Submitting a certificate request in manual mode
In manual mode, you must submit a local certificate request for an entity. Before the request, you must retrieve a CA certificate or generate a key pair for the PKI domain if the domain do not have the CA certificate or the key pair.
The CA certificate in the PKI domain is used to verify the authenticity and validity of a local certificate.
Generating a key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is kept by the user. The public key is transferred to the CA along with some other information. For more information about RSA key pair configuration, see "Managing public keys."
Configuration guidelines
If a PKI domain already has a local certificate, creating an RSA key pair might result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then execute the public-key local create command (see Security Command Reference).
A newly created key pair will overwrite the existing one. If you perform the public-key local create command in the presence of a local RSA key pair, the system will ask you whether you want to overwrite the existing one.
If a PKI domain already has a local certificate, you cannot request another certificate for it. This helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. Before requesting a new certificate, use the pki delete-certificate command to delete the existing local certificate and the CA certificate stored locally.
When it is impossible to request a certificate from the CA through SCEP, you can print the request information or save the request information to a local file, and then send the printed information or saved file to the CA by an out-of-band means. To print the request information, use the pki request-certificate domain command with the pkcs10 keyword. To save the request information to a local file, use the pki request-certificate domain command with the pkcs10 filename filename option.
Make sure the clocks of the entity and the CA are synchronous. Otherwise, the validity period of the certificate will be abnormal.
The configuration made by the pki request-certificate domain command is not saved in the configuration file.
Configuration procedure
To submit a certificate request in manual mode:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter PKI domain view. | pki domain domain-name | N/A |
3. Set the certificate request mode to manual. | certificate request mode manual | Optional. Manual by default. |
4. Return to system view. | quit | N/A |
5. Retrieve a CA certificate manually. | N/A | |
6. Generate a local RSA key pair. | public-key local create rsa | No local RSA key pair exists by default. |
7. Submit a local certificate request manually. | pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ] | N/A |