
H3C S5120-SI Series Configuration Guide

• If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. For information about the public-key local create command, refer to Public Key Commands.
• A newly created key pair will overwrite the existing one. If you execute the public-key local create command when a local RSA key pair already exists, the system will ask you whether you want to overwrite the existing one.
• If a PKI domain already has a local certificate, you cannot request another certificate for it. This is to avoid inconsistency between the certificate and the registration information resulting from configuration changes. Before requesting a new certificate, use the pki delete-certificate command to delete the existing local certificate and the CA certificate stored locally.
• When it is impossible to request a certificate from the CA through SCEP, you can print the request information or save the request information to a local file, and then send the printed information or saved file to the CA by an out-of-band means. To print the request information, use the pki request-certificate domain command with the pkcs10 keyword. To save the request information to a local file, use the pki request-certificate domain command with the pkcs10 filename filename keyword and argument combination.
• Make sure the clocks of the entity and the CA are synchronized. Otherwise, the validity period of the certificate will be abnormal.
• The pki request-certificate domain configuration will not be saved in the configuration file.
Retrieving a Certificate Manually
You can download an existing CA certificate or local certificate from the CA server and save it locally. There are two ways to do so: online and offline. In offline mode, you retrieve the certificate by an out-of-band means such as FTP, disk, or e-mail, and then import it into the local PKI system.
Certificate retrieval serves two purposes:
• Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
• Prepare for certificate verification.
Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
Follow these steps to retrieve a certificate manually:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Retrieve a certificate manually (online) | pki retrieval-certificate { ca \| local } domain domain-name | Required. Use either command. |
| Retrieve a certificate manually (offline) | pki import-certificate { ca \| local } domain domain-name { der \| p12 \| pem } [ filename filename ] | Required. Use either command. |
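
The offline path moves certificate files over channels such as FTP or e-mail, so they can be checked on the administrator's workstation before pki import-certificate is run. The script below is an added example, not part of the H3C guide: it assumes OpenSSL is installed, that the CA certificate, the local certificate and the saved PKCS#10 request are all PEM files, and that the CA's SHA-256 fingerprint was obtained over a separate channel. All function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, run on the admin workstation before `pki import-certificate ... pem`.
# Assumptions: OpenSSL is installed, all files are PEM, every file name is hypothetical.

cert_fp() {   # SHA-256 fingerprint of a certificate: lowercase hex, no colons
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

check_ca_fp() {   # check_ca_fp ca.pem FP  (FP obtained from the CA over a separate channel)
    [ "$(cert_fp "$1")" = "$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')" ]
}

check_issued_by() {   # chains to the CA and is within its validity period by this host's clock
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

check_key_match() {   # certificate carries the public key of the PKCS#10 request from the switch
    cert_key=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    req_key=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$cert_key" ] && [ "$cert_key" = "$req_key" ]
}

precheck_import() {   # precheck_import ca.pem FP local.pem request.pem
    check_ca_fp "$1" "$2"     || { echo "CA fingerprint mismatch" >&2; return 1; }
    check_issued_by "$1" "$3" || { echo "not issued by this CA, or outside validity period" >&2; return 1; }
    check_key_match "$3" "$4" || { echo "certificate key differs from request key" >&2; return 1; }
    echo "ok to import"
}

make_constructed_samples() {   # builds a throwaway CA, request and certificate in directory $1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-switch" \
        -keyout "$1/sw.key" -out "$1/sw.req" 2>/dev/null &&
    openssl x509 -req -in "$1/sw.req" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/sw.pem" 2>/dev/null
}

# Stand-alone use: sh precheck.sh ca.pem FINGERPRINT local.pem request.pem
[ "$#" -ne 4 ] || precheck_import "$@"
```

A key mismatch reported here is the key pair and certificate inconsistency described in the notes above, for example when the RSA key pair was regenerated after the request was saved.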
