Configuring automatic certificate request
IMPORTANT:
The device does not support automatic certificate rollover. To avoid service interruptions, you must
manually submit a certificate renewal request before the current certificate expires.
In auto request mode, a PKI entity automatically submits a certificate request to the CA when an
application works with the PKI entity that does not have a local certificate. For example, when IKE
negotiation uses a digital signature for identity authentication, but no local certificate is available, the
entity automatically submits a certificate request. It saves the certificate locally after obtaining it from
the CA.
A CA certificate must be present before you request a local certificate. If no CA certificate exists in the
PKI domain, the PKI entity automatically obtains a CA certificate before sending a certificate request.
To configure automatic certificate request:
Step
1.
Enter system view.
2.
Enter PKI domain view.
3.
Set the certificate request
mode to auto.
Manually requesting a certificate
Before you manually submit a certificate request, make sure the CA certificate exists and a key pair
is specified for the PKI domain:
•
The CA certificate is used to verify the authenticity and validity of the obtained local certificate.
•
The key pair is used for certificate request. Upon receiving the public key and the identity
information, the CA signs and issues a certificate.
After the CA issues the certificate, the device obtains and saves it locally.
To manually request a certificate:
Step
1.
Enter system view.
2.
Enter PKI domain view.
3.
Set the certificate
request mode to
manual.
4.
Return to system view.
5.
Obtain the CA
certificate.
6.
Submit a certificate
request or generate a
certificate request in
PKCS#10 format.
Command
system-view
pki domain domain-name
certificate request mode auto
[ password { cipher | simple }
password ]
Command
system-view
pki domain domain-name
certificate request mode manual
quit
See
"Obtaining
certificates."
pki request-certificate domain
domain-name [ password password ]
[ pkcs10 [ filename filename ] ]
232
Remarks
N/A
N/A
By default, the manual
request mode applies.
In auto request mode, set
a password for certificate
revocation as required by
the CA policy.
Remarks
N/A
N/A
By default, the manual request
mode applies.
N/A
N/A
This command is not saved in
the configuration file.
This command triggers the PKI
entity to automatically generate