Operation Manual – PKI
H3C S3610&S5510 Series Ethernet Switches
Chapter 1 PKI Configuration
Note:
- If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create rsa command.
- A newly created key pair will overwrite the existing one. If you perform the public-key local create rsa command in the presence of a local RSA key pair, the system will ask you whether you want to overwrite the existing one.
- If a PKI domain already has a local certificate, you cannot request another certificate for it. This is to avoid inconsistency between the certificate and the enrollment information resulting from configuration changes. To request a new certificate, use the pki delete-certificate command to delete the existing local certificate and the CA certificate stored locally.
- When it is impossible to request a certificate from the CA through SCEP, you can save the request information by using the pki request-certificate domain command with the pkcs10 and filename keywords, and then send the file to the CA by an out-of-band means.
- Make sure the clocks of the entity and the CA are synchronized. Otherwise, the validity period of the certificate may be abnormal.
- The pki request-certificate domain configuration will not be saved in the configuration file.
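The out-of-band PKCS#10 enrollment and the key-pair/certificate consistency points in the notes above, rehearsed on an administrator's host with openssl(1). This is an added example, not part of the H3C manual; the stand-in CA, key pair, file names and subject names are all constructed for the illustration.

```shell
# Added example (not from the manual): rehearse the out-of-band path described in
# the notes (a PKCS#10 request carried to the CA, the issued certificate carried back)
# and run the two checks worth doing before importing the certificate: its public key
# matches the local key pair, and it is valid now, on this host's clock, under the CA.
# Assumes openssl(1) is installed; every file name and subject name is constructed.
set -e
WORK=$(mktemp -d)

# Stand-in for the switch's local RSA key pair and the PKCS#10 request exported from it.
openssl genrsa -out "$WORK/entity.key" 2048 2>/dev/null
openssl req -new -key "$WORK/entity.key" -subj "/CN=switch-example" \
  -out "$WORK/request.p10" 2>/dev/null

# Stand-in CA that signs the request it received by out-of-band means.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -subj "/CN=Example CA" -days 365 -out "$WORK/ca.crt" 2>/dev/null
openssl x509 -req -in "$WORK/request.p10" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -out "$WORK/entity.crt" 2>/dev/null

# Check 1: the SubjectPublicKeyInfo in the certificate equals the local key pair's
# public key. This is the consistency the note about regenerating key pairs protects.
key_matches_cert() {  # $1 = private key file, $2 = certificate file
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# Check 2: the certificate chains to the CA certificate and its notBefore/notAfter
# window covers the current time on this host. A clock far from the CA's clock makes
# this fail even for a freshly issued certificate (the "abnormal validity" in the note).
valid_now() {  # $1 = CA certificate file, $2 = entity certificate file
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches_cert "$WORK/entity.key" "$WORK/entity.crt" && echo "key pair matches certificate"
valid_now "$WORK/ca.crt" "$WORK/entity.crt" && echo "certificate is valid now under the CA"

# Generating a new key pair after issuance: the old certificate no longer matches,
# so it must be deleted and a new request made, as the first note says.
openssl genrsa -out "$WORK/entity-new.key" 2048 2>/dev/null
key_matches_cert "$WORK/entity-new.key" "$WORK/entity.crt" \
  || echo "new key pair does not match the existing certificate: delete it and re-enroll"
```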
1.6 Retrieving a Certificate Manually
You can download an existing CA certificate or local certificate from the CA server and save it locally. This can be done in two ways: online and offline. In offline mode, you need to retrieve the certificate by an out-of-band means such as FTP, disk or e-mail, and then import it into the local PKI system.
Certificate retrieval serves two purposes:
- Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count;
- Prepare for certificate validation.
Before retrieving a local certificate, be sure to complete LDAP server configuration.