Configuring CMP Sessions

To configure a CMP session, specify an RSA key pair, a CA server name, and PKI entity information used to obtain a certificate using CMP.

Context

If you run the authentication-method rsa-sig command to use certificates for identity authentication, configure a mode for obtaining certificates.

If CMP is used to obtain and manage certificates, the NetEngine 8000 F and CA server establish a CMP session to exchange the information required for generating certificates. Before a CMP session is established, ensure that the NetEngine 8000 F has the following information to establish the CMP session:

  • PKI entity
  • RSA key pair
  • Name of the CA server with which the NetEngine 8000 F establishes the CMP session
  • Certificate for authenticating the identity of the NetEngine 8000 F
  • URL of the CMP server that receives CMP requests

Each digital certificate has a validity period. To ensure service availability, apply for a new certificate before the existing certificate expires. However, manual operation may leave certain certificates not updated. The NetEngine 8000 F supports automatic certificate update. The NetEngine 8000 F initiates a certificate update request to the connected CMPv2 server when the percentage of the certificate's remaining validity period reaches a specified value. The obtained certificate overwrites the certificate on the CF card and in the memory and that used during an IKE negotiation.

Perform the following steps on the NetEngine 8000 F that needs to use CMP to obtain a certificate:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki domain domain-name

    A PKI domain is created, and the PKI domain name configuration view is displayed.

  3. Run pki cmp session session-name

    A CMP session is created, and the CMP session view is displayed.

  4. Run cmp request entity entity-name

    A PKI entity is specified to initiate a CMP request.

  5. Run cmp request rsa local-key-pair key-name [ regenerate [ key-bit ] ]

    A local RSA key pair is specified to initiate a CMP request.

    An RSA key pair can be referenced by only one CMP session or PKI domain.

  6. Run cmp request ca-name ca-name

    A CA server is specified by its name to receive CMP requests.

  7. Run cmp request authentication-cert cert-name

    A certificate for device identity authentication is specified to initiate a CMP request.

  8. Run cmp request server url url-address

    A CMP server at a URL is specified to receive CMP requests.

  9. (Optional) Run cmp source interface interface-type interface-number

    The source interface of CMPv2 packets is configured. To be specific, the IP address of the configured source interface is used as the source IP address of the CMPv2 packets sent from the device to the CMPv2 server.

  10. Run commit

    The configuration is committed.

Parent Topic: Configuring CMP-based Certificate Management
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >