
Applying for and Updating the Local Certificate for a PKI Entity Through SCEP

Context

Two methods are available to apply for the local certificate for a PKI entity through the Simple Certificate Enrollment Protocol (SCEP):

  • Automatic local certificate application and update

    If the configuration required for local certificate application has been performed and the device has no local certificate, the device automatically applies for the local certificate through SCEP. Alternatively, if the local certificate will expire soon, has expired, or reaches the specified percentage of validity period, the device automatically applies for and updates the local certificate through SCEP.

  • Manual local certificate application

    If the configuration required for local certificate application has been performed and the device has no local certificate, the device is manually triggered to apply for the local certificate through SCEP. If the local certificate will expire soon, has expired, or reaches the specified percentage of validity period, the device does not automatically apply for and update the local certificate through SCEP.

When you use either of the two methods to apply for the local certificate, the device obtains the CA certificate, saves it to the device storage and automatically imports it into the device memory. The device then uses the public key in the CA certificate to encrypt its local certificate enrollment request and sends the request to the CA to apply for a local certificate. Finally, the device saves the local certificate to the device storage and automatically imports it into the device memory.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki file-format { der | pem }

    The file format in which the device stores the certificate is configured.

    By default, the device stores the certificate into a PEM file.

  3. Run pki realm realm-name

    A PKI realm is created and the PKI realm view is displayed; or the PKI realm view is displayed directly.

    By default, the device has a PKI realm named default. This realm can only be modified but cannot be deleted.

    A PKI realm is valid only on the local device and unavailable to certificate authorities (CAs) or other devices. Each PKI realm has its own parameters.

  4. Run ca id ca-name

    A trusted CA is configured for the PKI realm.

    By default, no trusted CA is configured for a PKI realm.

    ca-name specifies the name of a CA server.

  5. Run entity entity-name

    A PKI entity that applies for a local certificate is specified.

    By default, no PKI entity that applies for a local certificate is specified.

    The PKI entity specified by entity-name must have been created using the pki entity command.

  6. Run rsa local-key-pair key-name

    The RSA key pair used in SCEP-based certificate application is configured.

    By default, the RSA key pair used in SCEP-based certificate application is not configured.

    The RSA key pair specified by key-name must have been created using the pki rsa local-key-pair create command.

  7. (Optional) Run key-usage { ike | ssl-client | ssl-server } *

    The certificate public key usage attribute is configured.

    By default, no certificate public key usage attribute is configured.

  8. (Optional) Run source { interface interface-type interface-number | ip-address }

    The source address used in TCP connection setup is specified.

    By default, the device uses an outbound interface's IP address as the source IP address used in TCP connection setup.

    If the source interface used in TCP connection setup has been specified, the source interface must be a Layer 3 interface with an IP address configured.

  9. Run enrollment-url [ esc ] url [ interval minutes ] [ times count ] [ ra ]

    A CA server URL is configured.

    By default, the CA server URL is not configured.

    Pay attention to the following points:

    • If the esc parameter is not specified in the command, the URL format is http://server_location/ca_script_location.

      server_location can be an IP address or a domain name. ca_script_location is the path where the CA server host's application script is located. For example, when a Windows server functions as the CA server, the URL format is http://host:port/certsrv/mscep/mscep.dll, where host is the CA server's IP address and port is the CA server's port number. If the CA server's IP address is 10.137.145.158 and the port number is 8080, the URL is http://10.137.145.158:8080/certsrv/mscep/mscep.dll.

    • If the esc parameter is specified, the URL that contains a question mark (?) can be entered in ASCII format.

      With esc specified, each question mark (?) in the URL must be written as \x3f, where 3f is the hexadecimal ASCII value of the question mark (?). For example, to enter http://***.com?page1, the corresponding URL is http://***.com\x3fpage1. To enter both a question mark (?) and a literal \x3f (http://www.***.com?page1\x3f), the corresponding URL is http://www.***.com\x3fpage1\\x3f.

    • If certificate requests are manually processed on the CA server, it may take a long period of time to issue a certificate. The PKI entity applying for a certificate needs to periodically send queries to obtain the issued certificate in time. To adjust the certificate enrollment query interval and maximum number of queries, configure the interval and times.

    • If the ra parameter is specified, an RA authenticates a PKI entity's identity information during local certificate application. By default, a CA authenticates a PKI entity's identity information during local certificate application.

  10. Run enrollment-request signature message-digest-method { md5 | sha-256 | sha-384 | sha-512 }

    The digest algorithm used to sign certificate enrollment requests is configured.

    By default, the digest algorithm used to sign certificate enrollment requests is sha-256.

    SHA-2 algorithms (sha-256, sha-384, and sha-512) are more secure than md5 and are therefore recommended.

    The digest algorithm used on a PKI entity must be the same as that used on the CA server.

  11. Run password cipher password

    The challenge password used in SCEP certificate application is configured. The challenge password is also called the certificate revocation password.

    By default, the challenge password used in SCEP certificate application is not configured.

    The challenge password used on a PKI entity must be the same as that configured on the CA server. If the CA server does not require a challenge password, this challenge password does not need to be configured.

  12. Run fingerprint { md5 | sha1 | sha256 } fingerprint

    The CA certificate fingerprint used in CA certificate authentication is configured.

    By default, the CA certificate fingerprint used in CA certificate authentication is not configured.

    The fingerprint needs to be obtained offline from a CA server. For example, when Windows Server 2008 functions as the CA server, access the web page address http://host:port/certsrv/mscep_admin/ to obtain the CA certificate fingerprint. In the web page address, host specifies the CA server's IP address, and port specifies the CA server's port number.
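    The fingerprint configured in this step is what lets the device authenticate the CA certificate it receives over SCEP, so it is worth being able to recompute it from the CA certificate file obtained offline. The following script is an added example, not part of this documentation or of the device software: it computes the md5, sha1 or sha256 fingerprint over the DER bytes of a certificate supplied in either PEM or DER form (matching the two file formats of step 2) and compares it with a configured value in constant time. The sample certificate bytes are constructed, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Digest algorithms accepted by the "fingerprint { md5 | sha1 | sha256 } fingerprint" command.
FINGERPRINT_ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(cert_bytes: bytes) -> bytes:
    """Return the DER encoding of a certificate given either as PEM or as DER.

    The fingerprint is always computed over the DER bytes, so a PEM file
    (the device default, see pki file-format) must be base64-decoded first.
    """
    match = _PEM_RE.search(cert_bytes)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    return cert_bytes


def ca_cert_fingerprint(cert_bytes: bytes, algorithm: str = "sha256") -> str:
    """Compute the CA certificate fingerprint as a lowercase hex string."""
    if algorithm not in FINGERPRINT_ALGORITHMS:
        raise ValueError(f"unsupported fingerprint algorithm: {algorithm}")
    return FINGERPRINT_ALGORITHMS[algorithm](to_der(cert_bytes)).hexdigest()


def fingerprint_matches(cert_bytes: bytes, algorithm: str, configured: str) -> bool:
    """Check a CA certificate against the fingerprint obtained offline from the CA.

    The configured value may be upper-case or colon/space separated, as CA
    web pages often display it; the comparison itself is constant-time.
    """
    expected = re.sub(r"[^0-9a-f]", "", configured.lower())
    return hmac.compare_digest(ca_cert_fingerprint(cert_bytes, algorithm), expected)


# Constructed sample: a minimal DER SEQUENCE, NOT a real certificate. It only
# shows that the PEM and DER forms of the same bytes yield the same fingerprint.
SAMPLE_DER = bytes.fromhex("30060201010201ff")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    fp = ca_cert_fingerprint(SAMPLE_PEM, "sha256")
    print("sha256 fingerprint:", fp)
    print("matches configured value:", fingerprint_matches(SAMPLE_DER, "sha256", fp.upper()))
```

    Point the script at the CA certificate file downloaded from the CA and compare its output with the value shown on the CA's administration page before entering it in the fingerprint command.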

  13. Configure the local certificate application and update mode.

    • Configure automatic application and update of local certificate.

      Run auto-enroll [ percent ] [ regenerate [ key-bit ] ] [ updated-effective ]

      The automatic certificate enrollment and update function is enabled.

      By default, the automatic certificate application and update function is disabled.

    • Configure manual local certificate application.

      1. Run quit

        Return to the system view.

      2. Run pki enroll-certificate realm realm-name [ password password ]

        Manual certificate application is configured.

        If the password command is configured, the password parameter does not need to be specified. If both the password command and password parameter are configured, the password parameter setting takes effect.

Copyright © Huawei Technologies Co., Ltd.