1-13PKI Configuration Examplesz The SCEP plug-in is required when you use the Windows Server as the CA. In this case, whenconfiguring the PKI domain, you need to use the certificate request from ra command to specifythat the entity requests a certificate from an RA.z The SCEP plug-in is not required when RSA Keon is used. In this case, when configuring a PKIdomain, you need to use the certificate request from ca command to specify that the entityrequests a certificate from a CA.Requesting a Certificate from a CA Running RSA KeonThe CA server runs RSA Keon in this configuration example.Network requirementsz The device submits a local certificate request to the CA server.z The device acquires the CRLs for certificate verification.Figure 1-2 Request a certificate from a CA running RSA KeonConfiguration procedure1) Configure the CA server# Create a CA server named myca.In this example, you need to configure these basic attributes on the CA server at first:z Nickname: Name of the trusted CA.z Subject DN: DN information of the CA, including the Common Name (CN), Organization Unit (OU),Organization (O), and Country (C).The other attributes may be left using the default values.# Configure extended attributes.After configuring the basic attributes, you need to perform configuration on the jurisdiction configurationpage of the CA server. This includes selecting the proper extension profiles, enabling the SCEPautovetting function, and adding the IP address list for SCEP autovetting.