H3C Technologies H3C SecPath F1000-E User Manual

Task Remarks

Requesting a local certificate

Required
When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate.
A certificate request can be submitted to a CA in online mode or offline mode.
In online mode, if the request is granted, the local certificate will be retrieved to the local system automatically.
In offline mode, you need to retrieve the local certificate by an out-of-band means.

IMPORTANT:

If a local certificate already exists, you cannot perform the local certificate retrieval operation. This is to avoid possible mismatch between the local certificate and registration information resulting from relevant changes. To retrieve a new local certificate, you need to remove the CA certificate and local certificate first.

Destroying the RSA key pair

Optional
Destroy the existing RSA key pair and the corresponding local certificate.
If the certificate to be retrieved contains an RSA key pair, you need to destroy the existing RSA key pair. Otherwise, the retrieval operation will fail.

Retrieving and displaying a certificate

Optional
Retrieve an existing certificate and display its information.

IMPORTANT:

Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.

Retrieving and displaying a CRL

Optional
Retrieve a CRL and display its contents.
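
The "Requesting a local certificate" and "Destroying the RSA key pair" rows above rest on one binding: the request carries the entity's identity information and public key, and a certificate is only usable with the key pair it was requested for. The Go program below is an added example, not part of the H3C manual or the device's implementation; it builds a PKCS#10 request, runs the checks a CA would run on it, and tests whether the requested key matches the local key pair. The function names and the sample identity (`fw1.example.test`, `Example Corp`) are assumptions constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// newKey generates the local RSA key pair (hypothetical helper).
func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// buildCSR creates a PKCS#10 request that carries the entity DN and the
// public half of key, signed with the private half.
func buildCSR(key *rsa.PrivateKey, cn, org string) ([]byte, error) {
	dn := pkix.Name{CommonName: cn, Organization: []string{org}}
	tmpl := &x509.CertificateRequest{Subject: dn, SignatureAlgorithm: x509.SHA256WithRSA}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// checkCSR mirrors the CA-side checks: parse the request and verify its
// self-signature (proof of possession). It returns the DN that would be
// certified and whether the requested key belongs to the local key pair.
func checkCSR(der []byte, local *rsa.PrivateKey) (string, bool, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", false, err
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	return csr.Subject.String(), ok && pub.Equal(&local.PublicKey), nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	der, err := buildCSR(key, "fw1.example.test", "Example Corp") // constructed sample identity
	if err != nil {
		panic(err)
	}
	subject, match, err := checkCSR(der, key)
	fmt.Println(subject, match, err)
}
```

Checking the same request against a freshly generated key pair reports no match, which is the mismatch the table warns about when a key pair is replaced while an old certificate is still in place.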

Recommended configuration procedure for automatic request

Task Remarks

Creating a PKI entity

Required
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and the identity information of an entity, where the identity information is identified by an entity distinguished name (DN). A CA identifies a certificate applicant uniquely by entity DN.
The identity settings of an entity must comply with the CA certificate issue policy. Otherwise, the certificate request may be rejected.

Creating a PKI domain

Required
Create a PKI domain, setting the certificate request mode to Auto.
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain.
A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.