Retrieving a certificate manually – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 288

Step 5. Retrieve a CA certificate manually.
    Command: See "Retrieving a certificate manually."
    Remarks: N/A

Step 6. Generate a local RSA key pair.
    Command: public-key local create rsa
    Remarks: No local RSA key pair exists by default.

Step 7. Submit a local certificate request manually.
    Command: pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]
    Remarks: N/A

NOTE:

If a PKI domain already has a local certificate, creating an RSA key pair results in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. For more information about the public-key local create command, see Security Command Reference.

A newly created key pair overwrites the existing one. If you execute the public-key local create command when a local RSA key pair already exists, the system prompts you to confirm whether to overwrite the existing one.

If a PKI domain already has a local certificate, you cannot request another certificate for it. This helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. Before requesting a new certificate, use the pki delete-certificate command to delete the existing local certificate and the CA certificate stored locally.

When it is impossible to request a certificate from the CA through SCEP, you can print the request information or save it to a local file, and then send the printed information or the saved file to the CA by an out-of-band means. To print the request information, use the pki request-certificate domain command with the pkcs10 keyword. To save the request information to a local file, use the pki request-certificate domain command with the pkcs10 filename filename option.

Make sure the clocks of the entity and the CA are synchronized. Otherwise, the validity period of the certificate will be evaluated incorrectly.

The pki request-certificate domain configuration will not be saved in the configuration file.

Retrieving a certificate manually

You can download CA certificates or local certificates from the CA server and save them locally. To do so, use either the offline mode or the online mode. In offline mode, you must retrieve a certificate by an out-of-band means like FTP, disk, or email, and then import it into the local PKI system.

Certificate retrieval serves the following purposes:

• Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.

• Prepare for certificate verification.

Before retrieving a local certificate in online mode, be sure to complete the LDAP server configuration.

To retrieve a certificate manually:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A