Configuring automatic certificate request
In auto mode, an entity that does not have a local certificate automatically requests a certificate from
the CA server when an application works with the PKI entity. For example, when IKE negotiation
uses a digital signature for identity authentication, but no local certificate is available, the entity
automatically submits a certificate request and saves the certificate locally after obtaining it from the
CA.
A CA certificate must already exist before you request a local certificate. If no CA certificate exists in
the PKI domain, the PKI entity automatically obtains a CA certificate before sending a certificate
request.
By default, if an automatically requested certificate is about to expire or has expired, the entity
does not submit a renewal request to the CA automatically (the before-expire option described below
changes this behavior), and the services using the certificate might be interrupted.
To configure an entity to submit a certificate request in auto mode:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter PKI domain view.
    Command: pki domain domain-name
    Remarks: N/A

Step 3. Set the certificate request mode to auto.
    Command: certificate request mode auto [ key-length key-length | password { cipher | simple } password | before-expire num-days [ regenerate ] ] *
    Remarks: By default, the manual request mode applies.
    Specify the num-days argument to enable the entity to request a new certificate the specified
    number of days before the current certificate expires.
    If the before-expire keyword is specified but the regenerate keyword is not, the entity uses the
    old RSA key pair for the certificate renewal request.
    If both the before-expire and regenerate keywords are specified, the entity generates a new RSA
    key pair each time it submits a certificate renewal request. The new RSA key pair overwrites the
    old one, which might interrupt other services that are using the old RSA key pair. Therefore,
    Hewlett Packard Enterprise recommends that you use the public-key rsa general name command to
    designate a specific RSA key pair for this purpose.

Step 4. Specify an RSA key pair for certificate request.
    Command: public-key rsa general name key-name
    Remarks: Optional.
    In auto request mode, when the entity is triggered to submit a certificate request, it
    automatically generates an RSA key pair with the specified name.
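The following configuration fragment is an added example and is not taken from the guide. It combines the four steps above: auto request mode with a renewal window, key regeneration on each renewal, and a key pair dedicated to the PKI domain so that regeneration does not overwrite a key pair shared with other services. The domain name, the key pair name and the 30-day value are assumed; the comment lines are explanatory and are not part of the command syntax.

```text
# Added example, not from the guide. Domain name, key name and day count are assumed values.
system-view
pki domain example-domain

# Auto mode: the entity requests a certificate when an application (for example, IKE) needs one.
# before-expire 30: renew 30 days before the current certificate expires.
# regenerate: generate a new RSA key pair for each renewal request.
certificate request mode auto before-expire 30 regenerate

# Alternative without regenerate: the entity reuses the existing RSA key pair for renewal.
# certificate request mode auto before-expire 30

# Dedicated key pair: with regenerate, only this key pair is overwritten on renewal,
# not a general-purpose key pair that other services may rely on.
public-key rsa general name pki-example-key
```

Choosing regenerate without the fourth step is the configuration to avoid: each renewal would replace whatever RSA key pair the domain was using, so any other service bound to that key pair would lose it on the next renewal. Naming a key pair for the domain keeps the blast radius of regeneration to the PKI domain itself.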