Submitting a PKI certificate request
When requesting a certificate, an entity introduces itself to the CA by providing its identity information
and its public key, which are the two major components of the certificate. A certificate request can be
submitted to a CA offline or online. In offline mode, the request is delivered to the CA out of band, for
example by phone, on a disk, or by email.
Online certificate requests are submitted in either manual mode or auto mode.
Submitting a certificate request in auto mode
In auto mode, an entity automatically requests a certificate from the CA server if it has no local
certificate for an application that relies on PKI. For example, when IKE uses certificate-based
authentication and no local certificate is available during IKE negotiation, the entity automatically
requests one.
To configure an entity to submit a certificate request in auto mode:
Step  To do...                                 Command...                                                    Remarks
1.    Enter system view.                       system-view                                                   —
2.    Enter PKI domain view.                   pki domain domain-name                                        —
3.    Set the certificate request mode to      certificate request mode auto [ key-length key-length |       Required.
      auto.                                    password { cipher | simple } password ] *                     Manual by default.
NOTE:
If the local certificate is about to expire or has already expired, the entity does not automatically
request a new one, and the service that uses the certificate might be interrupted. To obtain a new local
certificate, request one manually, preferably before the current certificate expires.
Submitting a certificate request in manual mode
In manual mode, you must retrieve the CA certificate, generate a local RSA key pair, and submit a local
certificate request for the entity.
Retrieving the CA certificate lets the entity verify the authenticity and validity of the local certificate
that the CA later issues.
Generating an RSA key pair is an essential step of the certificate request. The key pair consists of a
public key and a private key. The private key stays on the local device and is never sent to the CA. The
public key is sent to the CA in the request, together with the entity's identity information. For more
information about RSA and DSA key pair configuration, see
"
."