154
To do… Use the command… Remarks
6. Generate a local RSA key
pair.
public-key local create rsa
Required.
No local RSA key pair exists by
default.
7. Submit a local certificate
request manually.
pki request-certificate domain
domain-name [ password ] [
pkcs10 [ filename filename ] ]
Required.
If a PKI domain already has a local certificate, creating an RSA key pair results in inconsistency between
the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then
issue the public-key local create command. For more information about the public-key local create
command, see Security Command Reference.
A newly created key pair overwrites the existing one. If you perform the public-key local create
command in the presence of a local RSA key pair, the system asks whether you want to overwrite the
existing one.
If a PKI domain already has a local certificate, you cannot request another certificate for it. This helps
avoid inconsistency between the certificate and the registration information resulting from configuration
changes. Before requesting a new certificate, use the pki delete-certificate command to delete the
existing local certificate and the CA certificate stored locally.
When it is impossible to request a certificate from the CA through SCEP, you can print the request
information or save the request information to a local file and then send the printed information or saved
file to the CA by an out-of-band method. To print the request information, use the pki request-certificate
domain command with the pkcs10 keyword. To save the request information to a local file, use the pki
request-certificate domain command with the pkcs10 filename filename option.
Make sure that the clocks of the entity and the CA are synchronous. Otherwise, the validity period of the
certificate is abnormal.
The pki request-certificate domain configuration is not saved in the configuration file.
Retrieving a certificate manually
You can download CA certificates, local certificates, or peer entity certificates from the CA server and
save them locally. To do so, use either the offline mode or the online mode. In offline mode, you must
retrieve a certificate by an out-of-band method such as FTP, disk, or email, and then import it into the
local PKI system.
Certificate retrieval serves the following purposes:
• Locally stores the certificates associated with the local security domain for improved query
efficiency and reduced query count
• Prepares for certificate verification
Before retrieving a local certificate in online mode, be sure to complete the LDAP server configuration.
To retrieve a certificate manually:
To do… Use the command… Remarks
1. Enter system view.
system-view —
To Next Page
Loading...
Need help?
General