Configuring automatic certificate request, Manually requesting a certificate – H3C Technologies H3C S6300 Series Switches User Manual
b. Use the public-key local create command to generate a new key pair. The new key pair automatically overwrites the old key pair in the domain.
c. Submit a new certificate request.
• After a new certificate is obtained, do not use the public-key local create or public-key local destroy command to generate or destroy a key pair with the same name as the key pair in the local certificate. Otherwise, the existing local certificate becomes unavailable.
• A PKI domain can have local certificates using only one type of cryptographic algorithm (DSA or RSA). If DSA is used, a PKI domain can have only one local certificate. If RSA is used, a PKI domain can have one local certificate for signature and one for encryption.
Configuring automatic certificate request
IMPORTANT:
If an automatically requested certificate will soon expire or has expired, the entity does not initiate a
re-request to the CA automatically, and the applications using the certificate might be interrupted.
In auto request mode, a PKI entity automatically submits a certificate request to the CA when an
application works with the PKI entity that does not have a local certificate. For example, when IKE
negotiation uses a digital signature for identity authentication, but no local certificate is available, the
entity automatically submits a certificate request and saves the certificate locally after obtaining it from
the CA.
A CA certificate must be present before you request a local certificate. If no CA certificate exists in the PKI
domain, the PKI entity automatically obtains a CA certificate before sending a certificate request.
To configure automatic certificate request:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter PKI domain view.
    Command: pki domain domain-name
    Remarks: N/A

Step 3. Set the certificate request mode to auto.
    Command: certificate request mode auto [ password { cipher | simple } password ]
    Remarks: By default, the manual request mode applies. In auto request mode, set a password for certificate revocation if the CA policy requires the password.
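The three steps above as one configuration session. This is an added example, not a session from the manual: the domain name vpn1, the system name Sysname, and the password value are placeholders, and the CLI prompts follow the usual Comware convention of angle brackets for user view and square brackets for system and domain views.

```text
<Sysname> system-view
[Sysname] pki domain vpn1
[Sysname-pki-domain-vpn1] certificate request mode auto password cipher Abc123
[Sysname-pki-domain-vpn1] quit
[Sysname] quit
```

The password keyword is only needed when the CA policy requires a revocation password; use cipher rather than simple so the stored configuration does not carry the password in plain text. Because auto mode does not re-request a certificate that is about to expire, track the local certificate's validity period and plan re-enrollment before applications such as IKE lose a usable certificate.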
Manually requesting a certificate
Before you manually submit a certificate request, make sure the CA certificate exists and a key pair is
specified for the PKI domain:
• The CA certificate is used to verify the authenticity and validity of the obtained local certificate.
• The key pair is used for the certificate request. Upon receiving the public key and the identity information, the CA signs and issues a certificate.
After the CA issues the certificate, the device obtains and saves it locally.
To manually request a certificate: