Aborting A Certificate Request; Obtaining Certificates; Configuration Prerequisites; Configuration Guidelines - HP 5920 Series Configuration Manual

Aborting a certificate request

Before the CA issues a certificate, you can abort a certificate request to change some of its parameters, such as the common name, country code, and FQDN. You can use display pki certificate request-status to display the certificate request status.
Alternatively, you can remove a PKI domain to abort the certificate request.
To abort a certificate request:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Abort a certificate request. | pki abort-certificate-request domain domain-name | This command is not saved in the configuration file. |

Obtaining certificates

You can obtain the CA certificate, local certificates, and peer certificates related to a PKI domain from a CA and save them locally for higher lookup efficiency. To do so, use either the offline mode or the online mode:
- In offline mode, obtain the certificates by an out-of-band means such as FTP, disk, or email, and then import them locally. This mode is suitable for the scenario where the CRL repository is not specified, the CA server does not support SCEP, or the CA server generates the key pair for the certificates.
- In online mode, you can obtain the CA certificate through SCEP and obtain local certificates or peer certificates through LDAP.

Configuration prerequisites

Before you obtain local or peer certificates in online mode, specify the LDAP server for the PKI domain.
Before you obtain local or peer certificates in offline mode, complete the following tasks:
- Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or TFTP is not available, display and copy the certificate contents to a file. Make sure the certificate is in PEM format, because only certificates in PEM format can be imported by this means.
- To import a local or peer certificate, a CA certificate chain must exist in the PKI domain or be carried in the local or peer certificate. If the CA certificate chain is not available, obtain it first.

Configuration guidelines

- To import a local certificate containing an encrypted key pair, you must provide the challenge password. Contact the CA administrator to obtain the password.
- If a CA certificate already exists locally, you cannot obtain it again in online mode. To obtain a new one, use pki delete-certificate to remove the CA certificate and local certificates first.
- If local or peer certificates already exist, you can obtain new local or peer certificates to overwrite the existing ones. If RSA is used, a PKI domain can have two local certificates, one for signature and the other for encryption.
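
The offline-import conditions described above (PEM format only, a CA certificate chain that is either in the PKI domain or carried in the file, and a password for an encrypted key pair) can be checked on a workstation before the file is uploaded. The following Python check is an added example and is not part of the HP manual; the function names, report keys, and sample certificate names are assumptions, and it compares issuer and subject names only, without verifying signatures.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):  # read one DER TLV -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_subject(der):
    """Return the raw (issuer, subject) Name bytes of an X.509 certificate."""
    tbs = _tlv(_tlv(der, 0)[1], 0)[1]  # Certificate -> TBSCertificate
    fields, pos = [], 0
    while len(fields) < 5:  # serial, sigAlg, issuer, validity, subject
        tag, value, pos = _tlv(tbs, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(value)
    return fields[2], fields[4]

def preflight(text):
    """Check file contents against the offline-import prerequisites."""
    blocks = PEM_BLOCK.findall(text)
    names = [issuer_subject(base64.b64decode(body))
             for label, body in blocks if label == "CERTIFICATE"]
    report = {"pem": bool(names), "certs": len(names), "chain_carried": False,
              "needs_password": any("ENCRYPTED" in label or "4,ENCRYPTED" in body
                                    for label, body in blocks)}
    by_subject = {subject: issuer for issuer, subject in names}
    issuer = names[0][0] if names else None  # assumes the first block is the leaf
    for _ in names:  # bounded walk, so looping names cannot hang the check
        parent = by_subject.get(issuer)
        if parent in (None, issuer):  # issuer absent, or self-issued root reached
            return {**report, "chain_carried": parent is not None}
        issuer = parent
    return report

def _der(tag, body):  # builder for the constructed samples; bodies < 128 bytes
    return bytes([tag, len(body)]) + body

def sample_cert(issuer, subject):  # constructed, unsigned skeleton: names only
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30,
        _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject))
    body = base64.encodebytes(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
```

When chain_carried is False, the file does not carry the CA certificate chain up to a self-issued root, so that chain has to exist in the PKI domain before the import.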


This manual is also suitable for:

5900 series
