Configuring a PKI Domain

Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance. The PKI domain configured on a device is invisible to the CA and other devices, and each PKI domain has its own parameters.

A PKI domain is defined by these parameters:

- Trusted CA

  An entity requests a certificate from a trusted CA.

- Entity

  A certificate applicant uses an entity to provide its identity information to a CA.

- RA

  Generally, an independent RA is in charge of certificate request management. It receives the registration request from an entity, checks its qualification, and determines whether to ask the CA to sign a digital certificate. The RA only checks the application qualification of an entity; it does not issue any certificate. Sometimes, the registration management function is provided by the CA, in which case no independent RA is required. Deploying an independent RA is recommended.

- URL of the registration server

  An entity sends a certificate request to the registration server through Simple Certificate Enrollment Protocol (SCEP), a dedicated protocol for an entity to communicate with a CA.

- Polling interval and count

  After an applicant makes a certificate request, the CA may need a long period of time if it verifies the certificate request manually. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed. You can configure the polling interval and count to query the request status.

- IP address of the LDAP server

  An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you need to configure the IP address of the LDAP server.

- Fingerprint for root certificate verification

  Upon receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.

Follow these steps to configure a PKI domain:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create a PKI domain and enter its view | pki domain domain-name | Required. No PKI domain exists by default. |
| Specify the trusted CA | ca identifier name | Required. No trusted CA is specified by default. |
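The root certificate fingerprint check described above can be reproduced off-device before a fingerprint is entered into the PKI domain. The following is an added example, not code from the original manual or the device vendor. It assumes the fingerprint is an MD5, SHA-1 or SHA-256 digest over the certificate's full DER encoding; the function names and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Assumption: the digest algorithm is inferred from the fingerprint length (hex chars).
_ALGS = {32: "md5", 40: "sha1", 64: "sha256"}
_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(cert_bytes: bytes) -> bytes:
    """Return the DER encoding; accept either PEM or raw DER input."""
    m = _PEM_RE.search(cert_bytes)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    return cert_bytes


def normalize(fp: str) -> str:
    """Strip separators (':', '-', whitespace) and lowercase a hex fingerprint."""
    hexstr = re.sub(r"[\s:\-]", "", fp).lower()
    if len(hexstr) not in _ALGS or not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError("fingerprint must be an MD5, SHA-1 or SHA-256 hex digest")
    return hexstr


def accept_root_cert(cert_bytes: bytes, configured_fp: str) -> bool:
    """True only if the hash of the whole certificate equals the configured value."""
    expected = normalize(configured_fp)
    actual = hashlib.new(_ALGS[len(expected)], to_der(cert_bytes)).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for a root certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-root-ca-certificate" * 8
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
# Constructed fingerprint, standing in for the value obtained from the CA out of band.
_hex = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
CONFIGURED_FP = ":".join(_hex[i:i + 2] for i in range(0, len(_hex), 2))

if __name__ == "__main__":
    print(accept_root_cert(SAMPLE_PEM, CONFIGURED_FP))            # matching root
    print(accept_root_cert(SAMPLE_DER + b"\x00", CONFIGURED_FP))  # altered root
```

The check is only as strong as the channel the configured fingerprint arrived over: a fingerprint copied from the same connection that delivered the root certificate verifies nothing.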