R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

231

232

233

234

235

236

237

238

239

240

224

Requesting a certificate

When requesting a certificate, an entity introduces itself to the CA by providing its identity information

and public key, which will be the major components of the certificate. A certificate request can be

submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to

a CA by an "out-of-band" means such as phone, disk, or email.

Online certificate request can be initiated in manual mode or auto mode

Configuring automatic certificate request

In auto mode, an entity automatically requests a certificate from the CA server if it has no local certificate

for an application working with PKI. For example, when PKI certificate authentication is used, if no local

certificate is available during IKE negotiation, the entity automatically requests one, and saves the local

certificate after retrieving it from the CA. If the PKI domain has no CA certificate before the entity submits

the certificate request, the entity automatically obtains the CA certificate first.

If an automatically requested certificate will expire or has expired, the entity does not initiate a re-request

to the CA automatically, and the services using the certificate might be interrupted.

To configure automatic certificate request:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Enter PKI domain view.

pki domain domain-name N/A

3. Set the certificate request

mode to auto.

certificate request mode auto

[ key-length key-length | password

{ cipher | simple } password ] *

Manual by default.

Manually requesting a certificate

In manual mode, you must submit a local certificate request for an entity. Before the request, you must

obtain a CA certificate and generate a key pair for the PKI domain.

The CA certificate in the PKI domain is used to verify the authenticity and validity of a local certificate.

Generating a key pair is an important step in certificate request. The key pair includes a public key and

a private key. The private key is kept by the user. The public key is transferred to the CA along with some

other information. For more information about RSA key pair configuration, see "Managing public keys."

Configuration guidelines

• If a PKI domain already has a local certificate, creating an RSA key pair might result in

inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the

local certificate and then execute the public-key local create command. For more information about

the public-key local create command, see Security Command Reference.

• A newly created key pair will overwrite the existing one. If you perform the public-key local create

command in the presence of a local RSA key pair, the system will ask you whether you want to

overwrite the existing one.