R0106-HP MSR Router Series Security Configuration Guide(V7)

Requesting a certificate
To request a certificate, a PKI entity must provide its identity information and public key to a CA.
A certificate request can be submitted to a CA in offline or online mode.
Offline mode—A certificate request is submitted by using an out-of-band method, such as phone,
disk, or email. You can use this mode as required or if you fail to request a certificate in online
mode.
To submit a certificate request in offline mode:
a. Use pki request-certificate domain domain-name pkcs10 to print the PKCS#10 request on the
terminal, or use pki request-certificate domain domain-name pkcs10 filename filename to save
the request to a local file.
b. Send the printed information or the saved file to the CA by using an out-of-band method to
submit the request.
Online mode—A certificate request is submitted to the CA over the network, either automatically or
manually. The rest of this section describes the online request mode.
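The offline (PKCS#10) flow above, shown end to end as an added Comware V7 CLI example that is not taken from the guide. The device name, the entity and domain names, the key name, the request file name and the file names of the certificates the CA returns are all assumptions; the out-of-band exchange with the CA is represented by comment lines.

```text
<Router> system-view
# Identity information that goes into the request (assumed entity name and CN)
[Router] pki entity en1
[Router-pki-entity-en1] common-name router1.example.com
[Router-pki-entity-en1] quit
# PKI domain in manual mode: the request is not sent to a CA over the network
[Router] pki domain offline-dom
[Router-pki-domain-offline-dom] certificate request entity en1
[Router-pki-domain-offline-dom] certificate request mode manual
[Router-pki-domain-offline-dom] public-key rsa general name keyA length 2048
[Router-pki-domain-offline-dom] quit
# Generate the key pair the request will carry (same name as referenced in the domain)
[Router] public-key local create rsa name keyA
# Install the CA certificate first; it was obtained out of band as ca.pem (assumed name)
[Router] pki import domain offline-dom pem ca filename ca.pem
# Write the PKCS#10 request to a file instead of the terminal
[Router] pki request-certificate domain offline-dom pkcs10 filename router1.req
# --- Out of band: copy router1.req to the CA operator (disk, email, etc.).
# --- The CA verifies the request's subject and public key, signs it, and
# --- returns the local certificate as router1.pem (assumed name).
[Router] pki import domain offline-dom pem local filename router1.pem
# Verify that the imported certificate matches key pair keyA and is valid
[Router] display pki certificate domain offline-dom local
```

Importing the CA certificate before the local certificate matters: the device validates the returned local certificate against the CA certificate in the same domain, so an import into a domain with no CA certificate cannot be checked. Do not destroy or regenerate keyA after the request has been issued, or the returned certificate will no longer match the key on the device.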
Configuring automatic certificate request
IMPORTANT:
If an automatically requested certificate will soon expire or has expired, the entity does not initiate a
re-request to the CA automatically, and the applications using the certificate might be interrupted.
In auto request mode, a PKI entity automatically submits a certificate request to the CA when an
application that relies on the PKI entity needs a local certificate but none exists. For example, when IKE
negotiation uses a digital signature for identity authentication but no local certificate is available, the
entity automatically submits a certificate request, obtains the certificate from the CA, and saves it
locally.
A CA certificate must be present before you request a local certificate. If no CA certificate exists in the PKI
domain, the PKI entity automatically obtains a CA certificate before sending a certificate request.
Configuration guidelines
Make sure the system time is synchronized with the CA server. Otherwise, the certificate request
process might fail because the certificate might be regarded out of the validity period. For
information about how to change the system time, see Fundamentals Configuration Guide.
If a local certificate exists, do not use the public-key local create or public-key local destroy
command to generate or destroy a key pair with the same name as the key pair in the existing local
certificate. Otherwise, the existing local certificate becomes unavailable. To request a new local
certificate, use the pki delete-certificate command to remove the existing local certificate, and then
use the public-key local create or public-key local destroy command to generate a new key pair or
destroy the key pair associated with the original local certificate.
Configuration procedure
To configure automatic certificate request:
Step                          Command                    Remarks
1. Enter system view.         system-view                N/A
2. Enter PKI domain view.     pki domain domain-name     N/A
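An automatic request configuration in context, as an added Comware V7 CLI example that is not taken from the guide. It goes beyond the two steps visible above: the entity and domain names, the key name, the SCEP enrollment URL, the CA identifier, the challenge password and the NTP server address are all assumptions, as is the choice to enroll through an RA.

```text
<Router> system-view
# Guideline: keep the clock in sync with the CA, or the request may be rejected
# as outside the certificate's validity period (assumed NTP server address)
[Router] ntp-service enable
[Router] ntp-service unicast-server 192.0.2.10
# Identity information for the request (assumed entity name and CN)
[Router] pki entity en2
[Router-pki-entity-en2] common-name vpn-gw1.example.com
[Router-pki-entity-en2] quit
[Router] pki domain auto-dom
# Name of the CA as it identifies itself, and the SCEP URL it enrolls through (assumed)
[Router-pki-domain-auto-dom] ca identifier myca
[Router-pki-domain-auto-dom] certificate request url http://ca.example.com:8080/certsrv/mscep/mscep.dll
[Router-pki-domain-auto-dom] certificate request from ra
[Router-pki-domain-auto-dom] certificate request entity en2
# Key pair the request will carry; created on demand in auto mode if it does not exist
[Router-pki-domain-auto-dom] public-key rsa general name keyB length 2048
# Auto mode with the challenge password the CA expects (assumed value)
[Router-pki-domain-auto-dom] certificate request mode auto password simple Ch4ll3nge
[Router-pki-domain-auto-dom] quit
# Nothing is requested yet. The first application that needs a local certificate in
# this domain (for example, an IKE profile using signature authentication) triggers
# the CA certificate retrieval and the local certificate request.
# After that trigger, confirm the result:
[Router] display pki certificate domain auto-dom local
```

Two practical checks follow from the guidelines above. First, the IMPORTANT note applies here: once the local certificate in auto-dom approaches expiry, the device will not renew it on its own, so monitor the validity dates shown by display pki certificate and plan a re-request (delete the old certificate with pki delete-certificate, then let the next application trigger enrollment). Second, the challenge password is stored in the configuration; prefer the cipher form over simple in a saved configuration that may be copied or shared.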