Configuring Privacy CA Protocol Information
Prerequisites
- In non-multi-tenant deployment scenarios, if the port used by the privacy CA protocol is not enabled, you need to enable the port on the page.
- In multi-tenant deployment scenarios, if the port used by the privacy CA protocol is not enabled, the system administrator needs to enable the port on the page.
Procedure
- Choose from the main menu.
- Choose from the navigation tree on the left.
- On the Protocol Configuration tab page, click Modify corresponding to a CA. On the page that is displayed, set required parameters. For detailed parameter descriptions, see Table 1.
Table 1 Privacy CA protocol parameters

| Parameter | Description | Value |
| --- | --- | --- |
| CA | Name of a CA. | The CA name cannot be changed. |
| Port | Port number corresponding to the privacy CA protocol. | The default value is 26805 and cannot be changed. |
| Use the validity period in the privacy CA request | Whether to use the validity period in the privacy CA request when applying for a certificate. NOTE: If you select Yes, the validity period of a certificate is the intersection of the following four validity periods: validity period of the CA associated with the certificate, validity period set in the certificate profile, validity period set in the associated CA, and validity period set in the CMP request. If you select No, the validity period of a certificate is the intersection of the following three validity periods: validity period of the CA associated with the certificate, validity period set in the certificate profile, and validity period set in the associated CA. | The default value is Yes. |
| Challenge value expiration time | A user sends a challenge value request to the Certificate Authority Service through the privacy CA protocol. If the Certificate Authority Service does not receive the certificate application request within the specified time, the challenge value expires and the verification fails. As a result, the Certificate Authority Service cannot issue the AK certificate. | The default value is 60 and cannot be changed. The unit is minute. |
| Privacy CA protocol request URI | A user applies for a certificate from the Certificate Authority Service using the privacy CA protocol. The privacy CA protocol request URI has the following two formats: (1) The request URI contains the name of the CA that issues the certificate and the name of the used certificate profile, for example, https://{IP}:26805/pca/v1/caname?certprofile=profilename, where v1 is the API version, caname is the name of the CA that issues the certificate, and profilename is the name of the used certificate profile. (2) The request URI contains only the name of a CA that issues the certificate and does not contain the profile name parameter. The default profile of the CA is used for certificate application. An example of this request is https://{IP}:26805/pca/v1/caname, where v1 is the API version and caname is the name of the CA that issues the certificate. | The privacy CA protocol request URI cannot be changed. |
- Click Submit.
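The NOTE for "Use the validity period in the privacy CA request" in Table 1 defines the issued validity period as an intersection of windows. The following is an added illustration of that rule, not code from the Certificate Authority Service; the function name, the sample dates (constructed) and returning None for non-overlapping windows are assumptions.

```python
from datetime import datetime, timezone


def effective_validity(ca_cert, profile, ca_setting, request=None, use_request=True):
    """Intersect validity windows as described in the NOTE of Table 1.

    Each window is a (not_before, not_after) tuple. With use_request=True
    (the default "Yes") the window carried in the request is a fourth
    constraint; with "No" it is ignored.
    Returns the resulting window, or None when the windows do not overlap
    (assumption: the page does not say how the service reports that case).
    """
    windows = [ca_cert, profile, ca_setting]
    if use_request and request is not None:
        windows.append(request)
    not_before = max(w[0] for w in windows)   # latest start wins
    not_after = min(w[1] for w in windows)    # earliest end wins
    return (not_before, not_after) if not_before < not_after else None


def d(year, month, day):
    """Helper for the constructed sample dates below (UTC midnight)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample windows, for illustration only.
CA_CERT = (d(2020, 1, 1), d(2030, 1, 1))      # validity of the CA certificate
PROFILE = (d(2024, 1, 1), d(2026, 1, 1))      # set in the certificate profile
CA_SETTING = (d(2023, 6, 1), d(2027, 6, 1))   # set in the associated CA
REQUEST = (d(2024, 3, 1), d(2029, 3, 1))      # asked for in the request

if __name__ == "__main__":
    print("Yes:", effective_validity(CA_CERT, PROFILE, CA_SETTING, REQUEST))
    print("No: ", effective_validity(CA_CERT, PROFILE, CA_SETTING, REQUEST,
                                     use_request=False))
```

A request can only narrow the window: asking for a later end date than the profile allows still yields the profile's end date.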
Follow-up Procedure
Applying for a certificate based on the privacy CA request URI
Choose . On the Protocol Configuration tab page, click on the left of a CA name, and copy the privacy CA request protocol URI of the CA for use.
One-way authentication
- https://IP address:26805/pca/v1/CA name
- https://IP address:26805/pca/v1/CA name?certprofile=Certificate profile name
For example, https://IP address:26805/pca/v1/caname?certprofile=profilename indicates that a privacy CA request for certificate application is sent to the Certificate Authority Service through the one-way TLS authentication protocol. In the URL, the IP address indicates the IP address of the Certificate Authority Service.
- The certprofile parameter specifies the end entity profile used for issuing certificates. This parameter is optional. If this parameter is not specified, the default CA profile is used for certificate application.
- A CA may be associated with multiple profiles. Therefore, the privacy CA protocol request URI may have multiple values. Select a value based on the site requirements.
- The subject information in the certificate application request must be different from that of the associated CA. Otherwise, certificate application fails.
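A client that stores the copied URI can check it against the two documented formats before sending an AK certificate request. The following is an added example, not code from the product; the function names are hypothetical, 192.0.2.10 is a documentation address, and percent-encoding of CA and profile names is an assumption the page does not confirm.

```python
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

PCA_PORT = 26805                              # fixed port from Table 1
PCA_PATH = re.compile(r"^/pca/v1/([^/]+)$")   # v1 = API version, then CA name


def build_pca_uri(host, ca_name, profile=None):
    """Build the request URI; omit profile to use the CA's default profile."""
    uri = f"https://{host}:{PCA_PORT}/pca/v1/{quote(ca_name, safe='')}"
    if profile is not None:
        uri += "?certprofile=" + quote(profile, safe="")
    return uri


def parse_pca_uri(uri):
    """Return (host, ca_name, profile_or_None); raise ValueError on any deviation."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError("privacy CA requests must use https")
    if parts.username or parts.password or parts.fragment:
        raise ValueError("userinfo and fragments are not part of the format")
    if parts.port != PCA_PORT:
        raise ValueError(f"port must be {PCA_PORT}")
    match = PCA_PATH.match(parts.path)
    if not match:
        raise ValueError("path must be /pca/v1/<CA name>")
    query = parse_qs(parts.query, keep_blank_values=True) if parts.query else {}
    if set(query) - {"certprofile"}:
        raise ValueError("certprofile is the only documented query parameter")
    profiles = query.get("certprofile", [])
    if len(profiles) > 1 or profiles == [""]:
        raise ValueError("certprofile must appear once with a non-empty value")
    return parts.hostname, unquote(match.group(1)), profiles[0] if profiles else None


if __name__ == "__main__":
    uri = build_pca_uri("192.0.2.10", "caname", "profilename")
    print(uri, "->", parse_pca_uri(uri))
```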
Related Tasks
- Viewing privacy CA protocol configuration
Choose . On the Protocol Configuration tab page, click on the left of a CA name to view the privacy CA protocol details.
- Searching for privacy CA protocol configuration
Choose . On the Protocol Configuration tab page, enter a CA name in the search box, and click to find the specified CA and view the detailed protocol configuration of the CA. The Certificate Authority Service supports fuzzy search by CA name.