
Submitting a certificate request in auto mode, Submitting a certificate request in manual mode – H3C Technologies H3C SecBlade LB Cards User Manual


134

submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to a CA by an "out-of-band" means such as phone, disk, or email. Online certificate requests are submitted in either manual mode or auto mode.

Submitting a certificate request in auto mode

In auto mode, an entity automatically requests a certificate from the CA server and saves the local certificate if it has no local certificate for an application working with PKI. If the PKI domain has no CA certificate when the entity submits the certificate request, the entity automatically retrieves the CA certificate first.

If an automatically requested certificate is about to expire or has expired, the entity does not automatically re-request it from the CA, so services that use the certificate might be interrupted.
To configure an entity to submit a certificate request in auto mode:

Step                                Command                                                    Remarks
1. Enter system view.               system-view                                                N/A
2. Enter PKI domain view.           pki domain domain-name                                     N/A
3. Set the certificate request      certificate request mode auto [ key-length key-length |    Manual by default.
   mode to auto.                    password { cipher | simple } password ] *

Submitting a certificate request in manual mode

In manual mode, you must submit a local certificate request for an entity. Before submitting the request, you must retrieve a CA certificate and generate a key pair for the PKI domain.

The CA certificate in the PKI domain is used to verify the authenticity and validity of a local certificate.

Generating a key pair is an essential step of the certificate request. The key pair includes a public key and a private key. The private key is kept by the user. The public key is transferred to the CA along with some other information. For more information about RSA key pair configuration, see "Managing public keys."

Configuration guidelines

• If a PKI domain already has a local certificate, creating an RSA key pair might result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then execute the public-key local create command. For more information about the public-key local create command, see Security Command Reference.

• A newly created key pair overwrites the existing one. If you execute the public-key local create command while a local RSA key pair already exists, the system asks you whether you want to overwrite the existing one.

• If a PKI domain already has a local certificate, you cannot request another certificate for it. This helps avoid inconsistency between the certificate and the registration information caused by configuration changes. Before requesting a new certificate, use the pki delete-certificate command to delete the existing local certificate and the CA certificate stored locally.

• When a certificate cannot be requested from the CA through SCEP, you can print the request information or save it to a local file, and then send the printed information or the saved file to the CA by an out-of-band means. To print the request information, use the pki request-certificate domain command with the pkcs10 keyword. To save the request information to a local file, use the pki request-certificate domain command with the pkcs10 filename filename option.
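The out-of-band path above hands the CA a PKCS#10 request that carries the entity's public key and subject data, signed with the private key that never leaves the device. The following Go program is an added example (not from the H3C manual or its software) showing both ends of that exchange with the standard library only: the entity side builds the request, and the CA side parses it and verifies the self-signature before trusting the enclosed key. The common name "lb-entity" and organization "example-org" are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// BuildPKCS10 is the entity side: generate an RSA key pair and sign a PKCS#10
// request carrying the public key and subject data. Only the PEM request would
// be printed or saved and sent to the CA; the private key stays with the caller.
func BuildPKCS10(commonName string, keyBits int) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: commonName, Organization: []string{"example-org"}}, // constructed
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckPKCS10 is the CA-side check on a request received out-of-band: parse it,
// verify its self-signature (proof the requester holds the matching private key),
// and report the subject CN and RSA modulus size.
func CheckPKCS10(pemBytes []byte) (string, int, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", 0, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", 0, err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", 0, fmt.Errorf("request signature invalid: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", 0, fmt.Errorf("expected an RSA public key")
	}
	return csr.Subject.CommonName, pub.N.BitLen(), nil
}
```

A request whose body has been altered in transit fails CheckSignature, which is the check a CA should make before it issues anything for the enclosed key.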
