Manually submitting a certificate request in offline mode

About certificate request submission in offline mode

Use this method if the CA does not support SCEP or if a network connection between the device and CA is not possible.

Procedure

  1. Enter system view.

    system-view

  2. Enter PKI domain view.

    pki domain domain-name

  3. Set the certificate request mode to manual.

    certificate request mode manual

    By default, the manual request mode applies.

  4. Return to system view.

    quit

  5. Obtain the CA certificate.

    See "Obtaining certificates."

    This step is required if the PKI domain does not have a CA certificate. The CA certificate is used to verify the authenticity and validity of the obtained local certificate.

  6. Print the certificate request in PKCS10 format on the terminal or save the certificate request to a PKCS10 file.

    pki request-certificate domain domain-name pkcs10 [ filename filename ]

    This command is not saved in the configuration file.

  7. Transfer certificate request information to the CA by using an out-of-band method.

  8. Transfer the issued local certificate from the CA to the local device by using an out-of-band method.

  9. Import the local certificate to the PKI domain.

    pki import domain domain-name { der local filename filename | p12 local filename filename | pem local [ filename filename ] }
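
The following checks can be run on an administrator workstation between steps 8 and 9. They confirm that the certificate returned out of band carries the public key from the PKCS10 request and verifies against the CA certificate. This is an added example, not part of the original documentation; it assumes OpenSSL and PEM-encoded files, and all file names, subjects, and keys in it are constructed.

```shell
#!/bin/sh
# Added example: pre-import checks on an admin workstation with OpenSSL.
# Assumes PEM files; all file names and subjects here are constructed.

# Succeeds only if the CSR is intact, the certificate carries the CSR's
# public key, and the certificate verifies against the CA certificate.
check_issued_cert() {  # $1 = CSR, $2 = issued certificate, $3 = CA certificate
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR signature invalid"; return 1; }
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ] ||
        { echo "public key mismatch"; return 1; }
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
        { echo "not issued by this CA"; return 1; }
    echo "ok"
}

# Constructed fixtures standing in for the device's PKCS10 request and the
# CA's reply (on a real device the private key never leaves the device).
make_fixtures() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=device1" \
        -keyout "$1/dev.key" -out "$1/dev.csr" 2>/dev/null
    openssl x509 -req -in "$1/dev.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/dev.crt" 2>/dev/null
    # Same key, but self-signed rather than issued by the CA.
    openssl req -x509 -key "$1/dev.key" -days 1 -subj "/CN=device1" \
        -out "$1/rogue.crt" 2>/dev/null
    # A request generated from a different key pair.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=device1" \
        -keyout "$1/other.key" -out "$1/other.csr" 2>/dev/null
}

tmp=$(mktemp -d)
make_fixtures "$tmp"
check_issued_cert "$tmp/dev.csr" "$tmp/dev.crt" "$tmp/ca.crt"
```

In real use, pass the saved PKCS10 file, the certificate received from the CA, and the CA certificate obtained in step 5 to `check_issued_cert`, and import only when it prints `ok`.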