
Requesting a certificate automatically – H3C Technologies H3C WX6000 Series Access Controllers User Manual


| Task | Remarks |
|---|---|
| Requesting a Local Certificate | Required. When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in two ways: online and offline. In online mode, if the request is granted, the local certificate will be retrieved to the local system automatically. In offline mode, you need to retrieve the local certificate by out-of-band means. If there is already a local certificate, you cannot perform the local certificate retrieval operation. This is to avoid a possible mismatch between the local certificate and the registration information resulting from relevant changes. To retrieve a new local certificate, you need to remove the CA certificate and local certificate first. |
| Destroying the RSA Key Pair | Optional. Destroy the existing RSA key pair and the corresponding local certificate. If the certificate to be retrieved contains an RSA key pair, you need to destroy the existing key pair. Otherwise, the retrieval operation will fail. |
| Retrieving a Certificate | Optional. Retrieve an existing certificate. |
| Retrieving and Displaying a CRL | Optional. Retrieve a CRL and display its contents. |

Requesting a Certificate Automatically

Perform the tasks in Table 41-2 to configure the PKI system to request a certificate automatically.

Table 41-2 Configuration task list for requesting a certificate automatically

| Task | Remarks |
|---|---|
| Creating a PKI Entity | Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity. The identity settings of an entity must comply with the CA certificate issue policy. Otherwise, the certificate request may be rejected. |
| Creating a PKI Domain | Required. Create a PKI domain, setting the certificate request mode to Auto. Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance. |
| Destroying the RSA Key Pair | Optional. Destroy the existing RSA key pair and the corresponding local certificate. If the certificate to be retrieved contains an RSA key pair, you need to destroy the existing key pair. Otherwise, the retrieval operation will fail. |
| Retrieving a Certificate | Optional. Retrieve an existing certificate. |
| Retrieving and Displaying a CRL | Optional. Retrieve a CRL and display its contents. |