Configuring a PKI (NSM Procedure)

The Public Key Infrastructure (PKI) feature allows you to configure automatic re-enrollment, Certificate Authority (CA) certificates, CA profiles, certificate revocation lists (CRLs), local certificates, and traceoptions.

To configure the PKI feature:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device for which you want to configure the PKI feature.
  3. Click the Configuration tab. In the configuration tree, select Security > Pki.
  4. Select the Enable Feature check box to enable this feature.
  5. Enter a comment in the Pki workspace that describes the PKI.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.
    • Apply—Applies the PKI parameters.

You can now configure the following options:

Configuring Auto Re-enrollment (NSM Procedure)

To configure the auto re-enrollment feature:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device for which you want to configure the auto re-enrollment feature.
  3. Click the Configuration tab. In the configuration tree, select Security > Pki > Auto Re Enrollment.
  4. Enter a comment in the Auto Re Enrollment workspace that describes the auto re-enrollment feature.
  5. In the configuration tree, select Security > Pki > Auto Re Enrollment > Certificate Id.
  6. Add or modify settings as specified in Table 122.
  7. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.
    • Apply—Applies the auto re-enrollment parameters.

Table 122: Auto Re-enrollment Configuration Details

| Option | Function | Your Action |
|---|---|---|
| Name | Specifies the name of the certificate ID. | Enter the name of the certificate ID. |
| Comment | Specifies a descriptive comment for the certificate ID. | Enter a comment. |
| Ca Profile Name | Specifies the name of the CA profile. | Select the CA profile name from the list. |
| Challenge Password | Specifies the password used by the CA for enrollment and revocation. | Enter the password. |
| Re Enroll Trigger Time Percentage | Specifies (in percentage) the re-enrollment trigger time before the expiration. | Set the re-enrollment trigger time. Range: 1 - 99. |
| Re Generate Keypair | Generates a new key pair for an auto re-enrollment. | Select the Re Generate Keypair check box to enable this feature. |

Configuring a CA Profile (NSM Procedure)

The CA Profile feature allows you to configure the administrator, enrollment and revocation list.

To configure the CA profile:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device for which you want to configure the CA profile.
  3. Click the Configuration tab. In the configuration tree, select Security > Pki > Ca Profile.
  4. Add or modify settings as specified in Table 123.
  5. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.
    • Apply—Applies the CA profile parameters.

Table 123: CA Profile Configuration Details

| Option | Function | Your Action |
|---|---|---|
| ca-profile | | |
| Name | Specifies the name of the CA profile. | Enter the name of the CA profile. |
| Comment | Supplies a descriptive comment for the CA profile. | (Optional) Enter a comment. |
| Ca Identity | Specifies the CA identifier. | Enter the CA identifier. |
| ca-profile > Administrator | | |
| Comment | Supplies a descriptive comment for the CA profile administrator. | (Optional) Enter a comment. |
| Email Address | Specifies the administrator's e-mail address where the certificate requests are sent. | Enter the e-mail address. |
| ca-profile > Enrollment | | |
| Comment | Supplies a descriptive comment for the CA profile enrollment. | (Optional) Enter a comment. |
| Url | Specifies the enrollment URL of the certificate CA. | Enter the enrollment URL of the certificate CA. |
| Retry | Specifies (in seconds) the number of permissible enrollment retry attempts before terminating. | Set the permissible retry attempts. Range: 0 - 1080. |
| Retry Interval | Specifies the amount of time between enrollment retries. | Set the enrollment retry interval. Range: 0 - 3600. |
| ca-profile > Revocation Check | | |
| Comment | Supplies a descriptive comment for the revocation check. | (Optional) Enter a comment. |
| Disable | Disables a revocation check. | Select the Disable check box to disable this feature. |
| ca-profile > Revocation Check > Crl | | |
| Comment | Supplies a descriptive comment for the CRL. | (Optional) Enter a comment. |
| Refresh Interval | Specifies the CRL refresh interval. | Set the CRL refresh interval. Range: 0 through 8784. |
| ca-profile > Revocation Check > Crl > Disable | | |
| Comment | Supplies a descriptive comment for disabling the CRL. | (Optional) Enter a comment. |
| On Download Failure | Disables the revocation check for the CRL download failure. | Select the On Download Failure check box to enable this feature. |
| ca-profile > Revocation Check > Crl > Url | | |
| Name | Specifies the URL or CRL distribution point for the CA. | Enter the URL or CRL distribution point for the CA. |
| Comment | Supplies a descriptive comment for the URL or CRL distribution point for CA. | (Optional) Enter a comment. |
| Password | Specifies the password for authentication with the server. | Enter the password. |

Configuring Traceoptions (NSM Procedure)

The traceoptions feature allows you to configure the file and the flag options.

To configure traceoptions:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device for which you want to configure the traceoptions.
  3. Click the Configuration tab. In the configuration tree, select Security > Pki > Traceoptions.
  4. Configure the options as specified in Table 124.
  5. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.
    • Apply—Applies the traceoptions settings.

Table 124: Traceoptions Configuration Details

| Option | Function | Your Action |
|---|---|---|
| Comment | Supplies a descriptive comment for the traceoptions. | (Optional) Enter a comment. |
| No Remote Trace | Disables remote tracing. | Select the No Remote Trace check box to enable this feature. |

You can now configure the following options:

Configuring the File Options (NSM Procedure)

To configure the file options:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device for which you want to configure the file options.
  3. Click the Configuration tab. In the configuration tree, select Security > Pki > Traceoptions > File.
  4. Configure the file options as specified in Table 125.
  5. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.
    • Apply—Applies the file settings.

Table 125: File Configuration Details

| Option | Function | Your Action |
|---|---|---|
| Comment | Supplies a descriptive comment for the filename. | Enter a comment. |
| Filename | Specifies the filename to write the traceoptions. | Enter a filename. |
| Size | Specifies the maximum size of the trace file. | Enter the maximum file size. |
| Files | Specifies the maximum number of trace files. | Set the maximum number of trace files. Range: 2 through 1000. |
| None | Specifies that neither the world-readable nor the no-world-readable option is enabled. | Select the option. |
| world-readable | Allows any user to read the log file. | (Optional) Select the option. |
| no-world-readable | Prevents any user from reading the log file. | (Optional) Select the option. |
| Match | Specifies the regular expression for the lines to be logged. | Enter the match expression. |
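
Three of the options in Tables 123 and 125 weaken certificate validation or expose PKI trace data: Revocation Check > Disable, Crl > Disable > On Download Failure, and the world-readable file option. The following is an added example, not part of the original NSM documentation, that audits a device configuration for them. It assumes the configuration is available in Junos CLI set format; the profile names, URLs, and file name in the sample are constructed.

```python
import re

# Constructed sample: Junos "set"-format lines for options in Tables 123 and 125.
# Assumption: the config was exported in set format; all names and URLs are made up.
SAMPLE_CONFIG = """\
set security pki ca-profile corp-ca ca-identity corp-ca.example.net
set security pki ca-profile corp-ca enrollment url http://ca.example.net/scep
set security pki ca-profile corp-ca revocation-check crl url http://ca.example.net/corp.crl
set security pki ca-profile corp-ca revocation-check crl refresh-interval 24
set security pki ca-profile lab-ca ca-identity lab-ca.example.net
set security pki ca-profile lab-ca revocation-check disable
set security pki ca-profile branch-ca ca-identity branch-ca.example.net
set security pki ca-profile branch-ca revocation-check crl disable on-download-failure
set security pki traceoptions file pki-trace
set security pki traceoptions file world-readable
"""

PROFILE_RE = re.compile(r"^set security pki ca-profile (\S+) (.+)$")
TRACE_RE = re.compile(r"^set security pki traceoptions file (.+)$")

def audit_pki(config_text):
    """Return sorted (scope, finding) tuples for fail-open or exposed PKI settings."""
    findings = set()
    profiles = {}  # CA profile name -> list of statement tails seen for it
    for line in config_text.splitlines():
        line = line.strip()
        m = PROFILE_RE.match(line)
        if m:
            profiles.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = TRACE_RE.match(line)
        if m and m.group(1) == "world-readable":
            findings.add(("traceoptions", "trace file is world-readable"))
    for name, tails in profiles.items():
        # Exact-match the tails so "crl disable on-download-failure" is not
        # mistaken for a full "revocation-check disable".
        if "revocation-check disable" in tails:
            findings.add((name, "revocation check disabled"))
        if "revocation-check crl disable on-download-failure" in tails:
            findings.add((name, "revocation check skipped when CRL download fails"))
    return sorted(findings)
```

A profile that appears in the result accepts certificates without a working revocation check, so a revoked peer certificate would still validate against it.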

Configuring Flag Options (NSM Procedure)

To configure flag options:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device for which you want to configure the flag options.
  3. Click the Configuration tab. In the configuration tree, select Security > Pki > Traceoptions > Flag.
  4. Add or modify settings as specified in Table 126.
  5. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.
    • Apply—Applies the flag settings.

Table 126: Flag Configuration Details

| Option | Function | Your Action |
|---|---|---|
| Name | Specifies the trace flag name. | Select a name from the list. |
| Comment | Supplies a descriptive comment for the trace flag. | Enter a comment. |

Note: You can also configure CA Certificates, CRLs, and Local Certificates in PKI configuration.
