Submitting A Certificate Request In Auto Mode; Submitting A Certificate Request In Manual Mode - HP 12500 Series Configuration Manual


Online certificate requests can be submitted in manual mode or auto mode.

Submitting a certificate request in auto mode

In auto mode, an entity automatically requests a certificate from the CA server if it has no local certificate
for an application working with PKI. For example, when PKI certificate authentication is used, if no local
certificate is available during IKE negotiation, the entity automatically requests one, and saves the local
certificate after retrieving it from the CA. If the PKI domain has no CA certificate before the entity submits
the certificate request, the entity automatically retrieves the CA certificate first.
If an automatically requested certificate will expire or has expired, the entity does not initiate a re-request
to the CA automatically, and the services using the certificate might be interrupted.
To configure an entity to submit a certificate request in auto mode:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter PKI domain view.
    Command: pki domain domain-name
    Remarks: N/A
Step 3. Set the certificate request mode to auto.
    Command: certificate request mode auto [ key-length key-length | password { cipher | simple } password ] *
    Remarks: Manual by default.

Submitting a certificate request in manual mode

In manual mode, you must retrieve a CA certificate, generate a local RSA key pair, and submit a local
certificate request for an entity.
The CA certificate in the PKI domain is used to verify the authenticity and validity of a local certificate.
Generating an RSA key pair is an important step in a certificate request. The key pair includes a public key
and a private key. The private key is kept by the user. The public key is transferred to the CA along with
some other identity information. For more information about RSA and ECDSA key pair configuration, see
"Managing public keys."

Configuration guidelines

• If a PKI domain already has a local certificate, creating an RSA key pair might result in
  inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the
  local certificate and then issue the public-key local create command. For more information about
  the public-key local create command, see Security Command Reference.
• When you generate a local RSA or ECDSA key pair, the new one can overwrite the existing one.
  The system prompts you for confirmation before overwriting the existing one.
• If a PKI domain already has a local certificate, do not request another certificate for it. Otherwise,
  inconsistency might exist between the certificate and the registration information when the
  configuration changes. To request a new certificate, first use the pki delete-certificate command to
  delete the existing local certificate and the local CA certificate.
• If you cannot request a certificate from the CA through SCEP, you can print the request information
  or save the request information to a local file, and then send the printed information or saved file to
  the CA by an out-of-band means. To print the request information, use the pki request-certificate
  domain command with the pkcs10 keyword. To save the request information to a local file, use the
  pki request-certificate domain command with the pkcs10 filename filename option.
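
Because an automatically requested certificate is not re-requested when it is about to expire or has expired, an external expiry check helps avoid service interruption. The following is an added example, not part of the HP manual: it parses certificate text and flags certificates that need a new request. The OpenSSL-style output layout (assumed to match the device's certificate display output), the sample text, and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the OpenSSL-style text layout assumed for the
# device's certificate display output; not captured from a real device.
SAMPLE_OUTPUT = """\
Certificate:
    Data:
        Issuer: CN=example-ca
        Validity
            Not Before: Jan  5 08:00:00 2024 GMT
            Not After : Jan  4 08:00:00 2025 GMT
        Subject: CN=router-a
"""

NOT_AFTER = re.compile(r"Not After\s*:\s*(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT")
SUBJECT = re.compile(r"Subject:\s*(.+)")

def parse_certs(text):
    """Return (subject, not_after) for each certificate block in the text."""
    certs = []
    for block in re.split(r"(?m)^Certificate:\s*$", text)[1:]:
        end = NOT_AFTER.search(block)
        subj = SUBJECT.search(block)
        if not end:
            continue  # no validity field found: skip rather than guess
        # Collapse the double space used to pad single-digit days.
        stamp = " ".join(end.group(1).split())
        when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        certs.append((subj.group(1).strip() if subj else "unknown", when))
    return certs

def renewal_status(text, now, warn_days=30):
    """Classify each certificate as 'expired', 'renew' or 'ok' relative to now."""
    results = []
    for subject, not_after in parse_certs(text):
        if not_after <= now:
            state = "expired"
        elif not_after - now <= timedelta(days=warn_days):
            state = "renew"
        else:
            state = "ok"
        results.append((subject, state, not_after))
    return results

if __name__ == "__main__":
    for subject, state, not_after in renewal_status(SAMPLE_OUTPUT, datetime.now(timezone.utc)):
        print(f"{state:8} {subject} (Not After {not_after:%Y-%m-%d %H:%M} UTC)")
```

A certificate reported as "renew" or "expired" must be requested again by an administrator, following the guideline above to delete the existing local certificate first.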
