beautypg.com

H3C Technologies H3C MSR 50 User Manual

Page 487

background image

102

Step Remarks

5. Requesting a local

certificate

Required.
When requesting a certificate, an entity introduces itself to the CA by

providing its identity information and public key, which will be the major
components of the certificate.
A certificate request can be submitted to a CA in online mode or offline
mode.

In online mode, if the request is granted, the local certificate will be

retrieved to the local system automatically.

In offline mode, you must retrieve the local certificate by an out-of-band

means.

IMPORTANT:

If a local certificate already exists, you cannot perform the local certificate

retrieval operation. This restriction avoids inconsistency between the certificate
and the registration information due to configuration changes. To retrieve a

new local certificate, you must remove the CA certificate and local certificate
first.

6. Destroying the RSA key pair

Optional.
If the certificate to be retrieved contains an RSA key pair, you must destroy

the existing RSA key pair. Otherwise, you cannot retrieve the certificate.
Destroying the existing RSA key pair also destroys the corresponding local

certificate.

7. Retrieving and displaying a

certificate

Required if you request a certificate in offline mode.
Retrieve an existing certificate and display its contents.

IMPORTANT:

If you request a certificate in offline mode, you must retrieve the CA
certificate and local certificate by an out-of-band means.

Before retrieving a local certificate in online mode, be sure to complete

LDAP server configuration.

8. Retrieving and displaying a

CRL

Optional.
Retrieve a CRL and display its contents.

Recommended configuration procedure for automatic request

Task Remarks

1. Creating a PKI entity

Required.
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and the identity information of an
entity, where the DN shows the identity information of the entity. A CA

identifies a certificate applicant uniquely by an entity DN.
The DN settings of an entity must be compliant to the CA certificate issue
policy. Otherwise, the certificate request might be rejected. You must know

the policy to determine which entity parameters are mandatory or optional.

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: