Enabling the automatic online certificate request mode

About automatic online certificate request mode

In auto request mode, a PKI entity with no local certificates automatically submits a certificate request to the CA when an application works with the PKI entity. For example, when IKE negotiation uses a digital signature for identity authentication, but no local certificate is available, the entity automatically submits a certificate request. After obtaining the certificate from the CA, the entity saves it locally.

A CA certificate must be present before you request a local certificate. If no CA certificate exists in the PKI domain, the PKI entity automatically obtains a CA certificate before sending a certificate request.

Restrictions and guidelines

In auto request mode, the device does not automatically request a new certificate if the current certificate is about to expire or has expired, which might cause service interruptions.
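Because the device does not renew on its own, expiry has to be tracked outside the device. The following is an added example, not part of the original documentation: it classifies a certificate from its text dump, assuming the dump carries an OpenSSL-style "Not After :" line. The function names, the 30-day warning window and the sample text are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# OpenSSL-style validity line; assumed to match the certificate text being checked.
NOT_AFTER = re.compile(
    r"Not After\s*:\s*(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+GMT")

def not_after(cert_text):
    """Return the certificate's notAfter as an aware UTC datetime."""
    m = NOT_AFTER.search(cert_text)
    if m is None:
        raise ValueError("no 'Not After' line found")
    stamp = " ".join(m.group(1).split())  # collapse the space-padded day field
    parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)

def expiry_status(cert_text, now, warn_days=30):
    """Classify as 'expired', 'expiring' (inside the warning window) or 'ok'."""
    end = not_after(cert_text)
    if now >= end:
        return "expired"
    if end - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"

# Constructed sample, not captured from a device.
SAMPLE = """\
Certificate:
    Data:
        Validity
            Not Before: Mar  1 00:00:00 2024 GMT
            Not After : Mar  1 00:00:00 2025 GMT
        Subject: CN=router1
"""

if __name__ == "__main__":
    # Anything other than "ok" means a new request must be submitted manually.
    print(expiry_status(SAMPLE, datetime.now(timezone.utc)))
```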

Procedure

  1. Enter system view.

    system-view

  2. Enter PKI domain view.

    pki domain domain-name

  3. Enable the automatic online certificate request mode.

    certificate request mode auto [ password { cipher | simple } string ]

    By default, the manual request mode applies.

    If the CA policy requires a password for certificate revocation, specify the password in this command.