Submitting a pki certificate request, Submitting a certificate request in auto mode, Submitting a certificate request in manual mode – H3C Technologies H3C SecPath F1000-E User Manual
Page 320

308
Submitting a PKI certificate request
When requesting a certificate, an entity introduces itself to the CA by providing its identity information
and public key, which will be the major components of the certificate. A certificate request can be
submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to
a CA by an "out-of-band" means such as phone, disk, or email.
Online certificate request falls into manual mode and auto mode.
Submitting a certificate request in auto mode
In auto mode, an entity automatically requests a certificate from the CA server if it has no local certificate
for an application working with PKI. For example, when PKI certificate authentication is used, if no local
certificate is available during IKE negotiation, the entity automatically requests one.
To configure an entity to submit a certificate request in auto mode:
Step Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter PKI domain view.
pki domain domain-name N/A
3.
Set the certificate request
mode to auto.
certificate request mode auto
[ key-length key-length | password
{ cipher | simple } password ] *
Manual by default
NOTE:
If a certificate will expire or has expired, the entity does not initiate a re-request automatically, and the
service using the certificate might be interrupted. To have a new local certificate, request one manually.
Submitting a certificate request in manual mode
In manual mode, you need to retrieve a CA certificate, generate a local RSA key pair, and submit a local
certificate request for an entity.
The goal of retrieving a CA certificate will verify the authenticity and validity of a local certificate.
Generating an RSA key pair is an important step in certificate request. The key pair includes a public key
and a private key. The private key is kept by the user. The public key is transferred to the CA along with
some other information. For more information about RSA key pair configuration, see "Managing public
keys."
Follow these guidelines to request a certificate in manual mode:
•
If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency
between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate
and then issue the public-key local create command.
•
A newly created key pair will overwrite the existing one. If you perform the public-key local create
command in the presence of a local RSA key pair, the system will ask you whether you want to
overwrite the existing one.
•
If a PKI domain already has a local certificate, you cannot request another certificate for it. This
helps avoid inconsistency between the certificate and the registration information resulting from
configuration changes. Before requesting a new certificate, use the pki delete-certificate command
to delete the existing local certificate and the CA certificate stored locally.
- H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS