Manually requesting a certificate
In manual mode, you must submit a local certificate request for an entity. Before the request, you must retrieve the CA certificate and generate a key pair for the PKI domain.
The CA certificate in the PKI domain is used to verify the authenticity and validity of a local certificate.
Generating a key pair is an essential step in a certificate request. The key pair consists of a public key and a private key. The private key stays on the router; the public key is sent to the CA together with the other request information (the subject and any attributes of the entity). For more information about RSA key pair configuration, see "Managing public keys."
Configuration guidelines
• If a PKI domain already has a local certificate, creating a new RSA key pair makes the key pair and the certificate inconsistent (the certificate binds the old public key). To generate a new RSA key pair, delete the local certificate first and then execute the public-key local create command. For more information about the public-key local create command, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference.
• A newly created key pair overwrites the existing one. If you execute the public-key local create command while a local RSA key pair already exists, the system asks you to confirm the overwrite.
• If a PKI domain already has a local certificate, you cannot request another certificate for it. This avoids inconsistency between the certificate and the registration information after configuration changes. Before requesting a new certificate, use the pki delete-certificate command to delete the existing local certificate and the locally stored CA certificate.
• When the router cannot request a certificate from the CA through SCEP, you can print the request information or save it to a local file, and then deliver the printed information or the saved file to the CA by an out-of-band means. To print the request information, use the pki request-certificate domain command with the pkcs10 keyword. To save the request information to a local file, use the pki request-certificate domain command with the pkcs10 filename filename option.
• Make sure the system time of the router is synchronized with the CA server. The router checks the validity period of the CA certificate and of the certificate it receives against its own clock, so a wrong system time makes a valid certificate look not yet valid or already expired, and the certificate request fails.
• In FIPS mode, MD5 certificates cannot be imported.
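The out-of-band PKCS#10 flow and the time-synchronization caveat above can be exercised end to end off the router. The following Go program is an added example, not part of this guide and not Comware code: it stands in for the router when it generates an RSA key pair and a PKCS#10 request (what pki request-certificate domain ... pkcs10 prints), for the CA operator who receives that request out of band and must verify its self-signature and key length before issuing, and for the router when it validates the issued certificate against the CA certificate at its own system time. The CA ("Test CA"), the subject name router1.example, the validity periods and the hypothetical helper names MakeRequest, CheckRequest, IssueCertificate and ValidateAt are all constructed for the example; only the 2048-bit minimum comes from the FIPS-mode note on this page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// minRSABits mirrors the FIPS-mode RSA key length stated in the guide (2048 bits).
const minRSABits = 2048

// MakeRequest plays the router side: generate an RSA key pair and a PKCS#10
// request carrying the public key and subject, returned as PEM exactly as an
// operator would copy it from the console for out-of-band delivery.
func MakeRequest(bits int, commonName string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: commonName},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckRequest is what the CA operator does with a request that arrived out of
// band: parse it, verify the self-signature (proof that the requester holds the
// private key) and reject RSA keys shorter than the required length.
func CheckRequest(csrPEM []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("no PEM CERTIFICATE REQUEST block")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("bad self-signature: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("request does not carry an RSA public key")
	}
	if pub.N.BitLen() < minRSABits {
		return nil, fmt.Errorf("RSA key too short: %d bits", pub.N.BitLen())
	}
	return csr, nil
}

// IssueCertificate signs the checked request with a constructed test CA and
// returns the CA certificate and the issued local certificate as PEM, the two
// objects the operator would carry back to the router.
func IssueCertificate(csr *x509.CertificateRequest, notBefore time.Time, days int) (caPEM, certPEM []byte, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, minRSABits)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Test CA"}, // constructed CA
		NotBefore:             notBefore.Add(-time.Hour),
		NotAfter:              notBefore.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject, // subject and public key come from the request
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	return caPEM, certPEM, nil
}

// ValidateAt models the router checking the issued certificate against the CA
// certificate at its own system time "now". With a clock that is behind the CA
// the certificate is "not yet valid"; far ahead, it is "expired": either way the
// request fails, which is the failure mode the time-synchronization guideline warns about.
func ValidateAt(caPEM, certPEM []byte, now time.Time) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return errors.New("no usable CA certificate in PEM")
	}
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("no PEM certificate block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       pool,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	_, csrPEM, err := MakeRequest(minRSABits, "router1.example") // constructed subject
	if err != nil {
		panic(err)
	}
	fmt.Print(string(csrPEM)) // what the operator would paste into the CA's enrollment form
	csr, err := CheckRequest(csrPEM)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	caPEM, certPEM, err := IssueCertificate(csr, now, 365)
	if err != nil {
		panic(err)
	}
	fmt.Println("router clock in sync:   ", ValidateAt(caPEM, certPEM, now.Add(time.Minute)))
	fmt.Println("router clock a day slow:", ValidateAt(caPEM, certPEM, now.Add(-24*time.Hour)))
}
```

Run it with go run; the second line of output shows the verification error a router with a lagging clock would hit, while the same certificate verifies cleanly when the clocks agree. CheckRequest also rejects a 1024-bit request, which is the check a CA operator needs when a request arrives out of band and SCEP's automatic policy enforcement is not in the path.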
Configuration procedure
To submit a certificate request in manual mode:

Step 1. Enter system view.
    Command: system-view

Step 2. Enter PKI domain view.
    Command: pki domain domain-name

Step 3. Set the certificate request mode to manual.
    Command: certificate request mode manual
    Remarks: Optional. Manual by default.

Step 4. Return to system view.
    Command: quit

Step 5. Retrieve a CA certificate manually.
    See "Retrieving a certificate manually."

Step 6. Generate a local RSA key pair.
    Command: public-key local create rsa
    Remarks: No local RSA key pair exists by default. In FIPS mode, the RSA key pair length is 2048 bits.