3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

196 CHAPTER 12: PKI CONFIGURATION
Configuring Certificate Request Mode
Request mode can be manual or auto. Auto mode enables the automatic request
for a certificate through SCEP when there is none and for a new one when the old
one is about to expire. For manual mode, all the related operations need to be
carried out manually.
Perform the following configuration in PKI domain view.
By default, manual mode is selected.
Delivering a Certificate Request Manually
A certificate request is completed with the user public key and other registered
information. When all of the configuration above is complete, you can deliver the
certificate request to a PKI RA.
Perform the following configuration in any view.
CAUTION:
If a local certificate already exists, you should first delete it and all the locally stored CA certificates using the pki delete certificate command before applying for another one. Otherwise, the certificate and the registered information may become inconsistent.
If you cannot send the certificate request to the CA using SCEP, you can select the pem keyword to print out the request information, copy it, and send it to the CA out of band.
Before you deliver the certificate request, make sure the clocks of the entity and the CA are synchronized. Otherwise, faults occur in the certificate validity period.
If you use a Windows CA server to obtain a certificate, the RA identifier (also known as the DN, distinguished name) and the CA identifier must be different when you install the Windows CA server; otherwise, no CA certificate or local certificate will be obtained.
This operation will not be saved in the configuration.
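The out-of-band path in the caution above depends on the copied request arriving intact. As an added example (not from the 3Com guide), this Python code extracts the PEM block from a captured terminal session, checks that the decoded DER is complete, and computes a SHA-256 fingerprint that the device administrator and the CA operator can compare over a separate channel. The PEM marker text, the function names and the stand-in DER bytes are assumptions; the sample is constructed and is not a real PKCS#10 request.

```python
import base64
import hashlib
import re

# Assumption: the request is printed between standard PKCS#10 PEM markers.
PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)

def der_total_length(der: bytes) -> int:
    """Length the outer DER SEQUENCE header says the whole encoding has."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: length in one octet
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def extract_request(capture: str) -> bytes:
    """Return the DER bytes of the single request found in a terminal capture."""
    blocks = PEM_RE.findall(capture)
    if len(blocks) != 1:
        raise ValueError(f"expected one request block, found {len(blocks)}")
    b64 = "".join(blocks[0].split())       # drop line breaks and indentation
    der = base64.b64decode(b64, validate=True)  # stray characters raise ValueError
    if der_total_length(der) != len(der):
        raise ValueError("request truncated or padded during copy")
    return der

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER request, for comparison over a second channel."""
    return hashlib.sha256(der).hexdigest()

# Constructed stand-in: a DER SEQUENCE header over filler bytes, NOT a real request.
SAMPLE_DER = bytes([0x30, 0x81, 200]) + bytes(range(200))

def make_capture(der: bytes, drop_line=None) -> str:
    """Constructed terminal capture; drop_line simulates a line lost in copy/paste."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    if drop_line is not None:
        del lines[drop_line]
    return "\n".join(["(constructed console output)",
                      "-----BEGIN CERTIFICATE REQUEST-----", *lines,
                      "-----END CERTIFICATE REQUEST-----"])

if __name__ == "__main__":
    print(fingerprint(extract_request(make_capture(SAMPLE_DER))))
```

A dropped 64-character line still decodes as valid base64, which is why the DER length comparison is needed in addition to the base64 check.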
Retrieving a Certificate Manually
Certificate retrieval serves two purposes: to store the certificates related to the
local security domain locally, which improves query efficiency and reduces the number
of query requests to the PKI repository; and to prepare for certificate validation.
Table 203 Configure certificate request mode
Operation                            Command
Configure certificate request mode   certificate request mode { manual | auto [ key-length key-length | password { simple | cipher } password ]* }
Restore the default request mode     undo certificate request mode
Table 204 Deliver a certificate request
Operation                       Command
Deliver a certificate request   pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]