223
• A PKI domain can have local certificates using only one type of cryptographic algorithms (DSA, or
RSA). If DSA is used, a PKI domain can have only one local certificate. If RSA is used, a PKI domain
can have one local certificate for signature, and one local certificate for encryption.
Configuring automatic certificate request
IMPORTANT:
The device does not support automatic certificate rollover. To avoid service interruptions, you must
manually submit a certificate renewal request before the current certificate expires.
In auto request mode, a PKI entity automatically submits a certificate request to the CA when an
application works with the PKI entity that does not have a local certificate. For example, when IKE
negotiation uses a digital signature for identity authentication, but no local certificate is available, the
entity automatically submits a certificate request. It saves the certificate locally after obtaining it from the
CA.
A CA certificate must be present before you request a local certificate. If no CA certificate exists in the PKI
domain, the PKI entity automatically obtains a CA certificate before sending a certificate request.
To configure automatic certificate request:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter PKI domain view.
pki domain domain-name N/A
3. Set the certificate request
mode to auto.
certificate request mode auto [ password
{ cipher | simple } password ]
By default, the manual
request mode applies.
In auto request mode, set a
password for certificate
revocation as required by
the CA policy.
Manually requesting a certificate
Before you manually submit a certificate request, make sure the CA certificate exists and a key pair is
specified for the PKI domain:
• The CA certificate is used to verify the authenticity and validity of the obtained local certificate.
• The key pair is used for certificate request. Upon receiving the public key and the identity
information, the CA signs and issues a certificate.
After the CA issues the certificate, the device obtains and saves it locally.
To manually request a certificate:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter PKI domain view.
pki domain domain-name N/A
3. Set the certificate request
mode to manual.
certificate request mode manual
By default, the manual request
mode applies.
To Next Page
Loading...
Need help?
General