H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Step Remarks
5. Requesting a local certificate
Required
When requesting a certificate, an entity introduces itself to the CA by
providing its identity information and public key, which will be the major
components of the certificate.
A certificate request can be submitted to a CA in online mode or offline
mode.
• In online mode, if the request is granted, the local certificate will be
  retrieved to the local system automatically.
• In offline mode, you need to retrieve the local certificate by an
  out-of-band means.
IMPORTANT:
If a local certificate already exists, you cannot perform the local certificate
retrieval operation. This avoids a possible mismatch between the local
certificate and the registration information resulting from relevant changes. To
retrieve a new local certificate, you need to remove the CA certificate and
local certificate first.
6. Destroying the RSA key pair
Optional
Destroy the existing RSA key pair and the corresponding local certificate.
If the certificate to be retrieved contains an RSA key pair, you need to
destroy the existing key pair. Otherwise, the retrieval operation will fail.
Optional
Retrieve an existing certificate.
8. Retrieving and displaying a
Optional
Retrieve a CRL and display its contents.
Recommended configuration procedure for automatic request
Step Remarks
Required
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and an entity, where an
entity is the collection of the identity information of a user. A CA
identifies a certificate applicant by entity.
The identity settings of an entity must comply with the CA certificate
issue policy. Otherwise, the certificate request might be rejected.
Required
Create a PKI domain, setting the certificate request mode to Auto.
Before requesting a PKI certificate, an entity needs to be configured
with some enrollment information, which is referred to as a PKI
domain.
A PKI domain is intended only for convenience of reference by other
applications like IKE and SSL, and has only local significance.