R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
303
NOTE:
• Up to two PKI domains can be created on a device.
• The CA name is required only when you retrieve a CA certificate. It is not used when in local certificate
request.
• The URL of the server for certificate request does not support domain name resolution.
Submitting a PKI certificate request
When requesting a certificate, an entity introduces itself to the CA by providing its identity information
and public key, which will be the major components of the certificate. A certificate request can be
submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to
a CA by an "out-of-band" means such as phone, disk, or email.
Online certificate request falls into manual mode and auto mode.
Submitting a certificate request in auto mode
In auto mode, an entity automatically requests a certificate from the CA server if it has no local certificate
for an application working with PKI. For example, when PKI certificate authentication is used, if no local
certificate is available during IKE negotiation, the entity automatically requests one.
To configure an entity to submit a certificate request in auto mode:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter PKI domain view.
pki domain domain-name N/A
3. Set the certificate request
mode to auto.
certificate request mode auto [ key-length key-length |
password { cipher | simple } password ] *
Manual by
default.
NOTE:
If a certificate will expire or has expired, the entity does not initiate a re-request automatically, and the
service using the certificate might be interrupted. To have a new local certificate, request one manually.
Submitting a certificate request in manual mode
In manual mode, you need to retrieve a CA certificate, generate a local RSA key pair, and submit a local
certificate request for an entity.
The goal of retrieving a CA certificate will verify the authenticity and validity of a local certificate.
Generating an RSA key pair is an important step in certificate request. The key pair includes a public key
and a private key. The private key is kept by the user. The public key is transferred to the CA along with
some other information. For more information about RSA key pair configuration, see " Managing Public
keys."
Configuratio guidelines
• If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency
between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate
and then issue the public-key local create command.