Retrieving a certificate manually – H3C Technologies H3C SecPath F1000-E User Manual

309

•

When it is impossible to request a certificate from the CA through SCEP, you can print the request

information or save the request information to a local file, and then send the printed information or
saved file to the CA by an out-of-band means. To print the request information, use the pki

request-certificate domain command with the pkcs10 keyword. To save the request information to

a local file, use the pki request-certificate domain command with the pkcs10 filename filename

option.

•

Make sure the clocks of the entity and the CA are synchronous. Otherwise, the validity period of the
certificate will be abnormal.

To submit a certificate request in manual mode:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter PKI domain view.

pki domain domain-name N/A

3.

Set the certificate request
mode to manual.

certificate request mode manual

Optional.
Manual by default.

4.

Return to system view.

quit

N/A

5.

Retrieve a CA certificate
manually.

See "

Retrieving a certificate

manually

"

N/A

6.

Generate a local RSA key

pair.

public-key local create rsa

N/A

7.

Submit a local certificate

request manually.

pki request-certificate domain
domain-name [ password ]
[ pkcs10 [ filename filename ] ]

The pki request-certificate domain
configuration will not be saved in
the configuration file.

NOTE:

In FIPS mode, you cannot import an MD5 certificate.

Retrieving a certificate manually

You can download CA certificates, or local certificates from the CA server and save them locally. To do

so, use either the offline mode or the online mode. In offline mode, you must retrieve a certificate by an

out-of-band means like FTP, disk, or email, and then import it into the local PKI system.
Certificate retrieval serves the following purposes:

•

Locally store the certificates associated with the local security domain for improved query efficiency
and reduced query count

•

Prepare for certificate verification

Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This

restriction helps avoid inconsistency between the certificate and registration information resulted from
configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete

the existing CA certificate and the local certificate first.
Make sure the device system time falls in the validity period of the certificate so that the certificate is valid.
To retrieve a certificate manually: