Retrieving a certificate manually – H3C Technologies H3C SecBlade LB Cards User Manual

Make sure the clocks of the entity and the CA are synchronized. Otherwise the validity period written into the certificate will not line up with the device's own clock, and the certificate can be treated as not yet valid or already expired.

2. Configuration procedure

To submit a certificate request in manual mode:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. Enter PKI domain view.
   Command: pki domain domain-name
   Remarks: N/A

Step 3. Set the certificate request mode to manual.
   Command: certificate request mode manual
   Remarks: Optional. Manual is the default.

Step 4. Return to system view.
   Command: quit
   Remarks: N/A

Step 5. Retrieve a CA certificate manually.
   Command: See "Retrieving a certificate manually."
   Remarks: N/A

Step 6. Generate a local RSA key pair.
   Command: public-key local create rsa
   Remarks: No local RSA key pair exists by default.

Step 7. Submit a local certificate request manually.
   Command: pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]
   Remarks: This command is not saved in the configuration file.

Retrieving a certificate manually

You can download CA certificates or local certificates from the CA server and save them locally, in either online mode or offline mode. In offline mode you obtain the certificate by an out-of-band means such as FTP, removable disk, or email, and then import it into the local PKI system.

Certificate retrieval serves the following purposes:

- Locally store the certificates associated with the local security domain, so that lookups are faster and fewer queries go to the CA.
- Prepare for certificate verification.

Before retrieving a local certificate in online mode, complete the LDAP server configuration.

If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction avoids an inconsistency between the certificate and the registration information that configuration changes could otherwise cause. To retrieve a new CA certificate, first use the pki delete-certificate command to delete the existing CA certificate and the local certificate.

Make sure the device system time falls within the validity period of the certificate; a certificate whose validity window does not cover the current device time is not valid.
To retrieve a certificate manually:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
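The whole manual-mode, offline workflow as one console session, as an added example that is not taken from the manual: it strings together the request steps in the table above with the out-of-band retrieval and import described under "Retrieving a certificate manually". The entity name lb-entity, domain name lb-domain, CA identifier lab-ca, FTP host 192.0.2.10 and all file names are placeholders. The pki entity, certificate request from, pki import-certificate, ftp and display commands are assumed from the fuller Comware V5 command set, since this page shows only the request-side commands; check them against the command reference for your release. The clock check at the start and the validity check at the end correspond to the two time caveats the page raises.

```text
# Added example, not from the H3C manual. Placeholders: lb-entity, lb-domain,
# lab-ca, 192.0.2.10, lab-ca.pem, lb01.csr, lb01.pem.
# Commands marked "assumed" are not shown on this page.

# Check the device clock before anything else: the CA stamps notBefore/notAfter
# from its own clock, and the device will judge them against this one.
<Sysname> display clock
<Sysname> system-view

# PKI entity: the subject name the PKCS#10 request will carry (assumed).
[Sysname] pki entity lb-entity
[Sysname-pki-entity-lb-entity] common-name lb01.example.net
[Sysname-pki-entity-lb-entity] quit

# Steps 2-4 from the table: domain view, manual mode (the default), back out.
[Sysname] pki domain lb-domain
[Sysname-pki-lb-domain] ca identifier lab-ca
[Sysname-pki-lb-domain] certificate request from ca
[Sysname-pki-lb-domain] certificate request entity lb-entity
[Sysname-pki-lb-domain] certificate request mode manual
[Sysname-pki-lb-domain] quit

# Step 5, offline variant: the CA certificate arrived out of band (FTP, disk,
# email) as lab-ca.pem on the device's storage, so it is imported rather than
# retrieved (assumed command). A domain may hold only one CA certificate; use
# pki delete-certificate first if one is already present.
[Sysname] pki import-certificate ca domain lb-domain pem filename lab-ca.pem

# Step 6: key pair. The command prompts for the modulus length.
[Sysname] public-key local create rsa

# Step 7: write the PKCS#10 request to a file instead of sending it to the CA.
# This command is not saved in the configuration file.
[Sysname] pki request-certificate domain lb-domain pkcs10 filename lb01.csr
[Sysname] quit

# Carry the CSR to the CA and bring the signed certificate back (assumed ftp
# client usage; the CA-side signing happens outside the device).
<Sysname> ftp 192.0.2.10
[ftp] put lb01.csr
[ftp] get lb01.pem
[ftp] quit

# Import the signed local certificate and confirm that its Validity range
# covers the time shown by display clock (assumed commands).
<Sysname> system-view
[Sysname] pki import-certificate local domain lb-domain pem filename lb01.pem
[Sysname] display pki certificate local domain lb-domain
```

If display pki certificate shows a notBefore later than the device clock, fix the clock (or the CA's) rather than the certificate: a request signed under skewed clocks produces exactly the "abnormal validity period" the page warns about, and the only remedy is to delete the certificate with pki delete-certificate and request again once the clocks agree.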
