226
To do… Use the command… Remarks
Specify the LDAP server
ldap-server ip ip-address [ port
port-number ] [ version
version-number ]
Optional
No LDP server is specified by
default.
Configure the fingerprint for root
certificate verification
root-certificate fingerprint { md5 |
sha1 } string
Required when the certificate
request mode is auto and optional
when the certificate request mode
is manual. In the latter case, if you
do not configure this command, the
fingerprint of the root certificate
must be verified manually.
No fingerprint is configured by
default.
NOTE:
• Up to two PKI domains can be created on a device.
• The CA name is required only when you retrieve a CA certificate. It is not used when in local certificate
request.
• The URL of the server for certificate request does not support domain name resolution.
Submitting a PKI certificate request
When requesting a certificate, an entity introduces itself to the CA by providing its identity information
and public key, which will be the major components of the certificate. A certificate request can be
submitted to a CA in an online mode or an offline mode. In offline mode, a certificate request is
submitted to a CA by an "out-of-band" means such as phone, disk, or email.
Online certificate request falls into manual mode and auto mode.
Submitting a certificate request in auto mode
In auto mode, an entity automatically requests a certificate from the CA server if it has no local certificate
for an application working with PKI.
Follow these steps to configure an entity to submit a certificate request in auto mode:
To do… Use the command… Remarks
Enter system view system-view —
Enter PKI domain view pki domain domain-name —
Set the certificate request mode to
auto
certificate request mode auto
[ key-length key-length | password
{ cipher | simple } password ] *
Required
Manual by default
NOTE:
If a certificate will expire or has expired, the entity does not initiate a re-request automatically, and the
service using the certificate might be interrupted. To have a new local certificate, request one manually.
To Next Page
Loading...
