HP 5920 Series Configuration Guide

HP 5920 Series
424 pages
Requesting a certificate
To request a certificate, a PKI entity must provide its identity information and public key to a CA.
A certificate request can be submitted to a CA in offline or online mode.
• Offline mode—A certificate request is submitted by an out-of-band means, such as phone, disk, or
email. You can use this mode as required or if you fail to request a certificate in online mode.
To submit a certificate request in offline mode:
a. Use pki request-certificate domain pkcs10 to print the request information on the terminal or
use pki request-certificate domain pkcs10 filename to save the request information to a local
file.
b. Send the printed information or the saved file to the CA by an out-of-band means to submit the
request.
• Online mode—A certificate request can be automatically or manually submitted. The following
sections describe the online request mode.
Configuration guidelines
The following guidelines apply to certificate requests for an entity in a PKI domain:
• Make sure the device is time synchronized with the CA server. Otherwise, the certificate request
might fail because the certificate might be considered to be outside of the validity period. For
information about how to configure the system time, see Fundamentals Configuration Guide.
• To request a new certificate for a PKI entity that already has a local certificate, perform the following
tasks:
a. Use the pki delete-certificate command to delete the existing local certificate.
b. Use the public-key local create command to generate a new key pair. The new key pair will automatically
overwrite the old key pair in the domain.
c. Submit a new certificate request.
• After a new certificate is obtained, do not use the public-key local create or public-key local destroy
command to generate or destroy a key pair with the same name as the key pair in the local
certificate. Otherwise, the existing local certificate becomes unavailable.
• A PKI domain can have local certificates using only one type of cryptographic algorithm (DSA or
RSA). If DSA is used, a PKI domain can have only one local certificate. If RSA is used, a PKI domain
can have one local certificate for signature, and one for encryption.
Configuring automatic certificate request
IMPORTANT:
If an automatically requested certificate will soon expire or has expired, the entity does not initiate a
re-request to the CA automatically, and the applications using the certificate might be interrupted.
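Because the device does not re-request an expiring certificate on its own, expiry has to be tracked outside the device. The following is an added example, not code from the HP guide: it classifies a certificate from its validity fields, covering both the expiry case in this note and the clock-skew case from the configuration guidelines. It assumes the certificate text shows the validity fields in OpenSSL-style form; the function names, the 30-day window and the sample text are constructed for illustration.

```python
import re
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample: validity fields in OpenSSL-style text form (assumed format).
SAMPLE = """\
Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Jan  1 00:00:00 2025 GMT
        Subject: CN=switch-a.example
"""

_FIELD = re.compile(r"Not (Before|After)\s*:\s*(.+?GMT)")


def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for kind, stamp in _FIELD.findall(text):
        # cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form.
        secs = ssl.cert_time_to_seconds(stamp.strip())
        found[kind] = datetime.fromtimestamp(secs, tz=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("validity fields not found in certificate text")
    return found["Before"], found["After"]


def classify(text, device_now, renew_window=timedelta(days=30)):
    """Classify a certificate against the device's own clock.

    device_now must be the time the device believes it is, because a device
    that is not synchronized with the CA can see a fresh certificate as
    outside its validity period.
    """
    not_before, not_after = parse_validity(text)
    if device_now < not_before:
        return "not-yet-valid"  # device clock is behind the CA
    if device_now >= not_after:
        return "expired"
    if not_after - device_now <= renew_window:
        return "renew-soon"  # schedule a manual re-request before expiry
    return "ok"


if __name__ == "__main__":
    print(classify(SAMPLE, datetime.now(timezone.utc)))
```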
In auto request mode, a PKI entity which does not have a local certificate automatically submits a
certificate request to the CA when an application works with the PKI entity. For example, when IKE
negotiation uses a digital signature for identity authentication, but no local certificate is available, the
