Obtaining A New Certificate; Renewing An Existing Certificate - GE MDS ORBIT MCR Technical Manual


the "Subject" portion of an X.509 certificate must be configured. Some fields may be fixed/required by
the specific SCEP server.
The CA fingerprint on the MCR should contain only alphanumeric characters, with no spaces or
separators (commas, colons, etc.).
> set pki cert-info certificate-info predefined_cert_info
Possible completions:
  common-name-x509
  country-x509
  locale-x509
  org-unit-x509
  organization-x509
  pkcs9-email-x509
  state-x509
The parameters that must be entered for the client certificate information must again be obtained from the
System Administration or Security personnel. The common name will always be required. Other
parameters may be required.
Here is an example:
> set pki cert-info certificate-info predefined_cert_info organization-x509 "GE MDS LLC" org-unit-x509 Engineering common-name-x509 00102200000102030411223344556670
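
The CA fingerprint note above can be applied before the value is entered on the MCR. The following is an added example, not part of the GE MDS manual: it strips separators from a published fingerprint and checks it against a CA certificate obtained out of band. The function names, the sample data and the set of accepted digest types are assumptions; the manual does not state which digest the SCEP server publishes.

```python
import base64
import hashlib
import hmac
import re

# Hex digest length -> hash name. Which digest a given SCEP server publishes
# is an assumption here; the manual page does not name one.
DIGEST_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def normalize_fingerprint(text):
    """Return (algorithm, hex) with separators removed, or raise ValueError."""
    # Drop an optional "... Fingerprint=" label, then the separators the
    # manual warns about (colons, commas, spaces) plus dashes and dots.
    value = text.split("=", 1)[-1]
    value = re.sub(r"[\s:,.\-]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]+", value):
        raise ValueError("fingerprint contains non-hex characters")
    algorithm = DIGEST_BY_HEX_LEN.get(len(value))
    if algorithm is None:
        raise ValueError("unexpected fingerprint length: %d" % len(value))
    return algorithm, value


def pem_to_der(pem):
    """Decode the first PEM CERTIFICATE block to DER bytes."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint_matches(published, ca_cert_pem):
    """Compare a published fingerprint with the digest of the DER encoding
    of a CA certificate obtained out of band."""
    algorithm, expected = normalize_fingerprint(published)
    actual = hashlib.new(algorithm, pem_to_der(ca_cert_pem)).hexdigest().upper()
    return hmac.compare_digest(expected, actual)


# Constructed sample: placeholder bytes stand in for a DER certificate so the
# example runs offline; this is not a real CA certificate.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
_hex = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
SAMPLE_PUBLISHED = "SHA256 Fingerprint=" + ":".join(_hex[i:i + 2] for i in range(0, 64, 2))
```

The second element returned by normalize_fingerprint() is the separator-free string; a False result from fingerprint_matches() means the published value and the certificate in hand do not agree and the value should not be configured.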

Obtaining a New Certificate

To obtain a new client certificate from a SCEP server, the first step is to request the CA certificate from
the SCEP server.
> request pki ca-certs import cert-identity scep_ca_cert scep {
ca-issuer-identity predefined_ca_server cert-server-identity predefined_cert_server }
The next step is to request the new client certificate from the SCEP server.
> request pki client-certs import cert-identity scep_client_cert scep {
cert-server-identity predefined_cert_server ca-issuer-identity predefined_ca_server
cert-info-identity predefined_cert_info ca-cert-identity scep_ca_cert
private-key-identity imported_key_2048 ca-challenge 36DE2A1E53BECF9AE5BB3E0B12D4C85E }

Renewing an Existing Certificate

At some point, the dates on the certificate will need to be renewed due to time or security policy. A client
certificate can be renewed using the existing certificate with the same key as originally used when it was
generated. An alternative is to provide a new key and identity for the certificate that is to be renewed and
rekeyed.
The following example shows how to renew an existing client certificate from the SCEP server:
> request pki client-certs import cert-identity renewed_scep_client_cert scep {
cert-server-identity predefined_cert_server ca-issuer-identity predefined_ca_server
cert-info-identity predefined_cert_info ca-cert-identity scep_ca_cert
private-key-identity imported_key_2048 existing-cert-identity scep_client_cert
existing-private-key-identity imported_key_2048 }
MDS 05-6632A01, Rev. F
MDS Orbit MCR/ECR Technical Manual
379