Requesting A Certificate; Configuration Guidelines - HPE FlexNetwork 7500 Series Security Configuration Manual
Hide thumbs
Also See for FlexNetwork 7500 Series:
- Security configuration manual (597 pages) ,
- Command reference manual (474 pages) ,
- Network management and monitoring command reference (430 pages)
Table of Contents
Advertisement
Step
12. (Optional.) Specify a
source IP address for
the PKI protocol
packets.
Requesting a certificate
To request a certificate, a PKI entity must provide its identity information and public key to a CA.
A certificate request can be submitted to a CA in offline or online mode.
•
Offline mode—A certificate request is submitted by using an out-of-band method, such as
phone, disk, or email. You can use this mode as required or if you fail to request a certificate in
online mode.
To submit a certificate request in offline mode:
a. Use pki request-certificate domain pkcs10 to print the request information on the
terminal or use pki request-certificate domain pkcs10 filename to save the request
information to a local file.
b. Send the printed information or the saved file to the CA by using an out-of-band method.
•
Online mode—A certificate request can be automatically or manually submitted. This section
describes the online request mode.
Configuration guidelines
The following guidelines apply to certificate request for an entity in a PKI domain:
•
Make sure the device is time synchronized with the CA server. Otherwise, the certificate request
might fail because the certificate is considered to be outside of the validity period. For
information about how to configure the system time, see Fundamentals Configuration Guide.
•
To request a new certificate for a PKI entity that already has a local certificate, perform the
following tasks:
a. Use the pki delete-certificate command to delete the existing local certificate.
b. Use the public-key local create to generate a new key pair. The new key pair will
automatically overwrite the old key pair in the domain.
c. Submit a new certificate request.
•
After a new certificate is obtained, do not use the public-key local create or public-key local
destroy command to generate or destroy a key pair with the same name as the key pair in the
local certificate. Otherwise, the existing local certificate becomes unavailable.
•
A PKI domain can have local certificates using only one type of cryptographic algorithms (DSA,
ECDSA, or RSA). If DSA or ECDSA is used, a PKI domain can have only one local certificate. If
RSA is used, a PKI domain can have one local certificate for signature, and one local certificate
for encryption.
Command
•
Specify the source IPv4 address for
the PKI protocol packets:
source ip { ip-address | interface
{interface-type interface-number }
•
Specify the source IPv6 address for
the PKI protocol packets:
source ipv6 { ipv6-address |
interface { interface-type
interface-number }}
246
Remarks
The device does not support the
ike keyword in the current
software version.
This task is required if the CA
policy requires that the CA server
accept certificate requests from a
specific IP address or subnet.
By default, the source IP address
of PKI protocol packets is the IP
address of their outgoing
interface.
Advertisement
Table of Contents
Troubleshooting
