Step | Command | Remarks
12. (Optional.) Specify a source IP address for the PKI protocol packets.
  Command:
  • Specify the source IPv4 address for the PKI protocol packets:
    source ip { ip-address | interface { interface-type interface-number } }
  • Specify the source IPv6 address for the PKI protocol packets:
    source ipv6 { ipv6-address | interface { interface-type interface-number } }
  Remarks: This task is required if the CA policy requires that the CA server accept certificate requests from a specific IP address or subnet.
  By default, the source IP address of PKI protocol packets is the IP address of their outgoing interface.
Requesting a certificate
To request a certificate, a PKI entity must provide its identity information and public key to a CA.
A certificate request can be submitted to a CA in offline or online mode.
• Offline mode—A certificate request is submitted by using an out-of-band method, such as phone, disk, or email. You can use this mode as required or if you fail to request a certificate in online mode.
  To submit a certificate request in offline mode:
  a. Use pki request-certificate domain pkcs10 to print the request information on the terminal, or use pki request-certificate domain pkcs10 filename to save the request information to a local file.
  b. Send the printed information or the saved file to the CA by using an out-of-band method to submit the request.
• Online mode—A certificate request can be automatically or manually submitted. This section describes the online request mode.
Configuration guidelines
The following guidelines apply to certificate requests for an entity in a PKI domain:
• Make sure the device is time synchronized with the CA server. Otherwise, the certificate request might fail because the certificate is considered to be outside of its validity period. For information about how to configure the system time, see Fundamentals Configuration Guide.
• To request a new certificate for a PKI entity that already has a local certificate, perform the following tasks:
  a. Use the pki delete-certificate command to delete the existing local certificate.
  b. Use the public-key local create command to generate a new key pair. The new key pair automatically overwrites the old key pair in the domain.
  c. Submit a new certificate request.
• After a new certificate is obtained, do not use the public-key local create or public-key local destroy command to generate or destroy a key pair with the same name as the key pair in the local certificate. Otherwise, the existing local certificate becomes unavailable.
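The following console session is an added example, not taken from the configuration guide, that strings together the optional source-address step, the offline request procedure and the renewal guideline above on one device. The PKI domain name corp-ca, the key pair name corp-key (assumed to be the key pair already referenced by the domain), the interface Vlan-interface10 and the file name corp-req.p10 are all assumed values chosen for the example; the CA-side import of the issued certificate is outside this page and is not shown.

```text
# Added example; names below are assumptions, not values from the guide.
#
# 1. Check the clock before anything else: skew against the CA server is the
#    usual reason a freshly issued certificate is treated as not yet valid.
<Device> display clock

# 2. (Optional step 12) Send PKI protocol packets from the address the CA
#    policy expects, instead of the default outgoing-interface address.
<Device> system-view
[Device] pki domain corp-ca
[Device-pki-domain-corp-ca] source ip interface Vlan-interface10
[Device-pki-domain-corp-ca] quit

# 3. Renewal for an entity that already holds a local certificate: remove the
#    old local certificate, then regenerate the key pair under the same name
#    so it overwrites the old key pair in the domain.
[Device] pki delete-certificate domain corp-ca local
[Device] public-key local create rsa name corp-key
# (the device prompts for the modulus length; choose at least 2048)

# 4. Offline request: write the PKCS#10 request to a file and carry it to the
#    CA out of band. Omit "filename corp-req.p10" to print it on the terminal.
[Device] pki request-certificate domain corp-ca pkcs10 filename corp-req.p10

# 5. Once the CA-issued certificate is on the device, confirm it is the one
#    bound to corp-key, and from now on leave corp-key alone: running
#    public-key local create/destroy on it would invalidate this certificate.
[Device] display pki certificate domain corp-ca local
```

Step 3 is the only destructive part: after pki delete-certificate and public-key local create, any service already using the old local certificate is without a valid certificate until step 4 completes and the CA response is imported, so schedule a renewal in a maintenance window rather than on a live device.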