R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101

Submitting a certificate request in manual mode
In manual mode, you retrieve the CA certificate, generate a local RSA key pair, and submit a local certificate request for an entity yourself, in that order.
The CA certificate is retrieved first so that the device can later verify the authenticity and validity of the local certificate it receives: the local certificate is checked against the signature of the CA that issued it.
Generating an RSA key pair is an essential step of the certificate request. The key pair consists of a public key and a private key. The private key stays on the device and is never sent out; the public key is transferred to the CA, together with the entity information, inside the certificate request, and the CA binds it to the identity in the issued certificate. For more information about RSA key pair configuration, see the chapter “Public key configuration.”
Follow these steps to submit a certificate request in manual mode:

To do…                                        Use the command…                                            Remarks
Enter system view                             system-view
Enter PKI domain view                         pki domain domain-name
Set the certificate request mode to manual    certificate request mode manual                             Optional. Manual by default.
Return to system view                         quit
Retrieve a CA certificate manually            See “Retrieving a certificate manually”                     Required.
Generate a local RSA key pair                 public-key local create rsa                                 Required. No local RSA or ECDSA key pair exists by default.
Submit a local certificate request manually   pki request-certificate domain domain-name [ password ]     Required.
                                              [ pkcs10 [ filename filename ] ]
NOTE:
If a PKI domain already has a local certificate, creating a new RSA key pair makes the key pair inconsistent with that certificate, because the certificate binds the old public key. To generate a new RSA key pair, delete the local certificate first and then issue the public-key local create command.
A newly created key pair overwrites the existing one. If you issue the public-key local create command while a local RSA key pair already exists, the system asks whether you want to overwrite it.
If a PKI domain already has a local certificate, you cannot request another certificate for it. This prevents the certificate from becoming inconsistent with the registration information after configuration changes. To request a new certificate, use the pki delete-certificate command to delete both the existing local certificate and the CA certificate stored locally.
When the certificate cannot be requested from the CA through SCEP, save the request information by using the pki request-certificate domain command with the pkcs10 and filename keywords, and then deliver the file to the CA by an out-of-band means. The same command without the filename keyword prints the PKCS#10 request on the terminal instead of writing it to a file.
Make sure the clocks of the entity and the CA are synchronized. Otherwise, the validity period of the issued certificate will be wrong relative to the device clock, and the certificate may be treated as not yet valid or as already expired.
The pki request-certificate domain command is executed immediately and is not saved in the configuration file.
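The complete manual-mode sequence from the steps above, including the offline PKCS#10 path and the re-keying caveat from the note, shown as a CLI session. This is an added example and not part of the original guide. The entity name lb-entity, domain name lb-domain, CA identifier corp-ca, host name lb01.example.com, SCEP URL and the file names are assumptions. The pki entity, certificate request url, pki import-certificate, pki delete-certificate and display pki certificate commands are standard Comware PKI commands that are not on this page; their use here is my reconstruction and should be checked against the command reference for this software release.

```text
# Added example (not from the original guide). Assumed names: entity "lb-entity",
# domain "lb-domain", CA identifier "corp-ca", host "lb01.example.com",
# SCEP URL http://ca.example.com/certsrv/mscep/mscep.dll, files "corp-ca.pem",
# "lb-req.p10" and "lb01.pem". Device prompt shown as <HP> / [HP].

<HP> system-view
[HP] pki entity lb-entity
[HP-pki-entity-lb-entity] common-name lb01.example.com
[HP-pki-entity-lb-entity] quit
[HP] pki domain lb-domain
[HP-pki-domain-lb-domain] ca identifier corp-ca
[HP-pki-domain-lb-domain] certificate request entity lb-entity
[HP-pki-domain-lb-domain] certificate request url http://ca.example.com/certsrv/mscep/mscep.dll
[HP-pki-domain-lb-domain] certificate request mode manual
[HP-pki-domain-lb-domain] quit

# Step 1: CA certificate. Retrieve it over SCEP when the CA is reachable ...
[HP] pki retrieval-certificate ca domain lb-domain
# ... or import a copy delivered out of band when it is not.
[HP] pki import-certificate ca domain lb-domain pem filename corp-ca.pem
# Compare the displayed fingerprint with the value published by the CA before
# trusting it; a wrong CA certificate means every later check validates nothing.
[HP] display pki certificate ca domain lb-domain

# Step 2: local key pair. If a local certificate already exists, delete it first,
# otherwise the new key no longer matches the certificate (see the note above).
[HP] pki delete-certificate local domain lb-domain
[HP] public-key local create rsa
# Answer "y" to the overwrite prompt only if you intend to replace the old key.

# Step 3a: submit the request to the CA over SCEP ...
[HP] pki request-certificate domain lb-domain
# Step 3b: ... or, when SCEP is impossible, write a PKCS#10 file and carry it to
# the CA out of band. Without "filename" the request is printed on the terminal.
[HP] pki request-certificate domain lb-domain pkcs10 filename lb-req.p10

# Step 4 (offline path only): import the certificate the CA returns, then verify
# that its validity period makes sense against the (NTP-synchronized) device clock.
[HP] pki import-certificate local domain lb-domain pem filename lb01.pem
[HP] display pki certificate local domain lb-domain
```

Because the pki request-certificate domain command is not written to the configuration file, repeat step 3 after any re-keying rather than expecting it to survive a reboot; what persists is the key pair, the domain configuration and the imported certificates.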