R2511-HP MSR Router Series Security Configuration Guide(V5)

A newly created key pair will overwrite the existing one. If you perform the public-key local create
command in the presence of a local RSA key pair, the system will ask you whether you want to
overwrite the existing one.
If a PKI domain already has a local certificate, you cannot request another certificate for it. This
helps avoid inconsistency between the certificate and the registration information resulting from
configuration changes. Before requesting a new certificate, use the pki delete-certificate command
to delete the existing local certificate and the CA certificate stored locally.
When it is impossible to request a certificate from the CA through SCEP, you can print the request
information or save the request information to a local file, and then send the printed information or
saved file to the CA by an out-of-band means. To print the request information, use the pki
request-certificate domain command with the pkcs10 keyword. To save the request information to
a local file, use the pki request-certificate domain command with the pkcs10 filename filename
option.
Make sure the system time of the router is synchronized with the CA server. Otherwise, the router
might fail to request the certificate, because an incorrect system time causes the router to misjudge
the certificate's validity period.
In FIPS mode, MD5 certificates cannot be imported.
Configuration procedure
To submit a certificate request in manual mode:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter PKI domain view. | pki domain domain-name | N/A
3. Set the certificate request mode to manual. | certificate request mode manual | Optional. Manual by default.
4. Return to system view. | quit | N/A
5. Retrieve a CA certificate manually. | See "Retrieving a certificate manually" | N/A
6. Generate a local RSA key pair. | public-key local create rsa | No local RSA key pair exists by default. In FIPS mode, the RSA key pair length is 2048 bits.
7. Submit a local certificate request manually. | pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ] | N/A. This command is not saved in the configuration file.
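As an added example that is not part of this guide: once the request has been saved with the pkcs10 filename option and copied off the router, the shell function below checks it on the operator's workstation before it is sent to the CA out of band. It assumes the openssl command-line tool is installed there; the function name and the 2048-bit default are this example's own choices, the latter matching the FIPS-mode key length stated above.

```shell
# check_pkcs10 FILE [MIN_BITS] -> returns 0 if the saved PKCS#10 request is
# acceptable, 1 otherwise. Example code, not from the HP guide; needs openssl.
check_pkcs10() {
  req="$1"
  min_bits="${2:-2048}"     # default matches the router's FIPS-mode RSA key length

  # 1. The file must parse as a PKCS#10 request and its self-signature must
  #    verify, so a corrupt or tampered copy is caught before it reaches the CA.
  if ! openssl req -in "$req" -noout -verify >/dev/null 2>&1; then
    echo "check_pkcs10: $req: not a valid PKCS#10 request or bad self-signature" >&2
    return 1
  fi

  text=$(openssl req -in "$req" -noout -text 2>/dev/null)

  # 2. Key length, taken from the "Public-Key: (N bit)" line of the decoded request.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
  if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
    echo "check_pkcs10: $req: key length ${bits:-unknown} is below $min_bits bits" >&2
    return 1
  fi

  # 3. Hash used for the request's own signature. A request signed with MD5
  #    points at an MD5 setup on the device, and the guide states that MD5
  #    certificates cannot be imported in FIPS mode, so flag it early.
  sig=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Signature Algorithm: //p' | head -n 1)
  case "$sig" in
    *[mM][dD]5*)
      echo "check_pkcs10: $req: MD5-based signature algorithm ($sig)" >&2
      return 1 ;;
  esac

  echo "check_pkcs10: $req: OK ($bits-bit key, $sig)"
  return 0
}
```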
Retrieving a certificate manually
You can download CA certificates or local certificates from the CA server and save them locally. To do
so, use either the offline mode or the online mode. In offline mode, you must retrieve a certificate by an
out-of-band means like FTP, disk, or email, and then import it into the local PKI system.
Certificate retrieval serves the following purposes:
Locally store the certificates associated with the local security domain for improved query efficiency
and reduced query count.