Retrieving a certificate manually

You can download CA certificates or local certificates from the CA server and save them locally. To do so, use either the offline mode or the online mode. In offline mode, you must retrieve a certificate by an out-of-band means like FTP, disk, or email, and then import it into the local PKI system.

Certificate retrieval serves the following purposes:

Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.

If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and the local certificate first.

Be sure that the device system time falls in the validity period of the certificate so that the certificate is valid.

To retrieve a certificate manually:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Retrieve a certificate manually.
  Command (use either):
  • In online mode: pki retrieval-certificate { ca | local } domain domain-name
  • In offline mode: pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]
  Remarks: Use either command. The pki retrieval-certificate configuration is not saved in the configuration file.
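The procedure above as a complete console session, added here as an illustration and not taken from the product documentation. The domain name example-domain, the file names ca.pem and local.pem and the Device prompt are constructed; the pki delete-certificate syntax is assumed to follow the same { ca | local } domain domain-name pattern as the two commands in the table.

```console
# Offline mode: ca.pem and local.pem were copied to the device storage out of
# band (for example by FTP). Lines starting with # are annotations, not output.
<Device> system-view
# A domain that already holds a CA certificate cannot retrieve another one, so
# clear the existing local and CA certificates first (syntax assumed, see above).
[Device] pki delete-certificate local domain example-domain
[Device] pki delete-certificate ca domain example-domain
# Import the CA certificate, then the local certificate, both in PEM format.
# The device system time must fall inside each certificate's validity period.
[Device] pki import-certificate ca domain example-domain pem filename ca.pem
[Device] pki import-certificate local domain example-domain pem filename local.pem

# Online mode instead: fetch the certificates from the CA server. The LDAP
# server must already be configured. Note that pki retrieval-certificate is not
# saved in the configuration file, so it will not appear in a saved config.
[Device] pki retrieval-certificate ca domain example-domain
[Device] pki retrieval-certificate local domain example-domain
```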