H3C Technologies H3C WX6000 Series Access Controllers User Manual
68-8
Generating an RSA key pair is an important step in requesting a certificate. The key pair consists of a public key and a private key. The private key is kept by the user, while the public key is transferred to the CA along with some other information. For detailed information about RSA key pair configuration, refer to SSH in H3C WX6103 Access Controller Switch Interface Board Configuration Guide.
Follow these steps to submit a certificate request in manual mode:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter PKI domain view | pki domain domain-name | — |
| Set the certificate request mode to manual | certificate request mode manual | Optional. Manual by default. |
| Return to system view | quit | — |
| Retrieve a CA certificate manually | Refer to | Required |
| Generate a local RSA key pair | public-key local create rsa | Required. No local RSA key pair exists by default. |
| Submit a local certificate request | pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ] | Required |
- If a PKI domain already has a local certificate, creating a new RSA key pair will result in an inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate first and then issue the public-key local create rsa command.
- A newly created key pair overwrites the existing one. If you execute the public-key local create rsa command while a local RSA key pair already exists, the system asks whether you want to overwrite the existing one.
- If a PKI domain already has a local certificate, you cannot request another certificate for it. This avoids an inconsistency between the certificate and the enrollment information that could result from configuration changes. To request a new certificate, use the pki delete-certificate command to delete the existing local certificate and the locally stored CA certificate.
- When it is impossible to request a certificate from the CA through SCEP, you can save the request information to a file by using the pki request-certificate domain command with the pkcs10 and filename keywords, and then send the file to the CA by an out-of-band means.
- Make sure the clocks of the entity and the CA are synchronized. Otherwise, the validity period of the certificate may be abnormal.
- The pki request-certificate domain configuration is not saved in the configuration file.
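The following script is an added example and is not part of the H3C manual or the device CLI. It reproduces the manual-mode enrollment flow off the controller with OpenSSL (which is assumed to be installed) so that the first two notes above can be checked concretely: a PKCS#10 request carries the public half of the key pair it was generated from, and regenerating the key pair (the equivalent of re-running public-key local create rsa) leaves the saved request, and any certificate issued from it, inconsistent with the new key. All file names and the subject CN are constructed for the example.

```shell
#!/bin/sh
# Added example (not the H3C manual's own code): manual-mode PKI enrollment
# replayed with OpenSSL to show the key pair / request consistency rule.
# Assumption: the `openssl` command is available on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate an RSA key pair (stands in for `public-key local create rsa`).
gen_key() {                # $1 = private key output path
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null
}

# Build a PKCS#10 request from a private key (stands in for
# `pki request-certificate domain ... pkcs10 filename ...`, the file that
# would be carried to the CA out of band).
make_csr() {               # $1 = key path, $2 = CSR output path, $3 = subject CN
    openssl req -new -key "$1" -subj "/CN=$3" -out "$2" 2>/dev/null
}

# SHA-256 fingerprint of the DER-encoded SubjectPublicKeyInfo, taken from a
# private key file and from a request respectively.
pub_fp_of_key() {          # $1 = key path
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}
pub_fp_of_csr() {          # $1 = CSR path
    openssl req -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Print "match" when the request was produced from this key pair,
# "mismatch" otherwise. The same comparison applies to an issued certificate.
key_matches_csr() {        # $1 = key path, $2 = CSR path
    if [ "$(pub_fp_of_key "$1")" = "$(pub_fp_of_csr "$2")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Worked run: the original key pair matches its request; a regenerated key
# pair (what overwriting the local key pair does) no longer matches it.
demo() {
    gen_key "$WORK/key1.pem"
    make_csr "$WORK/key1.pem" "$WORK/req.p10" "ac-constructed.example"
    first=$(key_matches_csr "$WORK/key1.pem" "$WORK/req.p10")
    gen_key "$WORK/key2.pem"      # same effect as re-running public-key local create rsa
    second=$(key_matches_csr "$WORK/key2.pem" "$WORK/req.p10")
    echo "$first $second"
}

demo
```

Running the script prints `match mismatch`: the saved request is valid only for the key pair that produced it, which is why the manual requires deleting the local certificate before generating a new key pair rather than the other way round.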