H3C Technologies H3C WX6000 Series Access Controllers User Manual

68-8

Generating an RSA key pair is an important step in certificate request. The key pair includes a public
key and a private key. The private key is kept by the user, while the public key is transferred to the CA
along with some other information. For detailed information about RSA key pair configuration, refer to

SSH

in H3C WX6103 Access Controller Switch Interface Board Configuration Guide.

Follow these steps to submit a certificate request in manual mode:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enter PKI domain view

pki domain

domain-name —

Set the certificate request mode to
manual

certificate request mode manual

Optional
Manual by default

Return to system view

quit

—

Retrieve a CA certificate manually

Refer to

Retrieving a Certificate

Manually

Required

Generate a local RSA key pair

public-key local create rsa

Required
No local RSA key pair exists by
default.

Submit a local certificate request

pki request-certificate domain
domain-name

[ password ]

[ pkcs10 [ filename filename ] ]

Required

z

If a PKI domain has already a local certificate, creating an RSA key pair will result in inconsistency
between the key pair and certificate. To generate a new RSA key pair, delete the local certificate
and then issue the public-key local create rsa command.

z

A newly created key pair will overwrite the existing one. If you perform the public-key local create

rsa

command in the presence of a local RSA key pair, the system will ask you whether you want to

overwrite the existing one.

z

If a PKI domain has already a local certificate, you cannot request another certificate for it. This is to
avoid inconsistency between the certificate and the enrollment information resulting from
configuration changes. To request a new certificate, use the pki delete-certificate command to
delete the existing local certificate and the CA certificate stored locally.

z

When it is impossible to request a certificate from the CA through SCEP, you can save the request
information by using the pki request-certificate domain command with the pkcs10 and filename
keywords, and then send the file to the CA by an out-of-band means.

z

Make sure the clocks of an entity and the CA are synchronous. Otherwise, the validity period of the
certificate may be abnormal.

z

The pki request-certificate domain configuration will not be saved in the configuration file.