To submit a certificate request in offline mode:
a. Use pki request-certificate domain pkcs10 to print the request information on the terminal, or use pki request-certificate domain pkcs10 filename to save the request information to a local file.
b. Send the printed information or the saved file to the CA by an out-of-band means to submit the request.
• Online mode—A certificate request can be automatically or manually submitted. The following sections describe the online request mode.
Configuring automatic certificate request
IMPORTANT:
If an automatically requested certificate will soon expire or has expired, the entity does not initiate a
re-request to the CA automatically, and the applications using the certificate might be interrupted.
In auto request mode, a PKI entity automatically submits a certificate request to the CA when an
application works with the PKI entity that does not have a local certificate. For example, when IKE
negotiation uses a digital signature for identity authentication, but no local certificate is available, the
entity automatically submits a certificate request and saves the certificate locally after obtaining it from
the CA.
A CA certificate must be present before you request a local certificate. If no CA certificate exists in the PKI
domain, the PKI entity automatically obtains a CA certificate before sending a certificate request.
Configuration guidelines
• Make sure the system time is synchronized with the CA server. Otherwise, the certificate request process might fail because the certificate might be regarded as out of its validity period. For information about how to change the system time, see Fundamentals Configuration Guide.
• If a local certificate exists, do not use the public-key local create or public-key local destroy command to generate or destroy a key pair with the same name as the key pair in the existing local certificate. Otherwise, the existing local certificate becomes unavailable. To request a new local certificate, first use the pki delete-certificate command to remove the existing local certificate, and then use the public-key local create or public-key local destroy command to generate a new key pair or destroy the key pair associated with the original local certificate.
Configuration procedure
To configure automatic certificate request:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter PKI domain view.
  Command: pki domain domain-name
  Remarks: N/A

Step 3. Set the certificate request mode to auto.
  Command: certificate request mode auto [ password { cipher | simple } password ]
  Remarks: By default, the manual request mode applies. In auto request mode, set a password for certificate revocation if the CA policy requires the password.
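The following CLI session is an added illustration of the procedure above, not a session taken from the guide. It enters the PKI domain view and switches the domain to automatic request mode with a plaintext challenge password, which the CA can later require for revocation. The device name Sysname, the domain name example-domain, and the password value are assumed placeholders; the domain itself is assumed to have been created and configured (CA server, entity, and so on) beforehand.

```console
<Sysname> system-view
[Sysname] pki domain example-domain
[Sysname-pki-domain-example-domain] certificate request mode auto password simple REPLACE-WITH-REVOCATION-PASSWORD
[Sysname-pki-domain-example-domain] quit
[Sysname] quit
```

After this, the entity submits the request on its own the first time an application in this domain needs a local certificate (for example, IKE using signature authentication), fetching the CA certificate first if the domain has none. Because the entity does not re-request an expiring certificate, monitor validity periods separately; and if you later regenerate the key pair, remove the existing local certificate with pki delete-certificate first, as the guidelines above require.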