• The key pair is used for the certificate request. Upon receiving the public key and the identity information, the CA signs and issues a certificate.
• After the CA issues the certificate, the device obtains and saves it locally.
Configuration guidelines
• A PKI domain can have local certificates using only one type of cryptographic algorithm (DSA, ECDSA, or RSA). If DSA or ECDSA is used, a PKI domain can have only one local certificate. If RSA is used, a PKI domain can have one local certificate for signature and one for encryption.
• If a local certificate exists, do not request a certificate that conflicts with the existing one in online mode, and do not use the public-key local create or public-key local destroy command to generate or destroy a key pair with the same name as the key pair in the existing local certificate. Otherwise, the existing local certificate becomes unavailable. To request a new local certificate, use the pki delete-certificate command to remove the existing local certificate, and then use the public-key local create or public-key local destroy command to generate a new key pair or destroy the key pair associated with the original local certificate.
Configuration procedure
To manually request a certificate:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter PKI domain view. | pki domain domain-name | N/A
3. Set the certificate request mode to manual. | certificate request mode manual | By default, the manual request mode applies.
4. Return to system view. | quit | N/A
5. Obtain the CA certificate. | See "Obtaining certificates." | N/A
6. Submit a certificate request or generate a certificate request in PKCS#10 format. | pki request-certificate domain domain-name [ password password ] [ pkcs10 [ filename filename ] ] | This command is not saved in the configuration file. Executing the command triggers the PKI entity to automatically generate a key pair according to the key name, algorithm, and length defined in the PKI domain if the key pair specified in the PKI domain does not exist.

Aborting a certificate request
Before the CA issues a certificate, you can abort a certificate request to change some parameters in the request, such as the common name, country code, and FQDN. You can use the display pki certificate request-status command to display the certificate request status.
Alternatively, you can remove the PKI domain to abort the certificate request.
To abort a certificate request:
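The following session is an added example, not taken from the guide, that walks through the manual request procedure above and ends with the status check named under "Aborting a certificate request". The device name, the domain name corp-pki, the challenge password, and the file name are constructed values; the CA certificate is assumed to have been obtained for the domain (step 5) before the request is submitted.

```console
<Device> system-view
[Device] pki domain corp-pki
[Device-pki-domain-corp-pki] certificate request mode manual
[Device-pki-domain-corp-pki] quit
# Step 5 (obtaining the CA certificate) is described in "Obtaining certificates" and is not shown here.
# Online request. The password is a constructed value for this example; the key pair named in the
# PKI domain is generated automatically if it does not exist yet.
[Device] pki request-certificate domain corp-pki password Ch4ll3ng3-example
# Offline alternative: write the request to a PKCS#10 file for out-of-band submission to the CA.
[Device] pki request-certificate domain corp-pki pkcs10 filename corp-pki.p10
# Check the request status before deciding whether to abort it to change the common name,
# country code, or FQDN.
[Device] display pki certificate request-status
```

After the certificate is issued, do not run public-key local create or public-key local destroy with the key name used by that local certificate, because the certificate then becomes unavailable.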