Retrieving a Certificate Manually – H3C Technologies H3C S5120 Series Switches User Manual
• If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. For information about the public-key local create command, refer to Public Key Commands.
• A newly created key pair will overwrite the existing one. If you perform the public-key local create command in the presence of a local RSA key pair, the system will ask you whether you want to overwrite the existing one.
• If a PKI domain already has a local certificate, you cannot request another certificate for it. This is to avoid inconsistency between the certificate and the registration information resulting from configuration changes. Before requesting a new certificate, use the pki delete-certificate command to delete the existing local certificate and the CA certificate stored locally.
• When it is impossible to request a certificate from the CA through SCEP, you can print the request information or save it to a local file, and then send the printed information or saved file to the CA by an out-of-band means. To print the request information, use the pki request-certificate domain command with the pkcs10 keyword. To save the request information to a local file, use the pki request-certificate domain command with the pkcs10 filename filename keyword and argument combination.
• Make sure the clocks of the entity and the CA are synchronized. Otherwise, the validity period of the certificate will be abnormal.
• The pki request-certificate domain configuration will not be saved in the configuration file.
Retrieving a Certificate Manually
You can download an existing CA certificate or local certificate from the CA server and save it locally. This can be done in either of two ways: online or offline. In offline mode, you retrieve the certificate by an out-of-band means such as FTP, disk, or e-mail, and then import it into the local PKI system.
Certificate retrieval serves two purposes:
• Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
• Prepare for certificate verification.
Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
Follow these steps to retrieve a certificate manually:
To do…                            Use the command…                                                      Remarks
Enter system view                 system-view                                                           —
Retrieve a certificate manually   Online:  pki retrieval-certificate { ca | local } domain domain-name  Required. Use either command.
                                  Offline: pki import-certificate { ca | local } domain domain-name
                                           { der | p12 | pem } [ filename filename ]
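The offline import command requires the operator to state the file format ({ der | p12 | pem }). The following helper, added here as an example and not taken from the H3C manual or the switch software, inspects a certificate file received out of band and reports which keyword applies; it also rejects a PKCS#10 request file, which is what the switch sends to the CA rather than something it imports. The `_der_tlv` and `detect_import_format` names and the minimal sample blobs are assumptions constructed for this example.

```python
import re

# Assumed helper (not from the H3C manual): classifies a certificate file received
# out of band so the operator passes the matching { der | p12 | pem } keyword to
# "pki import-certificate { ca | local } domain domain-name".

PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def _der_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def detect_import_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'p12'; raise ValueError for data the switch cannot import."""
    m = PEM_LABEL.search(data)
    if m:
        label = m.group(1)
        if label == b"CERTIFICATE REQUEST":
            # A PKCS#10 request is what the switch sends to the CA, not what it imports.
            raise ValueError("file is a PKCS#10 request, not a certificate")
        if label == b"CERTIFICATE":
            return "pem"
        raise ValueError(f"unexpected PEM block: {label.decode()}")
    # Binary: an X.509 certificate and a PKCS#12 (PFX) bundle both start with SEQUENCE (0x30).
    try:
        outer_tag, start, end = _der_tlv(data)
        inner_tag, v_start, v_end = _der_tlv(data, start)
    except IndexError as exc:
        raise ValueError("truncated or non-DER data") from exc
    if outer_tag != 0x30 or end > len(data):
        raise ValueError("not a DER SEQUENCE")
    if inner_tag == 0x30:                   # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "der"
    if inner_tag == 0x02 and data[v_start:v_end] == b"\x03":   # PFX ::= SEQUENCE { version INTEGER 3, ... }
        return "p12"
    raise ValueError("DER data is neither an X.509 certificate nor a PKCS#12 bundle")


# Constructed minimal samples (not real certificates) that exercise each branch.
SAMPLES = {
    "pem": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "der": b"\x30\x04\x30\x02\x05\x00",     # SEQUENCE { SEQUENCE { NULL } }
    "p12": b"\x30\x81\x03\x02\x01\x03",     # SEQUENCE (long-form length) { INTEGER 3 }
}

if __name__ == "__main__":
    for expected, blob in SAMPLES.items():
        print(expected, "->", detect_import_format(blob))
```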