249
Step Command Remarks
7. Submit a local certificate
request manually.
pki request-certificate domain
domain-name [ password ]
[
pkcs10
[
filename
filename ] ]
N/A
This command is not saved in the
configuration file.
Retrieving a certificate manually
You can download CA certificates or local certificates from the CA server and save them locally. To
do so, use either the offline mode or the online mode. In offline mode, you must retrieve a certificate
by an out-of-band means like FTP, disk, or email, and then import it into the local PKI system.
Certificate retrieval serves the following purposes:
• Locally store the certificates associated with the local security domain for improved query
efficiency and reduced query count.
• Prepare for certificate verification.
Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This
restriction helps avoid inconsistency between the certificate and registration information resulted
from configuration changes. To retrieve a new CA certificate, use the pki delete-certificate
command to delete the existing CA certificate and the local certificate first.
Make sure the device system time falls in the validity period of the certificate so that the certificate is
valid.
To retrieve a certificate manually:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Retrieve a certificate
manually
• In online mode:
pki retrieval-certificate { ca | local }
domain domain-name
• In offline mode:
pki import-certificate { ca | local }
domain domain-name { der | p12 | pem }
[ filename filename ]
Use either command.
The
pki
retrieval-certificate
configuration is not saved
in the configuration file.
Verifying PKI certificates
A certificate needs to be verified before being used. Verifying a certificate will check that the
certificate is signed by the CA and that the certificate has neither expired nor been revoked.
You can specify whether CRL checking is required in certificate verification. If you enable CRL
checking, CRLs will be used in verification of a certificate. In this case, be sure to retrieve the CA
certificate and CRLs to the local device before the certificate verification. If you disable CRL checking,
you only need to retrieve the CA certificate.
The CRL update period defines the interval at which the entity downloads CRLs from the CRL server.
The CRL update period setting manually configured on the device is prior to that carried in the CRLs.
To Next Page
Loading...
Need help?
General
