certificate auto-update enable

Function

The certificate auto-update enable command enables CMPv2-based automatic certificate update.

The undo certificate auto-update enable command disables CMPv2-based automatic certificate update.

By default, CMPv2-based automatic certificate update is disabled.

Format

certificate auto-update enable

undo certificate auto-update enable

Parameters

None

Views

CMP session view

Default Level

2: Configuration level

Usage Guidelines

If a certificate obtained through CMPv2 is about to expire, run this command to enable CMPv2-based automatic certificate update to ensure certificate validity. After the command is executed, the system checks the prerequisites, for example, the referenced PKI entity, the URL of the CMPv2 server, and the RSA key pair used for CMPv2-based certificate application. The configuration succeeds only when these conditions are met.

When the system detects that the remaining validity period of the local certificate has reached the value specified in certificate update expire-time, it automatically initiates a certificate update request and decides whether to create a new RSA key pair based on the cmp-request rsa local-key-pair configuration. After the new certificate is obtained, the system replaces the previous certificate and RSA key pair with the new ones. The replacement covers the files in device storage, the certificate in memory, and the configuration used in IKE negotiation.

Example

# Enable CMPv2-based automatic certificate update.

<HUAWEI> system-view
[HUAWEI] pki cmp session test
[HUAWEI-pki-cmp-session-test] certificate auto-update enable
Copyright © Huawei Technologies Co., Ltd.