Requesting A Certificate; Configuring Automatic Certificate Request - HP VSR1000 Security Configuration Manual

Virtual services router

Step 11. (Optional.) Specify the extended application of the certificate.
  Command:
    usage { ike | ssl-client | ssl-server } *
  Remarks:
    By default, the certificate is for all extended applications, including IKE, SSL clients, and SSL server.
    The extension of a certificate depends on the certificate user, and it is not limited by PKI.
    The extension options contained in an issued certificate depend on the CA policy, and they might be different from those specified in the PKI domain.

Step 12. Specify the source IP address for the PKI protocol packets.
  Command:
    Specify the source IPv4 address for the PKI protocol packets:
      source ip { ip-address | interface { interface-type interface-number } }
    Specify the source IPv6 address for the PKI protocol packets:
      source ipv6 { ipv6-address | interface { interface-type interface-number } }
  Remarks:
    Required if the CA policy defines the CA server to accept requests from a specific IP address or subnet.
    Use one of the commands.
    By default, the source IP address is the outgoing interface IP address of the route to the CA.

Requesting a certificate

To request a certificate, a PKI entity must provide its identity information and public key to a CA.
A certificate request can be submitted to a CA in offline or online mode.

Offline mode—A certificate request is submitted by an out-of-band means, such as phone, disk, or email. You can use this mode as required or if you fail to request a certificate in online mode.
To submit a certificate request in offline mode:
a. Use pki request-certificate domain pkcs10 to print the request information on the terminal or use pki request-certificate domain pkcs10 filename to save the request information to a local file.
b. Send the printed information or the saved file to the CA by an out-of-band means to submit the request.

Online mode—A certificate request can be automatically or manually submitted. The following sections describe the online request mode.

Configuring automatic certificate request

IMPORTANT:
If an automatically requested certificate will soon expire or has expired, the entity does not initiate a re-request to the CA automatically, and the applications using the certificate might be interrupted.

In auto request mode, a PKI entity automatically submits a certificate request to the CA when an application works with the PKI entity that does not have a local certificate. For example, when IKE negotiation uses a digital signature for identity authentication, but no local certificate is available, the
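
For the offline mode described above, a request copied from a terminal or carried on a disk can arrive at the CA truncated or altered. The following is an added example, not taken from the HP manual: it checks that a saved request is structurally complete and returns a SHA-256 fingerprint that the requester and the CA operator can compare over a second channel. It assumes the request is PEM-armored PKCS#10; `make_sample_pem` is a hypothetical helper that builds a constructed stand-in, not a real signed request.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)

def der_total_length(der: bytes) -> int:
    """Return the total size declared by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def csr_fingerprint(text: str) -> str:
    """Validate the PEM/DER framing of a request and return its SHA-256 hex digest."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PKCS#10 PEM block found")
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"corrupt base64: {exc}") from None
    if der_total_length(der) != len(der):  # a lost line or stray bytes shows up here
        raise ValueError("request is truncated or has trailing data")
    return hashlib.sha256(der).hexdigest()

def make_sample_pem(body_len: int = 300) -> str:
    """Constructed stand-in: a SEQUENCE around filler bytes (assumption, not a real CSR)."""
    body = (bytes(range(256)) * 2)[:body_len]
    der = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    print(csr_fingerprint(make_sample_pem()))
```

The check covers framing only; it does not verify the request's self-signature or its subject fields.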
