Restrictions and guidelines for certificate request configuration
When you request a local certificate in a PKI domain, follow these restrictions and guidelines:
To prevent an existing local certificate from becoming invalid, do not perform the following tasks:
Create a key pair with the same name as the key pair contained in the certificate.
To create a key pair, use the public-key local create command.
Destroy the key pair contained in the certificate.
To destroy a key pair, use the public-key local destroy command.
To manually request a new certificate in a PKI domain that already has a local certificate, use the following procedure:
Use the pki delete-certificate command to delete the existing local certificate.
Use the public-key local create command to generate a new key pair.
Manually submit a certificate request.
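The restriction above exists because a certificate is bound to the public key of one specific key pair: if the device regenerates (or destroys) the key pair under the same name, the private key no longer corresponds to the certificate and the certificate becomes unusable, which is why the procedure deletes the old certificate first and then requests a new one for the new key pair. The following added example (not from the vendor page, and using OpenSSL in a temporary directory in place of the device's public-key local create and pki commands) reproduces that failure mode and shows the check a practitioner can run to confirm whether a key pair still matches a certificate. It assumes openssl is on PATH; the key name router-key and the subject CN are constructed values.

```shell
#!/bin/sh
# Added example: why re-creating a key pair under the name bound to an existing
# certificate invalidates that certificate. Assumption: openssl is on PATH.

# key_matches_cert KEYFILE CERTFILE
# Returns 0 when the certificate's public key equals the key pair's public key
# (both compared as PEM SubjectPublicKeyInfo), non-zero otherwise.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# demo_key_regeneration
# Returns 0 when the scenario behaves as the page describes: the certificate
# matches the original key pair, and no longer matches after the key pair is
# re-created under the same name.
demo_key_regeneration() {
    d=$(mktemp -d) || return 1

    # Step 1: create key pair "router-key" (constructed name) and a certificate
    # bound to it. A self-signed certificate stands in for the CA-issued one.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/router-key.pem" 2>/dev/null || { rm -rf "$d"; return 1; }
    openssl req -new -x509 -key "$d/router-key.pem" \
        -subj "/CN=router.example.test" -days 30 \
        -out "$d/router.crt" 2>/dev/null || { rm -rf "$d"; return 1; }
    key_matches_cert "$d/router-key.pem" "$d/router.crt" || { rm -rf "$d"; return 1; }

    # Step 2: re-create a key pair under the same name, which is exactly what
    # the page says not to do while the certificate is still in use.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/router-key.pem" 2>/dev/null || { rm -rf "$d"; return 1; }

    # The certificate still exists but no longer corresponds to the private
    # key the device holds, so it is invalid for signing or decryption.
    if key_matches_cert "$d/router-key.pem" "$d/router.crt"; then
        rm -rf "$d"
        return 1
    fi

    rm -rf "$d"
    return 0
}

# Run stand-alone: prints the outcome of the scenario.
if demo_key_regeneration; then
    echo "certificate no longer matches the regenerated key pair (as expected)"
else
    echo "unexpected result; check that openssl is available"
fi
```

The same key_matches_cert comparison is the check to run before deleting anything: if the key pair and certificate still match, the certificate is usable and the procedure above (delete the certificate, generate a new key pair, submit a new request) is only needed when you actually intend to roll the key.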
A PKI domain can have local certificates using only one type of cryptographic algorithm (DSA, ECDSA, or RSA). If DSA or ECDSA is used, a PKI domain can have only one local certificate. If RSA is used, a PKI domain can have one local certificate for signature and one local certificate for encryption.