
    Configuring a PKI (NSM Procedure)

    The Public Key Infrastructure (PKI) feature allows you to configure automatic re-enrollment, Certificate Authority (CA) certificate, CA profile, certificate revocation list (CRL), local certificate, and traceoptions.

    To configure the PKI feature:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the device for which you want to configure the PKI feature.
    3. Click the Configuration tab. In the configuration tree, select Security > Pki.
    4. Select the Enable Feature check box to enable this feature.
    5. Enter a comment in the Pki workspace that describes the PKI.
    6. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.
      • Apply—Applies the PKI parameters.

    You can now configure the following options:

    Configuring Auto Re-enrollment (NSM Procedure)

    To configure the auto re-enrollment feature:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the device for which you want to configure the auto re-enrollment feature.
    3. Click the Configuration tab. In the configuration tree, select Security > Pki > Auto Re Enrollment.
    4. Enter a comment in the Auto Re Enrollment workspace that describes the auto re-enrollment feature.
    5. In the configuration tree, select Security > Pki > Auto Re Enrollment > Certificate Id.
    6. Add or modify settings as specified in Table 1.
    7. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.
      • Apply—Applies the auto re-enrollment parameters.

    Table 1: Auto Re-enrollment Configuration Details

    | Option | Function | Your Action |
    |---|---|---|
    | Name | Specifies the name of the certificate ID. | Enter the name of the certificate ID. |
    | Comment | Specifies a descriptive comment for the certificate ID. | Enter a comment. |
    | Ca Profile Name | Specifies the name of the CA profile. | Select the CA profile name from the list. |
    | Challenge Password | Specifies the password used by the CA for enrollment and revocation. | Enter the password. |
    | Re Enroll Trigger Time Percentage | Specifies (in percentage) the re-enrollment trigger time before the expiration. | Set the re-enrollment trigger time. Range: 1 - 99. |
    | Re Generate Keypair | Generates a new key pair for an auto re-enrollment. | Select the Re Generate Keypair check box to enable this feature. |

    Configuring a CA Profile (NSM Procedure)

    The CA Profile feature allows you to configure the administrator, enrollment and revocation list.

    To configure the CA profile:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the device for which you want to configure the CA profile.
    3. Click the Configuration tab. In the configuration tree, select Security > Pki > Ca Profile.
    4. Add or modify settings as specified in Table 2.
    5. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.
      • Apply—Applies the CA profile parameters.

    Table 2: CA Profile Configuration Details

    | Option | Function | Your Action |
    |---|---|---|
    | ca-profile | | |
    | Name | Specifies the name of the CA profile. | Enter the name of the CA profile. |
    | Comment | Supplies a descriptive comment for the CA profile. | (Optional) Enter a comment. |
    | Ca Identity | Specifies the CA identifier. | Enter the CA identifier. |
    | ca-profile > Administrator | | |
    | Comment | Supplies a descriptive comment for the CA profile administrator. | (Optional) Enter a comment. |
    | Email Address | Specifies the administrator's e-mail address where the certificate requests are sent. | Enter the e-mail address. |
    | ca-profile > Enrollment | | |
    | Comment | Supplies a descriptive comment for the CA profile enrollment. | (Optional) Enter a comment. |
    | Url | Specifies the enrollment URL of the certificate CA. | Enter the enrollment URL of the certificate CA. |
    | Retry | Specifies (in seconds) the number of permissible enrollment retry attempts before terminating. | Set the permissible retry attempts. Range: 0 - 1080. |
    | Retry Interval | Specifies the amount of time between enrollment retries. | Set the enrollment retry interval. Range: 0 - 3600. |
    | ca-profile > Revocation Check | | |
    | Comment | Supplies a descriptive comment for the revocation check. | (Optional) Enter a comment. |
    | Disable | Disables a revocation check. | Select the Disable check box to disable this feature. |
    | ca-profile > Revocation Check > Crl | | |
    | Comment | Supplies a descriptive comment for the CRL. | (Optional) Enter a comment. |
    | Refresh Interval | Specifies the CRL refresh interval. | Set the CRL refresh interval. Range: 0 through 8784. |
    | ca-profile > Revocation Check > Crl > Disable | | |
    | Comment | Supplies a descriptive comment for disabling the CRL. | (Optional) Enter a comment. |
    | On Download Failure | Disables the revocation check for the CRL download failure. | Select the On Download Failure check box to enable this feature. |
    | ca-profile > Revocation Check > Crl > Url | | |
    | Name | Specifies the URL or CRL distribution point for the CA. | Enter the URL or CRL distribution point for the CA. |
    | Comment | Supplies a descriptive comment for the URL or CRL distribution point for the CA. | (Optional) Enter a comment. |
    | Password | Specifies the password for authentication with the server. | Enter the password. |

    Configuring Traceoptions (NSM Procedure)

    The traceoptions feature allows you to configure the file and the flag options.

    To configure traceoptions:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the device for which you want to configure the traceoptions.
    3. Click the Configuration tab. In the configuration tree, select Security > Pki > Traceoptions.
    4. Configure the options as specified in Table 3.
    5. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.
      • Apply—Applies the traceoptions settings.

    Table 3: Traceoptions Configuration Details

    | Option | Function | Your Action |
    |---|---|---|
    | Comment | Supplies a descriptive comment for the traceoptions. | (Optional) Enter a comment. |
    | No Remote Trace | Disables remote tracing. | Select the No Remote Trace check box to enable this feature. |

    You can now configure the following options:

    Configuring the File Options (NSM Procedure)

    To configure the file options:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the device for which you want to configure the file options.
    3. Click the Configuration tab. In the configuration tree, select Security > Pki > Traceoptions > File.
    4. Configure the file options as specified in Table 4.
    5. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.
      • Apply—Applies the file settings.

    Table 4: File Configuration Details

    | Option | Function | Your Action |
    |---|---|---|
    | Comment | Supplies a descriptive comment for the filename. | Enter a comment. |
    | Filename | Specifies the filename to write the traceoptions. | Enter a filename. |
    | Size | Specifies the maximum size of the trace file. | Enter the maximum file size. |
    | Files | Specifies the maximum number of trace files. | Set the maximum number of trace files. Range: 2 through 1000. |
    | None | Specifies that neither the world-readable nor the no-world-readable option is enabled. | Select the option. |
    | world-readable | Allows any user to read the log file. | (Optional) Select the option. |
    | no-world-readable | Prevents any user from reading the log file. | (Optional) Select the option. |
    | Match | Specifies the regular expression for the lines to be logged. | Enter the match expression. |
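
An added example, not part of the original procedure or of NSM: a small audit over a device configuration exported as set-style statements, flagging the options from Tables 1, 2 and 4 that weaken certificate validation or expose trace data. The statement names are assumed to be how the device renders these NSM options, and the sample configuration is constructed.

```python
import re

# Constructed sample in set-style form (assumed rendering of the NSM options).
SAMPLE_CONFIG = """\
set security pki ca-profile corp-ca ca-identity corp-ca
set security pki ca-profile corp-ca revocation-check crl refresh-interval 24
set security pki ca-profile corp-ca revocation-check crl disable on-download-failure
set security pki ca-profile lab-ca ca-identity lab-ca
set security pki ca-profile lab-ca revocation-check disable
set security pki auto-re-enrollment certificate-id vpn-cert ca-profile-name corp-ca
set security pki auto-re-enrollment certificate-id vpn-cert re-enroll-trigger-time-percentage 10
set security pki traceoptions file pki-trace
set security pki traceoptions file world-readable
"""

RULES = [  # (regex over one statement, finding template)
    (r"ca-profile (\S+) revocation-check disable$",
     "ca-profile {0}: revocation check disabled, revoked certificates are accepted"),
    (r"ca-profile (\S+) revocation-check crl disable on-download-failure$",
     "ca-profile {0}: revocation check is skipped when the CRL download fails"),
    (r"traceoptions file (?:.* )?world-readable$",
     "traceoptions: trace file is readable by any user"),
]

def audit_pki(config_text):
    """Return findings for 'set security pki ...' statements, in config order."""
    findings, reenroll_ids, regen_ids = [], set(), set()
    for line in config_text.splitlines():
        stmt = line.strip()
        if not stmt.startswith("set security pki "):
            continue
        for pattern, template in RULES:
            m = re.search(pattern, stmt)
            if m:
                findings.append(template.format(*m.groups()))
        m = re.search(r"auto-re-enrollment certificate-id (\S+)(.*)$", stmt)
        if m:
            reenroll_ids.add(m.group(1))
            if "re-generate-keypair" in m.group(2):
                regen_ids.add(m.group(1))
            pct = re.search(r"re-enroll-trigger-time-percentage (\d+)", m.group(2))
            if pct and not 1 <= int(pct.group(1)) <= 99:  # range from Table 1
                findings.append(f"certificate-id {m.group(1)}: trigger percentage outside 1-99")
    # Certificate IDs that re-enroll without Re Generate Keypair keep their old key.
    for cert_id in sorted(reenroll_ids - regen_ids):
        findings.append(f"certificate-id {cert_id}: re-enrollment reuses the existing key pair")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_pki(SAMPLE_CONFIG)))
```
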

    Configuring Flag Options (NSM Procedure)

    To configure flag options:

    1. In the NSM navigation tree, select Device Manager > Devices.
    2. Click the Device Tree tab, and then double-click the device for which you want to configure the flag options.
    3. Click the Configuration tab. In the configuration tree, select Security > Pki > Traceoptions > Flag.
    4. Add or modify settings as specified in Table 5.
    5. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.
      • Apply—Applies the flag settings.

    Table 5: Flag Configuration Details

    | Option | Function | Your Action |
    |---|---|---|
    | Name | Specifies the trace flag name. | Select a name from the list. |
    | Comment | Supplies a descriptive comment for the trace flag. | Enter a comment. |

    Note: You can also configure CA Certificates, CRLs, and Local Certificates in PKI configuration.

    Published: 2013-01-06