Submitting a pki certificate request, Submitting a certificate request in auto mode, Submitting a certificate request in manual mode – H3C Technologies H3C SecPath F1000-E User Manual

308

Submitting a PKI certificate request

When requesting a certificate, an entity introduces itself to the CA by providing its identity information

and public key, which will be the major components of the certificate. A certificate request can be

submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to
a CA by an "out-of-band" means such as phone, disk, or email.
Online certificate request falls into manual mode and auto mode.

Submitting a certificate request in auto mode

In auto mode, an entity automatically requests a certificate from the CA server if it has no local certificate

for an application working with PKI. For example, when PKI certificate authentication is used, if no local
certificate is available during IKE negotiation, the entity automatically requests one.
To configure an entity to submit a certificate request in auto mode:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter PKI domain view.

pki domain domain-name N/A

3.

Set the certificate request

mode to auto.

certificate request mode auto
[ key-length key-length | password
{ cipher | simple } password ] *

Manual by default

NOTE:

If a certificate will expire or has expired, the entity does not initiate a re-request automatically, and the
service using the certificate might be interrupted. To have a new local certificate, request one manually.

Submitting a certificate request in manual mode

In manual mode, you need to retrieve a CA certificate, generate a local RSA key pair, and submit a local

certificate request for an entity.
The goal of retrieving a CA certificate will verify the authenticity and validity of a local certificate.
Generating an RSA key pair is an important step in certificate request. The key pair includes a public key

and a private key. The private key is kept by the user. The public key is transferred to the CA along with

some other information. For more information about RSA key pair configuration, see "Managing public

keys."
Follow these guidelines to request a certificate in manual mode:

•

If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency
between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate

and then issue the public-key local create command.

•

A newly created key pair will overwrite the existing one. If you perform the public-key local create
command in the presence of a local RSA key pair, the system will ask you whether you want to

overwrite the existing one.

•

If a PKI domain already has a local certificate, you cannot request another certificate for it. This

helps avoid inconsistency between the certificate and the registration information resulting from
configuration changes. Before requesting a new certificate, use the pki delete-certificate command

to delete the existing local certificate and the CA certificate stored locally.