Requesting A Certificate; Configuring Automatic Certificate Request; Manually Requesting A Certificate - HP 6600 Security Configuration Manual


Requesting a certificate

When requesting a certificate, an entity introduces itself to the CA by providing its identity information
and public key, which will be the major components of the certificate. A certificate request can be
submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to
a CA by an "out-of-band" means such as phone, disk, or email.
An online certificate request can be initiated in manual mode or auto mode.

Configuring automatic certificate request

In auto mode, an entity automatically requests a certificate from the CA server if it has no local certificate
for an application working with PKI. For example, when PKI certificate authentication is used, if no local
certificate is available during IKE negotiation, the entity automatically requests one, and saves the local
certificate after retrieving it from the CA. If the PKI domain has no CA certificate before the entity submits
the certificate request, the entity automatically obtains the CA certificate first.
If an automatically requested certificate will expire or has expired, the entity does not initiate a re-request
to the CA automatically, and the services using the certificate might be interrupted.
To configure automatic certificate request:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter PKI domain view.
    Command: pki domain domain-name
    Remarks: N/A

Step 3. Set the certificate request mode to auto.
    Command: certificate request mode auto [ key-length key-length | password { cipher | simple } password ] *
    Remarks: Manual by default.

Manually requesting a certificate

In manual mode, you must submit a local certificate request for an entity. Before the request, you must
obtain a CA certificate and generate a key pair for the PKI domain.
The CA certificate in the PKI domain is used to verify the authenticity and validity of a local certificate.
Generating a key pair is an important step in a certificate request. The key pair includes a public key and
a private key. The private key is kept by the user. The public key is transferred to the CA along with some
other information. For more information about RSA key pair configuration, see "Managing public keys."

Configuration guidelines

If a PKI domain already has a local certificate, creating an RSA key pair might result in
inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the
local certificate and then execute the public-key local create command. For more information about
the public-key local create command, see Security Command Reference.

A newly created key pair will overwrite the existing one. If you execute the public-key local create
command when a local RSA key pair already exists, the system asks whether you want to
overwrite the existing one.
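The configuration guidelines above warn that creating a new RSA key pair while a local certificate exists can leave the two inconsistent. The following script is an added example, not part of the manual: it runs on a workstation with OpenSSL rather than on the device, and shows how to check that a private key and a certificate carry the same public key. The file names, the subject name, and the self-signed certificate standing in for a CA-issued one are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: detect a key pair / certificate mismatch with OpenSSL.
# All file names and the subject name below are constructed sample values.

# Print the public half of a private key as PEM.
pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Print the public key embedded in a certificate as PEM.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# key_matches_cert KEY CERT
# Returns 0 only when KEY and CERT hold the same public key,
# 1 on mismatch, 2 when either file cannot be parsed.
key_matches_cert() {
    k=$(pubkey_of_key "$1") || return 2
    c=$(pubkey_of_cert "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Reproduce the situation from the guidelines and report both checks.
demo() {
    d=$(mktemp -d) || return 1
    # Original key pair and a certificate bound to it
    # (self-signed here as a stand-in for a CA-issued local certificate).
    openssl genrsa -out "$d/old.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/old.key" -days 30 \
        -subj "/CN=router1.example.test" -out "$d/local.crt" 2>/dev/null
    # Key pair regenerated while the certificate is still in place.
    openssl genrsa -out "$d/new.key" 2048 2>/dev/null
    key_matches_cert "$d/old.key" "$d/local.crt" && r1=match || r1=mismatch
    key_matches_cert "$d/new.key" "$d/local.crt" && r2=match || r2=mismatch
    rm -rf "$d"
    echo "$r1 $r2"
}

demo   # prints: match mismatch
```

The second result is the inconsistency the guideline describes: the certificate still binds the old public key, so the new private key cannot be used with it.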


This manual is also suitable for:

Hsr6600
