R2511-HP MSR Router Series Security Configuration Guide(V5)
Requesting a PKI certificate
When requesting a certificate, an entity introduces itself to the CA by providing its identity information
and public key, which will be the major components of the certificate. A certificate request can be
submitted to a CA in offline mode or online mode. In offline mode, a certificate request is submitted to
a CA by an "out-of-band" means such as phone, disk, or email.
An online certificate request can be made in manual mode or auto mode.
Configuring automatic certificate request
In auto mode, an entity that does not have a local certificate automatically requests a certificate from the
CA server when an application works with the PKI entity. For example, when IKE negotiation uses a
digital signature for identity authentication, but no local certificate is available, the entity automatically
submits a certificate request and saves the certificate locally after obtaining it from the CA.
A CA certificate must already exist before you request a local certificate. If no CA certificate exists in the
PKI domain, the PKI entity automatically obtains a CA certificate before sending a certificate request.
By default, if an automatically requested certificate will expire or has expired, the entity does not
automatically request a new certificate from the CA, and the services using the certificate might be
interrupted.
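Because an expiring certificate is not re-requested by default, expiry has to be watched from outside the device. The following check is an added example, not part of the original guide or of the router software: it reads certificate text in the OpenSSL-style "Not Before / Not After" layout and classifies each certificate against a warning window. The text layout, the sample data, and the names parse_expiries, classify and warn_days are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: certificate text in an OpenSSL-style layout (assumed
# format). Adjust the patterns to what your device or CA export prints.
SAMPLE = """\
Certificate:
        Validity
            Not Before: Jan  5 08:00:00 2024 GMT
            Not After : Jan  4 08:00:00 2025 GMT
        Subject: CN=router-a
Certificate:
        Validity
            Not Before: Mar  1 00:00:00 2024 GMT
            Not After : Mar  1 00:00:00 2026 GMT
        Subject: CN=router-b
"""

SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+?)\s*$", re.M)
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s+GMT\s*$", re.M)

def parse_expiries(text):
    """Return [(subject, not_after_utc)] for each certificate in the dump."""
    results = []
    for block in re.split(r"(?m)^Certificate:\s*$", text):
        after = NOT_AFTER_RE.search(block)
        if not after:
            continue  # preamble or a block without a validity section
        subj = SUBJECT_RE.search(block)
        stamp = " ".join(after.group(1).split())  # "Jan  4" -> "Jan 4"
        when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        results.append((subj.group(1) if subj else "<unknown>", when))
    return results

def classify(text, now, warn_days=30):
    """Map subject -> 'expired' | 'expiring' | 'ok' relative to `now`."""
    status = {}
    for subject, not_after in parse_expiries(text):
        left = not_after - now
        status[subject] = ("expired" if left <= timedelta(0) else
                           "expiring" if left <= timedelta(days=warn_days) else "ok")
    return status

if __name__ == "__main__":
    now = datetime(2024, 12, 20, tzinfo=timezone.utc)  # fixed for a repeatable run
    for subject, state in classify(SAMPLE, now).items():
        print(f"{subject}: {state}")
```

A certificate reported as "expiring" needs a new request submitted before services such as IKE negotiation lose their local certificate.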
To configure an entity to submit a certificate request in auto mode:
Step                        Command                   Remarks
1. Enter system view.       system-view               N/A
2. Enter PKI domain view.   pki domain domain-name    N/A










