Retrieving A Certificate Manually - 3Com 4500G Family Configuration Manual

To do...
Enter system view
Enter PKI domain view
Set the certificate request mode to
manual
Return to system view
Retrieve a CA certificate manually
Generate a local RSA key pair
Submit a local certificate request
manually
If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency
between the key pair and the certificate. To generate a new RSA key pair, delete the local
certificate and then issue the public-key local create command. For information about the
public-key local create command, refer to Public Key Commands in the Security Volume.
A newly created key pair will overwrite the existing one. If you perform the public-key local create
command in the presence of a local RSA key pair, the system will ask you whether you want to
overwrite the existing one.
If a PKI domain has already a local certificate, you cannot request another certificate for it. This is to
avoid inconsistency between the certificate and the registration information resulting from
configuration changes. To request a new certificate, use the pki delete-certificate command to
delete the existing local certificate and the CA certificate stored locally.
When it is impossible to request a certificate from the CA through SCEP, you can save the request
information by using the pki request-certificate domain command with the pkcs10 and filename
keywords, and then send the file to the CA by an out-of-band means.
Make sure the clocks of the entity and the CA are synchronous. Otherwise, the validity period of the
certificate will be abnormal.
The pki request-certificate domain configuration will not be saved in the configuration file.

Retrieving a Certificate Manually

You can download an existing CA certificate, local certificate, or peer entity certificate from the CA
server and save it locally. To do so, you can use two ways: online and offline. In offline mode, you need
to retrieve a certificate by an out-of-band means like FTP, disk, e-mail and then import it into the local
PKI system.
Certificate retrieval serves two purposes:
Locally store the certificates associated with the local security domain for improved query efficiency
and reduced query count,
Use the command...
system-view
pki domain domain-name
certificate request mode manual
quit
Refer to Retrieving a Certificate
Manually
public-key local create rsa
pki request-certificate domain
domain-name [ password ]
[ pkcs10 [ filename filename ] ]
1-8
Remarks
—
—
Optional
Manual by default
—
Required
Required
No local RSA key pair exists by
default.
Required