R0106-HP MSR Router Series Security Configuration Guide(V7)

3. Set the certificate request mode to auto.
   Command: certificate request mode auto [ password { cipher | simple } password ]
   Remarks: By default, the manual request mode applies.
            In auto request mode, set a password for certificate revocation if the CA policy
            requires the password.
Manually requesting a certificate
IMPORTANT:
Before you manually request a certificate, make sure the system time of the device is synchronized with the
CA server. Otherwise, the device might fail to request the certificate because it regards the certificate as
out of the validity period. For information about how to change the system time, see Fundamentals
Configuration Guide.
Before you manually submit a certificate request, make sure the CA certificate exists and a key pair is
specified for the PKI domain:
• The CA certificate is used to verify the authenticity and validity of the obtained local certificate.
• The key pair is used for certificate request. Upon receiving the public key and the identity
  information, the CA signs and issues a certificate.

After the CA issues the certificate, the device obtains and saves it locally.
Configuration guidelines
• A PKI domain can have local certificates that use only one type of cryptographic algorithm (DSA or
  RSA). If DSA is used, a PKI domain can have only one local certificate. If RSA is used, a PKI domain
  can have one local certificate for signature, and one for encryption.
• If a local certificate exists, do not request a certificate that conflicts with the existing one in online
  mode, and do not use the public-key local create or public-key local destroy command to generate or
  destroy a key pair with the same name as the key pair in the existing local certificate. Otherwise,
  the existing local certificate becomes unavailable. To request a new local certificate, use the pki
  delete-certificate command to remove the existing local certificate and then use the public-key local
  create or public-key local destroy command to generate a new key pair or destroy the key pair
  associated with the original local certificate.
Configuration procedure
To manually request a certificate:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter PKI domain view.
   Command: pki domain domain-name
   Remarks: N/A
3. Set the certificate request mode to manual.
   Command: certificate request mode manual
   Remarks: By default, the manual request mode applies.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Obtain the CA certificate.
   Command: See "Obtaining certificates."
   Remarks: N/A