Retrieving a certificate manually
You can download CA certificates or local certificates from the CA server and save them locally. To do so, use either the offline mode or the online mode. In offline mode, you must retrieve a certificate by an out-of-band means like FTP, disk, or email, and then import it into the local PKI system.
Certificate retrieval serves the following purposes:
- Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
- Prepare for certificate verification.
Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction helps avoid inconsistency between the certificate and the registration information that results from configuration changes. To retrieve a new CA certificate, first use the pki delete-certificate command to delete the existing CA certificate and the local certificate.
Be sure that the device system time falls in the validity period of the certificate so that the certificate is valid.
To retrieve a certificate manually:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Retrieve a certificate manually. | | Use either command. The pki retrieval-certificate configuration is not saved in the configuration file. |
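The requirement that the device system time fall within the certificate's validity period can be checked on a workstation before an offline import. The following is an added example, not part of the vendor documentation: it assumes the validity dates were printed by `openssl x509 -noout -dates` for the certificate file obtained out-of-band, and the function names, the 30-day warning threshold and the sample dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Date format printed by `openssl x509 -noout -dates` (assumed source of the input).
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from notBefore=/notAfter= lines."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with an extra space; normalise whitespace.
            stamp = datetime.strptime(" ".join(value.split()), OPENSSL_FMT)
            found[key] = stamp.replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("expected both notBefore= and notAfter= lines")
    if found["notBefore"] >= found["notAfter"]:
        raise ValueError("notBefore is not earlier than notAfter")
    return found["notBefore"], found["notAfter"]

def check_device_time(device_time, not_before, not_after, warn=timedelta(days=30)):
    """Classify the certificate as the device would see it at device_time (UTC)."""
    if device_time < not_before:
        return "not-yet-valid"   # device clock is behind the start of the validity period
    if device_time > not_after:
        return "expired"
    if not_after - device_time <= warn:
        return "expiring-soon"   # still valid, but a replacement should be planned
    return "valid"

# Constructed sample input, not taken from a real certificate.
SAMPLE_DATES = """notBefore=Mar  5 00:00:00 2024 GMT
notAfter=Mar  5 00:00:00 2026 GMT"""

if __name__ == "__main__":
    nb, na = parse_validity(SAMPLE_DATES)
    for label, now in [
        ("device clock far in the past", datetime(2000, 1, 1, tzinfo=timezone.utc)),
        ("device clock set correctly", datetime(2025, 1, 1, tzinfo=timezone.utc)),
        ("close to expiry", datetime(2026, 2, 20, tzinfo=timezone.utc)),
        ("after expiry", datetime(2026, 3, 6, tzinfo=timezone.utc)),
    ]:
        print(f"{label}: {check_device_time(now, nb, na)}")
```

Pass the device's current system time, converted to UTC, as `device_time`; a `not-yet-valid` result points at the device clock rather than at the certificate.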