R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

231

232

233

234

235

236

237

238

239

240

225

• If a PKI domain already has a local certificate, you cannot request another certificate for it. This

helps avoid inconsistency between the certificate and the registration information resulting from

configuration changes. Before requesting a new certificate, use the pki delete-certificate command

to delete the existing local certificate and the CA certificate stored locally.

• When it is impossible to request a certificate from the CA through SCEP, you can print the request

information or save the request information to a local file, and then send the printed information or

saved file to the CA by an out-of-band means. To print the request information, use the pki

request-certificate domain command with the pkcs10 keyword. To save the request information to

a local file, use the pki request-certificate domain command with the pkcs10 filename filename

option.

• Make sure the clocks of the entity and the CA are synchronous. Otherwise, the validity period of the

certificate will be abnormal.

• In FIPS mode, MD5 certificates cannot be imported.

Configuration procedure

To manually requesting a certificate:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Enter PKI domain view.

pki domain domain-name N/A

3. Set the certificate request

mode to manual.

certificate request mode manual

Optional.

Manual by default.

4. Return to system view.

quit N/A

5. Obtain a CA certificate

manually.

See "Obtaining certificates" N/

6. Generate a local RSA key

pair.

public-key local create rsa

No local RSA key pair exists by

default.

In FIPS mode, the RSA key pair

length is fixed to 2048 bits.

7. Submit a local certificate

request manually.

pki request-certificate domain

domain-name [ password ]

[ pkcs10 [ filename filename ] ]

N/A

This command is not saved in the

configuration file.

Obtaining certificates

You can download CA certificates or local certificates from the CA server and save them locally. To do

so, use either the offline mode or the online mode. In offline mode, you must obtain a certificate by an

out-of-band means like FTP, disk, or email, and then import it into the local PKI system.

Certificate retrieval serves the following purposes:

• Locally store the certificates associated with the local security domain for improved query efficiency

and reduced query count.

• Prepare for certificate verification.

Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.