv/mscep_admin/ to obtain the CA certificate fingerprint. In the web page address, host specifies the CA server's IP address, and port specifies the CA server's port number.

  14. Configure the local certificate application and update mode.
    • Configure automatic application and update of local certificate.

      Run auto-enroll [ percent ] [ regenerate [ key-bit ] ] [ updated-effective ]

      The automatic certificate application and update function is enabled.

      By default, the automatic certificate application and update function is disabled.

    • Configure manual local certificate application.

      1. Run quit

        Return to the system view.

      2. Run pki enroll-certificate realm realm-name [ password password ]

        Manual certificate application is configured.

        If the password command is configured, the password parameter does not need to be specified. If both the password command and password parameter are configured, the password parameter setting takes effect.

Translation
Download
Updated: 2019-04-01

Document ID: EDOC1000178410

Views: 126607

Downloads: 25

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next