Field    Description
keyid    Public key identifier. A CA may have multiple key pairs, and this field identifies which key pair is used for the CRL signature.

Return to Configuration task list for requesting a certificate manually.

Return to Configuration task list for requesting a certificate automatically.

PKI Configuration Example

Configuring a PKI Entity to Request a Certificate from a CA

Network requirements

As shown in Figure 1-15, configure the Switch working as the PKI entity, so that:
• The Switch submits a local certificate request to the CA server, which runs the RSA Keon software.
• The Switch acquires CRLs for certificate verification.

Figure 1-15 Network diagram for configuring a PKI entity to request a certificate from a CA

Configuration procedure

1) Configure the CA server

# Create a CA server named myca.

In this example, you need to configure the basic attributes of Nickname and Subject DN on the CA server first:
• Nickname: Name of the trusted CA.
• Subject DN: DN information of the CA, including the Common Name (CN), Organization Unit (OU), Organization (O), and Country (C).

The other attributes may use the default values.

# Configure extended attributes.

After configuring the basic attributes, you need to perform configuration on the Jurisdiction Configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting.

# Configure the CRL publishing behavior.

After completing the above configuration, you need to perform CRL-related configurations.

In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl.
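When a CRL published at the HTTP URL above is checked, the keyid field described at the top of this section tells the verifier which of the CA's key pairs signed it. The following is an added example, not code from the manual or the switch software: it reads the keyid from a DER-encoded Authority Key Identifier value and selects the matching CA key, rejecting the CRL when no unique key matches. Assumptions: the keyid is carried as the keyIdentifier of that extension and is the SHA-1 hash of the public key (RFC 5280, method 1); the key names and key bytes are hypothetical, constructed sample data.

```python
import hashlib

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def aki_keyid(ext_value):
    """Return the keyIdentifier ([0] IMPLICIT, tag 0x80) or None if absent."""
    tag, body, _ = read_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("AuthorityKeyIdentifier must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x80:
            return value
    return None

def rfc5280_keyid(subject_public_key):
    # SHA-1 serves only as a lookup label here, not as a security mechanism.
    return hashlib.sha1(subject_public_key).digest()

def select_crl_signer(ext_value, ca_keys):
    """Name of the single CA key matching the CRL's keyid; fail closed otherwise."""
    keyid = aki_keyid(ext_value)
    if keyid is None:
        raise LookupError("CRL carries no keyid")
    matches = [n for n, pub in ca_keys.items() if rfc5280_keyid(pub) == keyid]
    if len(matches) != 1:
        raise LookupError("no unique CA key matches keyid " + keyid.hex())
    return matches[0]  # the CRL signature must still be verified with this key

# Constructed sample data: two hypothetical key pairs of the CA "myca".
CA_KEYS = {"myca-key-1": b"constructed-public-key-A",
           "myca-key-2": b"constructed-public-key-B"}
# AuthorityKeyIdentifier naming the second key: SEQUENCE { [0] 20-byte keyid }
SAMPLE_AKI = bytes([0x30, 22, 0x80, 20]) + rfc5280_keyid(CA_KEYS["myca-key-2"])

if __name__ == "__main__":
    print(select_crl_signer(SAMPLE_AKI, CA_KEYS))
```

A keyid match only selects the candidate key; trust in the CRL comes from verifying its signature with that key.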