Configuring automatic certificate request
The device does not support automatic certificate rollover. To avoid service interruptions, you must
manually submit a certificate renewal request before the current certificate expires.
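Because renewal is manual, a scheduled expiry check helps you submit the renewal request in time. The following script is an added example, not part of the original manual. It assumes each local certificate has been exported from the device to a PEM file and that the OpenSSL command-line tool is installed; the function names and file paths are hypothetical.

```shell
#!/bin/sh
# Flag exported device certificates that must be renewed by hand soon.
# Assumptions (not from the manual): each local certificate has been exported
# from the device to a PEM file, and the OpenSSL command-line tool is installed.

# renewal_due FILE DAYS
# Status 0: the certificate expires within DAYS days (or has already expired).
# Status 1: the certificate is still valid beyond that window.
# Status 2: FILE is not a readable PEM certificate.
renewal_due() {
    file=$1
    window=$2
    # Reject anything OpenSSL cannot parse, so a bad export is not read as "fine".
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || return 2
    # -checkend N succeeds only if the certificate is still valid N seconds from now.
    if openssl x509 -in "$file" -noout -checkend $((window * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# report_renewals DAYS FILE...
# Prints one line per file; the return status is the number of files needing attention.
report_renewals() {
    days=$1
    shift
    pending=0
    for cert in "$@"; do
        rc=0
        renewal_due "$cert" "$days" || rc=$?
        case $rc in
            0) echo "RENEW   $cert ($(openssl x509 -in "$cert" -noout -enddate))"
               pending=$((pending + 1)) ;;
            1) echo "OK      $cert" ;;
            *) echo "INVALID $cert"
               pending=$((pending + 1)) ;;
        esac
    done
    return "$pending"
}

# Example invocation (hypothetical paths): sh check-renewal.sh 30 exported/*.pem
if [ "$#" -ge 2 ]; then
    report_renewals "$@"
fi
```

A nonzero exit status means at least one certificate needs a manual renewal request or could not be parsed, so the script can drive an alert from a scheduler.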
In auto request mode, a PKI entity automatically submits a certificate request to the CA when an
application works with the PKI entity that does not have a local certificate. For example, when IKE
negotiation uses a digital signature for identity authentication, but no local certificate is available, the
entity automatically submits a certificate request. It saves the certificate locally after obtaining it from
the CA.
A CA certificate must be present before you request a local certificate. If no CA certificate exists in the
PKI domain, the PKI entity automatically obtains a CA certificate before sending a certificate request.
To configure automatic certificate request:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter PKI domain view.
   Command: pki domain domain-name
   Remarks: N/A
3. Set the certificate request mode to auto.
   Command: certificate request mode auto [ password { cipher | simple } password ]
   Remarks: By default, the manual request mode applies. In auto request mode, set a password for
   certificate revocation as required by the CA policy.
Manually requesting a certificate
Before you manually submit a certificate request, make sure the CA certificate exists and a key pair
is specified for the PKI domain:
• The CA certificate is used to verify the authenticity and validity of the obtained local certificate.
• The key pair is used for certificate request. Upon receiving the public key and the identity
information, the CA signs and issues a certificate.
After the CA issues the certificate, the device obtains and saves it locally.
To manually request a certificate:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter PKI domain view.
   Command: pki domain domain-name
   Remarks: N/A
3. Set the certificate request mode to manual.
   Command: certificate request mode manual
   Remarks: By default, the manual request mode applies.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Obtain the CA certificate.
   Command: See "Obtaining certificates."
   Remarks: N/A
6. Submit a certificate request or generate a certificate request in PKCS#10 format.
   Command: pki request-certificate domain domain-name [ password password ] [ pkcs10 [ filename filename ] ]
   Remarks: This command is not saved in the configuration file.
   This command triggers the PKI entity to automatically generate