Submitting A Certificate Request In Manual Mode - 3Com MSR 50 Series Configuration Manual

3com msr 30-16: software guide

Chapter 97: PKI Configuration (page 1836)

Submitting a Certificate Request in Manual Mode

In manual mode, you need to retrieve a CA certificate, generate a local RSA key
pair and submit a local certificate request for an entity.
The goal of retrieving a CA certificate is to verify the authenticity and validity of a
local certificate.
Generating an RSA key pair is an important step in a certificate request. The key pair
includes a public key and a private key. The private key is held by the user, while
the public key is transferred to the CA along with some other information.
For detailed information about RSA key pair configuration, refer to
"Configuring RSA and DSA Keys" on page 1924.

Follow these steps to submit a certificate request in manual mode:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter PKI domain view | pki domain domain-name | - |
| Set the certificate request mode to manual | certificate request mode manual | Optional. Manual mode is adopted by default. |
| Return to system view | quit | - |
| Retrieve a CA certificate manually | Refer to "Retrieving a Certificate Manually" on page 1837 | Required |
| Generate a local RSA key pair | public-key local create rsa | Required. No local RSA key pair exists by default. |
| Submit a local certificate request | pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ] | Required |

- If a PKI domain already has a local certificate, creating an RSA key pair will
  result in inconsistency between the key pair and the certificate. To generate a new
  RSA key pair, delete the local certificate and then issue the public-key local
  create rsa command.
- A newly created key pair will overwrite the existing one. If you execute the
  public-key local create rsa command when a local RSA key pair already exists,
  the system will ask you whether you want to overwrite the existing one.
- If a PKI domain already has a local certificate, you cannot request another
  certificate for it. This is to avoid inconsistency between the certificate and the
  enrollment information resulting from configuration changes. To request a new
  certificate, use the pki delete-certificate command to delete the existing local
  certificate and the CA certificate stored locally.
- When it is impossible to request a certificate from the CA through SCEP, you
  can save the request information by using the pki request-certificate
  domain command with the pkcs10 and filename keywords, and then send
  the file to the CA by an out-of-band means.
- Make sure the clocks of the entity and the CA are synchronized. Otherwise, the
  validity period of the certificate may be abnormal.
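
The notes above cover sending the saved PKCS#10 request to the CA out of band, keeping the key pair and certificate consistent, and clock synchronization. The following is an added example, not part of the 3Com manual: workstation-side checks with OpenSSL before the request is sent and after the certificate is returned. The function names, file arguments and the assumption that all three files are PEM-encoded are hypothetical.

```shell
#!/bin/sh
# Added example, not from the 3Com manual. Runs on an admin workstation with
# OpenSSL; assumes the request, CA certificate and issued certificate are PEM
# files (add -inform DER to the openssl calls for DER). Names are hypothetical.

# 1. Before sending the saved PKCS#10 file to the CA: its self-signature must
#    verify, which shows the file is intact and was signed by the private key
#    matching the public key inside it.
request_is_intact() {    # $1 = saved request file
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# 2. After the certificate comes back: it must chain to the CA certificate
#    retrieved earlier and be inside its validity period by the local clock
#    (a skewed clock shows up here as "not yet valid" or "expired").
cert_is_trusted_now() {  # $1 = CA certificate, $2 = issued certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 3. The certificate must carry the same public key as the request, otherwise
#    it does not belong to the key pair the request was generated from.
cert_matches_request() { # $1 = issued certificate, $2 = saved request
    req_key=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
    crt_key=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$req_key" ] && [ "$req_key" = "$crt_key" ]
}

# Usage: sh check_enrollment.sh <request> <ca-cert> <issued-cert>
if [ "$#" -eq 3 ]; then
    request_is_intact "$1" || { echo "request signature invalid" >&2; exit 1; }
    cert_is_trusted_now "$2" "$3" || { echo "certificate not trusted or outside validity" >&2; exit 1; }
    cert_matches_request "$3" "$1" || { echo "certificate key differs from request" >&2; exit 1; }
    echo "request, CA certificate and issued certificate are consistent"
fi
```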
