Submitting A Certificate Request In Manual Mode - HP 5120 SI Series Security Configuration Manual

Submitting a certificate request in manual mode

In manual mode, you need to retrieve a CA certificate, generate a local RSA key pair, and submit a local
certificate request for an entity.
The CA certificate is retrieved so that the authenticity and validity of a local certificate can be verified.
Generating an RSA key pair is an important step in a certificate request. The key pair includes a public key
and a private key. The private key is kept by the user, and the public key is transferred to the CA along
with some other information. For more information about RSA key pair configuration, see the Security
Configuration Guide.
Follow these steps to submit a certificate request in manual mode:
| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter PKI domain view | pki domain domain-name | |
| Set the certificate request mode to manual | certificate request mode manual | Optional. Manual by default |
| Return to system view | quit | |
| Retrieve a CA certificate manually | See "Retrieving a certificate manually" | Required |
| Generate a local RSA key pair | public-key local create rsa | Required. No local RSA key pair exists by default. |
| Submit a local certificate request manually | pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ] | Required |

NOTE:
• If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. For more information about the public-key local create command, see the Security Command Reference.
• A newly created key pair will overwrite the existing one. If you perform the public-key local create command in the presence of a local RSA key pair, the system will ask you whether you want to overwrite the existing one.
• If a PKI domain already has a local certificate, you cannot request another certificate for it. This helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. Before requesting a new certificate, use the pki delete-certificate command to delete the existing local certificate and the CA certificate stored locally.
• When it is impossible to request a certificate from the CA through SCEP, save the request information by using the pki request-certificate domain command with the pkcs10 and filename keywords, and then send the file to the CA by an out-of-band means.
• Make sure the clocks of the entity and the CA are synchronized. Otherwise, the validity period of the certificate will be abnormal.
• The pki request-certificate domain configuration will not be saved in the configuration file.
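The following is an added example, not part of the HP manual. It shows checks that can be run on the CA side when a request saved with the pkcs10 and filename keywords arrives out of band: that the request's self-signature verifies, and that the certificate later issued carries the same public key as the request, which is the key pair and certificate consistency the notes above describe. It assumes OpenSSL on an administrative workstation and a PEM-encoded PKCS#10 file; the function names and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the HP manual. Assumes OpenSSL on an admin
# workstation and a PEM-encoded PKCS#10 file; all names are placeholders.
# Usage: source this file, then for example
#   csr_signature_ok request.p10 && cert_matches_csr request.p10 issued.pem

# True only if the request's self-signature verifies, i.e. the requester
# holds the private key for the public key carried in the request.
# The "verify OK" message is matched so the result does not depend on how
# a given OpenSSL release sets its exit status.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Print the SHA-256 fingerprint of the public key (DER SubjectPublicKeyInfo)
# found in a request ($1 = req) or in a certificate ($1 = x509).
pubkey_fp() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    # Refuse to hash empty input, which would give a misleading fingerprint.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r \
        | cut -d' ' -f1
}

# True only if the certificate in $2 was issued for the key in request $1.
# A mismatch means the device's key pair was regenerated after the request
# was saved, or the wrong certificate was returned.
cert_matches_csr() {
    req_fp=$(pubkey_fp req "$1") || return 1
    crt_fp=$(pubkey_fp x509 "$2") || return 1
    [ -n "$req_fp" ] && [ "$req_fp" = "$crt_fp" ]
}
```

Comparing the request's public-key fingerprint with a value confirmed through a separate channel also guards against the file being swapped in transit.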
