R2511-HP MSR Router Series Security Configuration Guide(V5)
Step: 3. Set the certificate request mode to auto.
Command: certificate request mode auto [ key-length key-length | password { cipher | simple } password | before-expire num-days [ regenerate ] ] *
Remarks:
By default, the manual request mode applies.
Specify the num-days argument in the command to enable an entity to request a new certificate the specified number of days before the current certificate expires.
If the before-expire keyword is specified but the regenerate keyword is not specified, an entity uses the old RSA key pair for the certificate renewal request.
If both the before-expire and regenerate keywords are specified, an entity generates a new RSA key pair each time it submits a certificate renewal request. The new RSA key pair overwrites the old one, which might interrupt other services that are using the old RSA key pair. Therefore, HP recommends that you use the public-key rsa general name command to designate a specific RSA key pair for this purpose.

Step: 4. Specify an RSA key pair for certificate request.
Command: public-key rsa general name key-name
Remarks:
Optional.
In auto request mode, when an entity is triggered to submit a certificate request, the entity automatically generates an RSA key pair with the specified name.
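The remarks for steps 3 and 4 can be checked against saved configurations. The following is an added example, not part of the HP guide: a Python audit that flags PKI domains combining before-expire and regenerate without a dedicated key pair. The sample configuration, the domain and key names, and the "#"-separated, indented layout of the configuration text are assumptions.

```python
import re

# Constructed sample in the style of a saved configuration; domain and key
# names are hypothetical, and the "#"-separated, indented layout is assumed.
SAMPLE_CONFIG = """\
#
pki domain branch-a
 certificate request mode auto before-expire 30 regenerate
#
pki domain branch-b
 certificate request mode auto key-length 2048 before-expire 30 regenerate
 public-key rsa general name branch-b-renewal
#
pki domain branch-c
 certificate request mode auto before-expire 14
#
pki domain branch-d
#
"""

def classify(mode, key_name):
    """Map one domain's settings onto the cases in the step 3 remarks."""
    if not mode or mode[0] != "auto":
        return "manual"                    # default request mode
    if "before-expire" not in mode:
        return "auto-no-renewal"
    if "regenerate" not in mode:
        return "renew-reuses-key"          # old RSA key pair is reused
    if key_name:
        return "regenerate-dedicated-key"  # the arrangement HP recommends
    return "REVIEW-regenerate-overwrites-key"

def audit_pki_domains(config_text):
    """Return {domain: finding} for every 'pki domain' section."""
    domains, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"pki domain (\S+)$", line)
        if m:
            current = m.group(1)
            domains[current] = {"mode": None, "key_name": None}
        elif not raw.startswith((" ", "\t")):
            current = None  # "#" or another top-level command closes the section
        elif current and line.startswith("certificate request mode "):
            domains[current]["mode"] = line.split()[3:]
        elif current and line.startswith("public-key rsa general name "):
            domains[current]["key_name"] = line.split()[-1]
    return {name: classify(d["mode"], d["key_name"]) for name, d in domains.items()}
```

Domains reported as REVIEW-regenerate-overwrites-key are the ones where a renewal can replace an RSA key pair that other services still use.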
Manually requesting a certificate
In manual mode, you must submit a local certificate request for an entity. Before the request, you must
retrieve a CA certificate and generate a key pair for the PKI domain.
The CA certificate in the PKI domain is used to verify the authenticity and validity of a local certificate.
Generating a key pair is an important step in certificate request. The key pair includes a public key and
a private key. The private key is kept by the user. The public key is transferred to the CA along with some
other information. For more information about RSA key pair configuration, see "Managing public keys."
Configuration guidelines
• If a PKI domain already has a local certificate, creating an RSA key pair might result in
inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the
local certificate and then execute the public-key local create command. For more information about
the public-key local create command, see Security Command Reference.










