HP MSR2000/3000/4000 Router Series Security Configuration Guide
Manually requesting a certificate
IMPORTANT:
Before you manually request a certificate, make sure the system time of the device is synchronized with the CA server. Otherwise, the device might fail to request the certificate because it regards the certificate as being outside its validity period. For information about how to change the system time, see Fundamentals Configuration Guide.
Before you manually submit a certificate request, make sure the CA certificate exists and a key pair is specified for the PKI domain:
• The CA certificate is used to verify the authenticity and validity of the obtained local certificate.
• The key pair is used for the certificate request. Upon receiving the public key and the identity information, the CA signs and issues a certificate.
After the CA issues the certificate, the device obtains and saves it locally.
Configuration guidelines
• A PKI domain can have local certificates using only one type of cryptographic algorithm (DSA or RSA). If DSA is used, a PKI domain can have only one local certificate. If RSA is used, a PKI domain can have one local certificate for signature and one for encryption.
• If a local certificate exists, do not request a certificate that conflicts with the existing one in online mode, and do not use the public-key local create or public-key local destroy command to generate or destroy a key pair with the same name as the key pair in the existing local certificate. Otherwise, the existing local certificate becomes unavailable. To request a new local certificate, first use the pki delete-certificate command to remove the existing local certificate, and then use the public-key local create or public-key local destroy command to generate a new key pair or destroy the key pair associated with the original local certificate.
Configuration procedure
To manually request a certificate:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter PKI domain view.
   Command: pki domain domain-name
   Remarks: N/A
3. Set the certificate request mode to manual.
   Command: certificate request mode manual
   Remarks: By default, the manual request mode applies.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Obtain the CA certificate.
   Command: See "Obtaining certificates."
   Remarks: N/A
6. Submit a certificate request or generate a certificate request in PKCS#10 format.
   Command: pki request-certificate domain domain-name [ password password ] [ pkcs10 [ filename filename ] ]
   Remarks: This command is not saved in the configuration file. Executing the command triggers the PKI entity to automatically generate a key pair according to the key name, algorithm, and length defined in the PKI domain if the key pair specified in the PKI domain does not exist.
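The following session is an added worked example and is not part of the HP guide. It runs the procedure above end to end on a Comware 7 MSR router, in fully offline (PKCS#10 file) mode, and finishes with the certificate-replacement case from the configuration guidelines. The host name msr-gw01, PKI domain corp-pki, key pair corp-rsa, CA server 192.0.2.10 and the file names are assumptions. Commands that do not appear on this page (pki entity and its subcommands, ca identifier, certificate request entity, public-key rsa general, pki import-certificate, tftp, display pki certificate, pki delete-certificate, public-key local destroy) are written from Comware 7 syntax and should be confirmed with "?" on your release.

```text
# Added example, not from the HP guide. Assumed names: host msr-gw01, PKI domain
# corp-pki, RSA key pair corp-rsa, CA server 192.0.2.10, files corpca.pem,
# msr-gw01.p10, msr-gw01.pem. Lines starting with # are comments, not CLI input.

# 0. The device clock must agree with the CA, or the issued certificate is
#    rejected as outside its validity period (see IMPORTANT above).
<msr-gw01> display clock
<msr-gw01> system-view

# 1. Identity that goes into the subject of the request.
[msr-gw01] pki entity msr-gw01
[msr-gw01-pki-entity-msr-gw01] common-name msr-gw01
[msr-gw01-pki-entity-msr-gw01] organization Example Corp
[msr-gw01-pki-entity-msr-gw01] country US
[msr-gw01-pki-entity-msr-gw01] quit

# 2. PKI domain: one algorithm only (RSA here), a named key pair, manual mode.
#    The key pair need not exist yet: pki request-certificate creates it from
#    this name, algorithm and length if it is missing.
[msr-gw01] pki domain corp-pki
[msr-gw01-pki-domain-corp-pki] ca identifier CorpCA
[msr-gw01-pki-domain-corp-pki] certificate request entity msr-gw01
[msr-gw01-pki-domain-corp-pki] public-key rsa general name corp-rsa length 2048
[msr-gw01-pki-domain-corp-pki] certificate request mode manual
[msr-gw01-pki-domain-corp-pki] quit

# 3. The CA certificate must be in the domain before any local request.
#    Here it is imported from a file copied to the device out of band.
[msr-gw01] pki import-certificate domain corp-pki ca pem filename corpca.pem

# 4. Generate the PKCS#10 request as a file instead of submitting it online.
#    This command is not saved in the configuration file.
[msr-gw01] pki request-certificate domain corp-pki pkcs10 filename msr-gw01.p10

# 5. Carry the request to the CA, have it signed, and bring the issued
#    certificate back (any file transfer method works; TFTP shown for brevity).
[msr-gw01] tftp 192.0.2.10 put msr-gw01.p10
[msr-gw01] tftp 192.0.2.10 get msr-gw01.pem

# 6. Install and verify the issued local certificate.
[msr-gw01] pki import-certificate domain corp-pki local pem filename msr-gw01.pem
[msr-gw01] display pki certificate domain corp-pki local

# Replacing the certificate later, in the order the guidelines require:
# delete the existing local certificate first, only then touch the key pair
# that carries its name, then request again.
[msr-gw01] pki delete-certificate domain corp-pki local
[msr-gw01] public-key local destroy rsa name corp-rsa
[msr-gw01] pki request-certificate domain corp-pki pkcs10 filename msr-gw01-new.p10
```

Before signing, inspect the request on the CA side with openssl req -in msr-gw01.p10 -noout -text -verify: the self-signature must verify, and the subject and 2048-bit RSA key should match what the domain was configured with. After the import, compare the Not Before and Not After fields shown by display pki certificate with display clock; a skewed clock is the usual reason a freshly issued certificate is refused.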