Retrieving A Certificate Manually - HP 5120 EI Switch Series Configuration Manual

To do...
Generate a local RSA key pair
Submit a local certificate request
manually
NOTE:

If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the
key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the
public-key local create command. For more information about the public-key local create command, see the
Security Command Reference

A newly created key pair will overwrite the existing one. If you perform the public-key local create command in
the presence of a local RSA key pair, the system will ask you whether you want to overwrite the existing one.

If a PKI domain already has a local certificate, you cannot request another certificate for it. This helps avoid
inconsistency between the certificate and the registration information resulting from configuration changes.
Before requesting a new certificate, use the pki delete-certificate command to delete the existing local certificate
and the CA certificate stored locally.

When it is impossible to request a certificate from the CA through SCEP, save the request information by using
the pki request-certificate domain command with the pkcs10 and filename keywords, and then send the file to
the CA by an out-of-band means.

Make sure the clocks of the entity and the CA are synchronous. Otherwise, the validity period of the certificate
will be abnormal.

The pki request-certificate domain configuration will not be saved in the configuration file.

Retrieving a certificate manually

You can download CA certificates and local certificates and save them locally. To do so, use either the
online mode or the offline mode. In offline mode, you must retrieve a certificate by an out-of-band means
like FTP, disk, or email, and then import it into the local PKI system.
Certificate retrieval serves two purposes:
Locally store the certificates associated with the local security domain for improved query efficiency

and reduced query count
Prepare for certificate verification.

Before retrieving a local certificate in online mode, be sure to complete the LDAP server configuration.
Follow these steps to retrieve a certificate manually:
To do...
Enter system view
Retrieve a
certificate
manually
Use the command...
public-key local create rsa
pki request-certificate domain
domain-name [ password ] [
pkcs10 [ filename filename ] ]
.
Use the command...
system-view
pki retrieval-certificate { ca | local } domain
Online
domain-name
pki import-certificate { ca | local } domain
Offline domain-name { der | p12 | pem } [ filename
filename ]
Remarks
Required
No local RSA key pair exists by
default.
Required
194
Remarks
—
Required
Use either command.