270
Step Command Remarks
[ length key-length ] | signature
name signature-key-name [ length
key-length ] } * | general name
key-name [ length key-length ] }
• Specify an ECDSA key pair:
{ In non-FIPS mode:
public-key ecdsa name
key-name [ secp192r1 |
secp256r1 | secp384r1 |
secp521r1 ]
{ In FIPS mode:
public-key ecdsa name
key-name [ secp256r1 |
secp384r1 | secp521r1 ]
• Specify a DSA key pair:
public-key dsa name key-name
[ length key-length ]
If the specified key pair does not
exist, the PKI entity automatically
creates the key pair before
submitting a certificate request.
For information about how to
generate DSA, ECDSA, and RSA
key pairs, see "Managing public
key
s."
11. (Optional.) Specify the
intended use for the
certificate.
usage
{
ike
|
ssl-client
|
ssl-server
} *
By default, the certificate can be
used by all supported
applications, including IKE, SSL
client, and SSL server.
The extension options contained
in an issued certificate depend on
the CA policy, and they might be
different from those specified in
the PKI domain.
12. (Optional.) Specify a
source IP address for
the PKI protocol
packets.
• Specify the source IPv4 address for
the PKI protocol packets:
source ip { ip-address | interface
interface-type interface-number }
• Specify the source IPv6 address for
the PKI protocol packets:
source ipv6 { ipv6-address |
interface interface-type
interface-number }
This task is required if the CA
policy requires that the CA server
accept certificate requests from a
specific IP address or subnet.
By default, the source IP address
of PKI protocol packets is the IP
address of their outgoing
interface.
Requesting a certificate
To request a certificate, a PKI entity must provide its identity information and public key to a CA.
A certificate request can be submitted to a CA in offline or online mode.
• Offline mode—A certificate request is submitted by using an out-of-band method, such as
phone, disk, or email. You can use this mode as required or if you fail to request a certificate in
online mode.
To submit a certificate request in offline mode:
a. Use pki request-certificate domain pkcs10 to print the request information on the
terminal or use pki request-certificate domain pkcs10 filename to save the request
information to a local file.
b. Send the printed information or the saved file to the CA by using an out-of-band method.
• Online mode—A certificate request can be automatically or manually submitted. This section
describes the online request mode.
To Next Page
Loading...
Need help?
General