3Com Switch 4800G 24-Port - Retrieving a Certificate Manually

3Com Switch 4800G 24-Port
1246 pages
1226 CHAPTER 97: PKI CONFIGURATION
Generating an RSA key pair is an important step in requesting a certificate. The key pair
includes a public key and a private key. The private key is kept by the user, while
the public key is transferred to the CA along with some other information. For
detailed information about RSA key pair configuration, refer to “Configuring RSA
and DSA Keys” on page 1111.
Follow these steps to submit a certificate request in manual mode:
Note:
- If a PKI domain already has a local certificate, creating an RSA key pair will
  result in inconsistency between the key pair and the certificate. To generate a new
  RSA key pair, delete the local certificate and then issue the public-key local
  create rsa command.
- A newly created key pair will overwrite the existing one. If you perform the
  public-key local create rsa command in the presence of a local RSA key pair,
  the system will ask you whether you want to overwrite the existing one.
- If a PKI domain already has a local certificate, you cannot request another
  certificate for it. This is to avoid inconsistency between the certificate and the
  enrollment information resulting from configuration changes. To request a new
  certificate, use the pki delete-certificate command to delete the existing local
  certificate and the CA certificate stored locally.
- When it is impossible to request a certificate from the CA through SCEP, you
  can save the request information by using the pki request-certificate
  domain command with the pkcs10 and filename keywords, and then send
  the file to the CA by an out-of-band means.
- Make sure the clocks of the entity and the CA are synchronized. Otherwise, the
  validity period of the certificate may be abnormal.
- The pki request-certificate domain configuration will not be saved in the
  configuration file.
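
The notes above describe saving the request as a PKCS#10 file for out-of-band delivery and warn about a key pair that no longer matches the certificate. The following added example (not from the 3Com manual) shows how both can be checked with OpenSSL on the host that handles the file. Assumptions: the files are PEM-encoded, OpenSSL is installed, and all function and file names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the manual. Assumes OpenSSL and PEM-encoded files;
# function names and file paths are hypothetical.

# Succeeds if the request's self-signature verifies, i.e. the requester holds
# the private key for the public key inside the PKCS#10 file. The output is
# matched as text because the exit status on failure differs between
# OpenSSL releases.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Prints the public key size in bits (for example 2048).
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Gate before signing: valid self-signature and a key of at least $2 bits.
request_acceptable() {
    csr_signature_ok "$1" || return 1
    ra_bits=$(csr_key_bits "$1")
    [ -n "$ra_bits" ] && [ "$ra_bits" -ge "$2" ]
}

# Succeeds if certificate $1 carries the same public key as request $2.
# A mismatch is the key pair / certificate inconsistency the note warns about
# (for example, the key pair was regenerated after the request was sent).
cert_matches_request() {
    cm_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    cm_req=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$cm_cert" ] && [ "$cm_cert" = "$cm_req" ]
}

# Constructed sample input: a throwaway key and request standing in for the
# file saved by the switch. $1 is the output path prefix.
make_sample_request() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sample-switch" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}
```

On a real request, call request_acceptable with the file received from the switch and the minimum key size the CA policy requires, then run cert_matches_request on the issued certificate before importing it.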
Retrieving a Certificate Manually
You can download an existing CA certificate or local certificate from the CA server
and save it locally. There are two ways to do so: online and offline. In offline
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter PKI domain view | pki domain domain-name | - |
| Set the certificate request mode to manual | certificate request mode manual | Optional. Manual by default |
| Return to system view | quit | - |
| Retrieve a CA certificate manually | Refer to “Retrieving a Certificate Manually” on page 1226 | Required |
| Generate a local RSA key pair | public-key local create rsa | Required. No local RSA key pair exists by default. |
| Submit a local certificate request | pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ]] | Required |
