Configuring CMP-based Certificate Management

Configuring CMP-based certificate management involves creating RSA key pairs, configuring entity information, configuring CMP sessions, and obtaining certificates.

Usage Scenario

Two devices need to obtain each other's identity information during an IPsec negotiation. The NetEngine 8000 F can use either a pre-shared key or certificate for identity authentication. If you use certificates for device identity authentication, configure the devices to obtain certificates before they perform an IPsec negotiation.

The NetEngine 8000 F can obtain certificates either using CMP or in outband mode. CMP is recommended to obtain and manage certificates on a CMP-capable network that has many devices deployed.

Pre-configuration Tasks

Before configuring CMP-based certificate management, complete the following tasks:

Complete basic configurations for a CA server so that the CA server can automatically issue certificates.
Ensure that each device has a predefined certificate.

Creating an RSA Key Pair: Before applying for certificates, create RSA key pairs.

Configuring Entity Information: When applying for certificates, an entity must add entity information to a certificate request file and send the file to the CA. The CA uses a piece of important information to describe an entity, and identifies the entity using a unique Distinguished Name (DN).

Configuring CMP Sessions: To configure a CMP session, specify an RSA key pair, a CA server name, and PKI entity information used to obtain a certificate using CMP.

Configuring CMP-based Certificate Management: The following types of CMP requests are used in the CMP-based certificate application process: initialization request (IR) and key update request (KUR).

Verifying the Configuration of CMP-based Certificate Management: After configuring CMP-based certificate management, check the configurations.