Aborting A Certificate Request; Obtaining Certificates; Configuration Prerequisites; Configuration Guidelines - HPE FlexNetwork 7500 Series Security Configuration Manual


Aborting a certificate request

Before the CA issues a certificate, you can abort a certificate request and change its parameters,
such as the common name, country code, or FQDN. You can use the display pki certificate
request-status command to display the status of a certificate request.
Alternatively, you can remove the PKI domain to abort the associated certificate request.
To abort a certificate request:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Abort a certificate request. | pki abort-certificate-request domain domain-name | This command is not saved in the configuration file. |

Obtaining certificates

You can obtain the CA certificate, local certificates, and peer certificates related to a PKI domain from
a CA and save them locally for higher lookup efficiency. To do so, use either the offline mode or the
online mode:
- In offline mode, obtain the certificates by an out-of-band means like FTP, disk, or email, and
  then import them locally. Use this mode when the CRL repository is not specified, the CA server
  does not support SCEP, or the CA server generates the key pair for the certificates.
- In online mode, you can obtain the CA certificate through SCEP and obtain local certificates or
  peer certificates through LDAP.

Configuration prerequisites

- To obtain local or peer certificates in online mode, specify the LDAP server for the PKI domain.
- To import local or peer certificates in offline mode, perform the following tasks:
  - Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or
    TFTP is not available, display and copy the contents of a certificate to a file on the device. Make
    sure the certificate is in PEM format because only certificates in PEM format can be imported.
  - To import a certificate, a CA certificate chain must exist in the PKI domain, or be contained in the
    certificate. If the CA certificate chain is not available, obtain it before importing the certificate.

Configuration guidelines

- To import a local certificate containing an encrypted key pair, you must provide the challenge
  password. Contact the CA administrator to obtain the password.
- If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to
  obtain a new one, use the pki delete-certificate command to remove the existing CA certificate
  and local certificates first.
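
The offline-import conditions in the prerequisites and guidelines above (PEM only, a CA chain in the file or in the PKI domain, a password for an encrypted key pair) can be checked on the administrator's workstation before the file is uploaded. The following Python sketch is an added example, not part of the HPE manual or of the device software; the function names, the `domain_has_ca_chain` parameter, and the sample data are assumptions made for illustration.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def preflight(data: bytes, domain_has_ca_chain: bool) -> dict:
    """Check a certificate file against the offline-import conditions above."""
    result = {"certificates": 0, "needs_password": False, "problems": []}
    blocks = PEM_BLOCK.findall(data.decode("latin-1"))
    if not blocks:
        # Raw DER starts with an ASN.1 SEQUENCE tag (0x30); PEM is base64 text.
        kind = "DER-encoded" if data[:1] == b"\x30" else "unrecognized"
        result["problems"].append(f"{kind} file: only PEM format can be imported")
        return result
    for label, body in blocks:
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        try:  # header lines such as "Proc-Type:" contain ':'; base64 never does
            der = base64.b64decode("".join(ln for ln in lines if ":" not in ln), validate=True)
        except ValueError:
            result["problems"].append(f"{label}: body is not valid base64")
            continue
        if label == "CERTIFICATE":
            result["certificates"] += 1
            if der[:1] != b"\x30":
                result["problems"].append("CERTIFICATE: body is not a DER SEQUENCE")
        elif label.endswith("PRIVATE KEY"):
            if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in lines:
                result["needs_password"] = True
    if result["certificates"] == 0:
        result["problems"].append("no CERTIFICATE block found")
    elif result["certificates"] == 1 and not domain_has_ca_chain:
        # Structural check only: more than one certificate is taken to be a chain;
        # issuer/subject links are not verified here.
        result["problems"].append("no CA chain in file or PKI domain: obtain it first")
    return result

# Constructed sample data: a minimal DER SEQUENCE as body, not a real certificate.
_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

def sample_pem(label: str, headers: str = "") -> bytes:
    return f"-----BEGIN {label}-----\n{headers}{_B64}\n-----END {label}-----\n".encode()

if __name__ == "__main__":
    enc_key = sample_pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
    for name, blob, chain in [("leaf only", sample_pem("CERTIFICATE"), False),
                              ("leaf + key", sample_pem("CERTIFICATE") + enc_key, True),
                              ("DER", b"\x30\x82\x01\x0a", True)]:
        print(name, preflight(blob, chain))
```

A file that passes this check is only structurally ready for import; the device still validates the certificate against the CA chain when it is imported.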
