Requesting a certificate manually – H3C Technologies H3C WX6000 Series Access Controllers User Manual

Page 473

Advertising
background image

41-4

Auto: In auto mode, an entity automatically requests a certificate through the Simple Certification

Enrollment Protocol (SCEP) when it has no local certificate or the present certificate is about to

expire.

You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request

modes require different configurations:

Requesting a certificate manually

Perform the tasks in

Table 41-1

to request a certificate manually.

Table 41-1 Configuration task list for requesting a certificate manually

Task

Remarks

Creating a PKI Entity

Required

Create a PKI entity and configure the identity information.

A certificate is the binding of a public key and an entity, where an entity is the collection
of the identity information of a user. A CA identifies a certificate applicant by entity.

The identity settings of an entity must be compliant to the CA certificate issue policy.
Otherwise, the certificate request may be rejected.

Creating a PKI
Domain

Required

Create a PKI domain, setting the certificate request mode to Manual.

Before requesting a PKI certificate, an entity needs to be configured with some
enrollment information, which is referred to as a PKI domain.

A PKI domain is intended only for convenience of reference by other applications like
IKE and SSL, and has only local significance.

Generating an RSA
Key Pair

Required

Generate a local RSA key pair.

By default, no local RSA key pair exists.

Generating an RSA key pair is an important step in certificate request. The key pair
includes a public key and a private key. The private key is kept by the user, while the
public key is transferred to the CA along with some other information.

If there is already a local certificate, you need to remove the certificate before
generating a new key pair, so as to keep the consistency between the key pair and the
local certificate.

Retrieving the CA
certificate

Required

Certificate retrieval serves two purposes:

Locally store the certificates associated with the local security domain for improved
query efficiency and reduced query count,

Prepare for certificate verification.

If there are already CA certificates locally, you cannot perform the CA certificate
retrieval operation. This is to avoid possible mismatch between certificates and
registration information resulting from relevant changes. To retrieve the CA certificate,
you need to remove the CA certificate and local certificate first.

Advertising
This manual is related to the following products:

H3C WX5000 Series Access Controllers, H3C WX3000 Series Unified Switches, H3C LSWM1WCM10 Access Controller Module, H3C LSWM1WCM20 Access Controller Module, H3C LSQM1WCMB0 Access Controller Module, H3C LSRM1WCM2A1 Access Controller Module, H3C LSBM1WCM2A0 Access Controller Module

Popular Brands
Popular manuals