HP VPN Firewall Appliances VPN Configuration Guide
Step 5. Retrieve a CA certificate manually.
    Command: See "Retrieving a certificate manually"
    Remarks: N/A
Step 6. Generate a local RSA key pair.
    Command: public-key local create rsa
    Remarks: No local RSA key pair exists by default.
Step 7. Submit a local certificate request manually.
    Command: pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]
    Remarks: This command is not saved in the configuration file.

NOTE: In FIPS mode, you cannot import an MD5 certificate.
Retrieving a certificate manually
You can download CA certificates, local certificates, or peer entity certificates from the CA server and save them locally. To do so, use either the offline mode or the online mode. In offline mode, you must retrieve the certificate by an out-of-band means such as FTP, disk, or email, and then import it into the local PKI system.

Certificate retrieval serves the following purposes:
• Locally store the certificates associated with the local security domain for improved query efficiency and a reduced query count.
• Prepare for certificate verification.

Before retrieving a local certificate in online mode, be sure to complete the LDAP server configuration.

If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and the local certificate first.

Be sure that the device system time falls within the validity period of the certificate so that the certificate is valid.
To retrieve a certificate manually:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Retrieve a certificate manually.
    Command (online mode): pki retrieval-certificate { ca | local } domain domain-name
    Command (offline mode): pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]
    Remarks: Use either command. The pki retrieval-certificate configuration is not saved in the configuration file.
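The following CLI session is an added example and is not taken from this guide; it strings together steps 5 through 7 of the manual enrollment procedure and the manual retrieval commands above in the order a practitioner would type them. The PKI domain name branch1, the file names ca.pem, branch1-req.txt and branch1-local.pem, and the use of display clock, pki domain and display pki certificate to check the device time and the result are assumptions for illustration; only the commands shown in the tables above are confirmed by this page. Lines beginning with # are annotations, not commands.

```text
# Added example, not from the guide. Assumed domain name: branch1.
# Check that the device time falls within the certificate validity period
# before retrieving anything; an out-of-range clock makes a valid certificate fail.
<Device> display clock
<Device> system-view

# Assumed: the PKI domain branch1 already exists with its entity, CA identifier
# and (for online mode) LDAP server configured.
[Device] pki domain branch1
[Device-pki-domain-branch1] quit

# Step 6: generate the local RSA key pair (none exists by default).
[Device] public-key local create rsa

# Step 5, online mode: retrieve the CA certificate for the domain.
# This configuration is not saved in the configuration file.
[Device] pki retrieval-certificate ca domain branch1

# Step 5, offline mode alternative: the CA certificate was copied to the device
# out of band (FTP, disk, or email) as ca.pem and is imported locally instead.
# In FIPS mode an MD5-signed certificate cannot be imported.
[Device] pki import-certificate ca domain branch1 pem filename ca.pem

# Step 7: build the PKCS#10 request for the local certificate and write it to a
# file for offline submission to the CA. Not saved in the configuration file.
[Device] pki request-certificate domain branch1 pkcs10 filename branch1-req.txt

# After the CA issues the certificate and it is copied back as branch1-local.pem:
[Device] pki import-certificate local domain branch1 pem filename branch1-local.pem

# Assumed: verify what the domain now holds.
[Device] display pki certificate ca domain branch1
[Device] display pki certificate local domain branch1

# Replacing the CA certificate later: a domain that already has a CA certificate
# cannot retrieve another one, so delete the local and CA certificates first.
[Device] pki delete-certificate local domain branch1
[Device] pki delete-certificate ca domain branch1
[Device] pki retrieval-certificate ca domain branch1
```

Because pki retrieval-certificate and pki request-certificate are not saved in the configuration file, reloading the appliance does not replay them; only the imported or retrieved certificates themselves persist, which is why the session ends with the display commands to confirm the stored result rather than relying on the running configuration.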