
Requesting a certificate, Configuration guidelines, Required.) – H3C Technologies H3C S6300 Series Switches User Manual


189

Step 11. (Optional.) Specify the extended application of the certificate.

Command:
usage { ike | ssl-client | ssl-server } *

Remarks:
By default, the certificate is for all extended applications, including IKE, SSL clients, and SSL server.
The extension of a certificate depends on the certificate user, and it is not limited by PKI.
The extension options contained in an issued certificate depend on the CA policy, and they might be different from those specified in the PKI domain.

Step 12. Specify the source IP address for the PKI protocol packets.

Command (use one of the commands):
Specify the source IPv4 address for the PKI protocol packets:
source ip { ip-address | interface interface-type interface-number }
Specify the source IPv6 address for the PKI protocol packets:
source ipv6 { ipv6-address | interface interface-type interface-number }

Remarks:
Required if the CA policy defines the CA server to accept requests only from a specific IP address or subnet.
By default, the source IP address is the IP address of the outgoing interface of the route to the CA.
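The remark on step 12 matters in practice: the default source address (the outgoing interface toward the CA) is often an uplink address that is not on the CA's allow-list, so the request is silently dropped by the CA's policy. The following Python script is an added example, not part of the H3C manual, that models this check: given the device's interface addresses and the networks the CA accepts, it reports whether the default source address is acceptable and, if not, which address to configure with source ip or source ipv6. All interface names, addresses and networks are constructed sample values.

```python
"""Decide whether an explicit PKI source address is needed and which one fits.

Added example (not H3C code). Interfaces, addresses and the CA allow-list below
are constructed sample values; only the command keywords 'source ip' and
'source ipv6' come from the manual.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: interface name -> addresses configured on it.
DEVICE_INTERFACES: Dict[str, List[str]] = {
    "Vlan-interface10": ["10.1.10.2", "2001:db8:10::2"],
    "Vlan-interface20": ["10.1.20.2"],
    "LoopBack0": ["192.0.2.7", "2001:db8:ffff::7"],
}

# Constructed sample: networks from which the CA server accepts requests.
CA_ALLOWED_NETWORKS: List[str] = ["192.0.2.0/24", "2001:db8:ffff::/64"]

# Constructed sample: the address the device would use by default, i.e. the
# address of the outgoing interface of the route to the CA.
DEFAULT_OUTGOING_ADDRESS = "10.1.10.2"


def _parse_networks(allowed: Iterable[str]):
    # strict=True rejects allow-list entries with host bits set (a typo in
    # the CA policy would otherwise go unnoticed here).
    return [ipaddress.ip_network(n, strict=True) for n in allowed]


def address_permitted(address: str, allowed: Iterable[str]) -> bool:
    """True if the CA allow-list contains this address (same address family)."""
    addr = ipaddress.ip_address(address)
    return any(addr.version == net.version and addr in net
               for net in _parse_networks(allowed))


def candidate_sources(interfaces: Dict[str, List[str]],
                      allowed: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (interface, address) pairs whose address the CA would accept.

    Ordered IPv4 before IPv6, then by interface name, so the choice is stable.
    """
    matches = [(ifname, a)
               for ifname, addrs in interfaces.items()
               for a in addrs
               if address_permitted(a, allowed)]
    return sorted(matches, key=lambda m: (ipaddress.ip_address(m[1]).version, m[0]))


def source_command(interfaces: Dict[str, List[str]], allowed: Iterable[str],
                   default_address: str) -> Tuple[bool, Optional[str]]:
    """Return (explicit_source_needed, command_line).

    (False, None): the default outgoing address is already permitted.
    (True, 'source ip ...' / 'source ipv6 ...'): configure this in the PKI domain.
    (True, None): no configured address is permitted; the CA policy or the
                  device addressing must change before a request can succeed.
    """
    if address_permitted(default_address, allowed):
        return False, None
    candidates = candidate_sources(interfaces, allowed)
    if not candidates:
        return True, None
    _ifname, address = candidates[0]
    keyword = "source ip" if ipaddress.ip_address(address).version == 4 else "source ipv6"
    return True, f"{keyword} {address}"


if __name__ == "__main__":
    needed, cmd = source_command(DEVICE_INTERFACES, CA_ALLOWED_NETWORKS,
                                 DEFAULT_OUTGOING_ADDRESS)
    print("explicit source needed:", needed, "->", cmd)
```

Run as a script it evaluates the constructed sample; the same functions can be fed the output of a display ip interface brief parse and the CA operator's stated allow-list. The (True, None) case is the one worth alerting on during rollout, since a PKI request sent from an unpermitted source fails without a useful error on the device side.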

Requesting a certificate

To request a certificate, a PKI entity must provide its identity information and public key to a CA.
A certificate request can be submitted to a CA in offline or online mode.

• Offline mode—A certificate request is submitted by an out-of-band means, such as phone, disk, or email. You can use this mode as required or if you fail to request a certificate in online mode.
  To submit a certificate request in offline mode:
  a. Use pki request-certificate domain pkcs10 to print the request information on the terminal, or use pki request-certificate domain pkcs10 filename to save the request information to a local file.
  b. Send the printed information or the saved file to the CA by an out-of-band means to submit the request.

• Online mode—A certificate request can be submitted automatically or manually. The following sections describe the online request mode.

Configuration guidelines

The following guidelines apply to certificate request for an entity in a PKI domain:

• Make sure the device is time synchronized with the CA server. Otherwise, the certificate request might fail because the certificate might be considered to be outside of its validity period. For information about how to configure the system time, see Fundamentals Configuration Guide.

• To request a new certificate for a PKI entity that already has a local certificate, perform the following tasks:
  a. Use the pki delete-certificate command to delete the existing local certificate.