Obtaining certificates
About obtaining certificates
You can obtain the CA certificate, local certificates, and peer certificates related to a PKI domain from a CA and save them locally for higher lookup efficiency. To do so, use either the offline mode or the online mode:
In offline mode, obtain the certificates by an out-of-band means like FTP, disk, or email, and then import them locally. Use this mode when the CRL repository is not specified, the CA server does not support SCEP, or the CA server generates the key pair for the certificates.
In online mode, you can obtain the CA certificate through SCEP and obtain local certificates or peer certificates through LDAP.
Restrictions and guidelines
Follow these restrictions and guidelines when obtaining certificates from a CA:
If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to obtain a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificates first.
If local or peer certificates already exist, you can obtain new local or peer certificates to overwrite the existing ones. If RSA is used, a PKI domain can have two local certificates, one for signature and the other for encryption.
If CRL checking is enabled, obtaining a certificate triggers CRL checking. If the certificate to be obtained has been revoked, the certificate cannot be obtained.
The device compares the validity period of a certificate with the local system time to determine whether the certificate is valid. Make sure the system time of the device is synchronized with the CA server. If the device clock is behind, a freshly issued certificate is rejected as not yet valid; if it is ahead, a certificate that is still within its validity period is treated as expired.
Prerequisites
Before you obtain local or peer certificates in online mode, make sure an LDAP server is correctly configured in the PKI domain.
Before you import certificates in offline mode, complete the following tasks:
Use FTP or TFTP to upload the certificate files to the storage media of the device.
If FTP or TFTP is not available, display the contents of the certificate and copy them into a file on the device. The certificate must be in PEM format, because only PEM certificates can be imported this way; DER and PKCS#12 files must be uploaded as files.
Before you import a local certificate or peer certificate, obtain the CA certificate chain that signs the certificate.
This step is required only if the CA certificate chain is neither available in the PKI domain nor contained in the certificate to be imported.
Before you import a local certificate that contains an encrypted key pair, contact the CA administrator to obtain the password required for importing the certificate.
Procedure
Enter system view.
system-view
Obtain certificates.
Import certificates in offline mode.
pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] }
Obtain certificates in online mode.
pki retrieve-certificate domain domain-name { ca | local | peer entity-name }
This command is not saved in the configuration file.
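The import procedure accepts whatever file was uploaded or pasted, and the device then rejects it if the pasted content is not PEM or if the validity period does not match the device clock. The following Python script is an added example, not part of the original manual or of the device software: it runs on the administrator's workstation with the standard library only and performs those two prerequisite checks before the upload, converting a DER certificate to PEM and comparing the certificate's validity period with a device time supplied by the caller. The function names are this example's own, and the certificate it builds for demonstration is a constructed, unsigned sample.

```python
"""Pre-import checks for a certificate destined for a PKI domain.
Added example, not part of the original manual or the device software.
Covers two prerequisites from the text: only PEM can be pasted into the
device, and the device judges validity against its own clock."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(m.group(1).split()))

def to_pem(data: bytes) -> str:
    """Return the certificate as PEM. DER input (leading SEQUENCE tag 0x30)
    is wrapped; PEM input is re-wrapped at 64 columns."""
    if PEM_RE.search(data):
        der = _pem_to_der(data)
    elif data[:1] == b"\x30":
        der = data
    else:
        raise ValueError("not a PEM or DER certificate")
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value: bytes):
    """Yield (tag, value) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def _parse_time(tag: int, val: bytes) -> datetime:
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = val.decode("ascii")
    if tag == 0x17:                      # RFC 5280: YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity_period(der: bytes):
    """(notBefore, notAfter) from TBSCertificate = SEQ { [0] version OPT,
    serialNumber, signature, issuer, validity, subject, ... }."""
    _, cert, _ = _tlv(der, 0)
    _, tbs = next(_children(cert))
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:             # skip explicit [0] version if present
        fields = fields[1:]
    return tuple(_parse_time(t, v) for t, v in _children(fields[3][1]))

def check_validity(pem: str, device_time) -> str:
    """'valid', 'not-yet-valid' or 'expired' relative to the device clock,
    given as an aware datetime or as GeneralizedTime text 'YYYYMMDDHHMMSSZ'."""
    if isinstance(device_time, str):
        device_time = _parse_time(0x18, device_time.encode())
    not_before, not_after = validity_period(_pem_to_der(pem.encode()))
    if device_time < not_before:
        return "not-yet-valid"
    return "expired" if device_time > not_after else "valid"

def _der(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a minimal length encoding (up to 65535 bytes)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + value

def constructed_cert(not_before: str, not_after: str) -> bytes:
    """Constructed, unsigned sample certificate (structure only) so the checks
    above can run offline; takes UTCTime strings such as '240101000000Z'."""
    utc = lambda s: _der(0x17, s.encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                 # [0] version v3
        _der(0x02, b"\x01"),                              # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA
        _der(0x30, b""),                                  # issuer (empty Name)
        _der(0x30, utc(not_before) + utc(not_after)),     # validity
        _der(0x30, b""),                                  # subject
        _der(0x30, b""),                                  # subjectPublicKeyInfo (dummy)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))  # dummy signature

if __name__ == "__main__":
    pem = to_pem(constructed_cert("240101000000Z", "250101000000Z"))
    print(pem, check_validity(pem, "20240601000000Z"))
```

Feed the real certificate file to to_pem and pass the device's current system time to check_validity. A result of not-yet-valid or expired with a correct workstation clock means the certificate genuinely lies outside its period; the same result seen only on the device points at the device clock, which is the synchronization caveat under "Restrictions and guidelines".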