Configuration guidelines
Before retrieving a local certificate in online mode, be sure to complete the LDAP server configuration.
If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. To retrieve a new CA certificate, first use the pki delete-certificate command to delete the existing CA certificate and the local certificate.
The configuration made by the pki retrieval-certificate command is not saved in the configuration file.
Make sure the switch's system time falls within the validity period of the certificate so that the certificate is valid.