Submitting A Certificate Request In Auto Mode; Submitting A Certificate Request In Manual Mode - HP 6125G Configuration Manual
Security configuration guide
Hide thumbs
Also See for 6125G:
- Command reference manual (426 pages) ,
- Configuration manual (379 pages) ,
- Release note (60 pages)
Table of Contents
Advertisement
An online certificate request can be submitted in manual mode or auto mode.
Submitting a certificate request in auto mode
IMPORTANT:
In auto mode, an entity does not automatically re-request a certificate to replace a certificate that is
expiring or has expired. After the certificate expires, the service using the certificate might be interrupted.
In auto mode, an entity automatically requests a certificate from the CA server through SCEP if it has no
local certificate for an application working with PKI, and then retrieves the certificate and saves the
certificate locally. Before requesting a certificate, if the PKI domain does not have the CA certificate yet,
the entity automatically retrieves the CA certificate.
To configure an entity to submit a certificate request in auto mode:
Step
1.
Enter system view.
2.
Enter PKI domain view.
3.
Set the certificate request
mode to auto.
Submitting a certificate request in manual mode
In manual mode, you must submit a local certificate request for an entity. Before the request, you must
retrieve a CA certificate or generate a key pair for the PKI domain if the domain do not have the CA
certificate or the key pair.
The CA certificate in the PKI domain is used to verify the authenticity and validity of a local certificate.
Generating a key pair is an important step in certificate request. The key pair includes a public key and
a private key. The private key is kept by the user. The public key is transferred to the CA along with some
other information. For more information about RSA key pair configuration, see
Configuration guidelines
If a PKI domain already has a local certificate, creating an RSA key pair might result in
•
inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the
local certificate and then execute the public-key local create command (see Security Command
Reference).
•
A newly created key pair will overwrite the existing one. If you perform the public-key local create
command in the presence of a local RSA key pair, the system will ask you whether you want to
overwrite the existing one.
If a PKI domain already has a local certificate, you cannot request another certificate for it. This
•
helps avoid inconsistency between the certificate and the registration information resulting from
configuration changes. Before requesting a new certificate, use the pki delete-certificate command
to delete the existing local certificate and the CA certificate stored locally.
When it is impossible to request a certificate from the CA through SCEP, you can print the request
•
information or save the request information to a local file, and then send the printed information or
saved file to the CA by an out-of-band means. To print the request information, use the pki
Command
system-view
pki domain domain-name
certificate request mode auto
[ key-length key-length | password
{ cipher | simple } password ] *
162
Remarks
N/A
N/A
Manual by default
"Managing public
keys."
Advertisement
Table of Contents
Troubleshooting
