If the device can access a CA and the CA supports the Certificate Management Protocol version 2 (CMPv2), the device can apply for and update the local certificate through CMPv2.
CMPv2-based local certificate application applies to the following situations:
Initial local certificate application using an initialization request (IR)
The device sends the CA an IR to apply for the local certificate for the first time. In this situation, the device proves its identity to the CMPv2 server in either of the following ways:
Local certificate application for another device using a certification request (CR)
The device has the local certificate issued by the CA and needs to apply for an additional local certificate for another device. In this situation, the device uses the existing certificate for identity authentication.
CMPv2 supports two local certificate update modes:
Manual certificate update using a key update request (KUR)
A KUR, also called a certificate update request, is used to update the device's existing certificate, which must not have expired or been revoked. During local certificate update, the device uses the existing certificate for identity authentication. The device can use either a new public key or the previous public key to update the local certificate.
Applying for a local certificate using an IR is insecure. You are advised to update the local certificate and key pair using a KUR.
Automatic certificate update
The device must apply for a new certificate before the existing certificate expires to prevent service interruptions. In manual certificate update mode, a certificate update is easily overlooked. To avoid this problem, the device supports automatic certificate update. When the system detects that the automatic certificate update time has been reached, it initiates a certificate update request to the CMPv2 server. The new certificate replaces the certificate file in the device storage and the certificate in the device memory without interrupting services.
This method can be used to automatically update the local certificate obtained using an IR or updated using a KUR.
The system view is displayed.
The file format in which the device stores the certificate is configured.
By default, the device stores the certificate into a PEM file.
A PKI realm is created and the PKI realm view is displayed; or the PKI realm view is displayed directly.
By default, no PKI realm is created.
Return to the system view.
A CMP session is created and the CMP session view is displayed; or the CMP session view is displayed directly.
By default, no CMP session is created.
A CMP session is valid only on the local device and is unavailable to the CA and other devices.
The PKI entity name used in CMPv2-based certificate application is configured for the device.
By default, the PKI entity name used in CMPv2-based certificate application is not configured.
The CA name is configured for the CMP session.
By default, no CA name is configured for a CMP session.
The order of the fields in the configured CA name must be the same as that in the CA certificate. Otherwise, the CMPv2 server considers the CA name incorrect.
The CMPv2 server URL is configured.
By default, the CMPv2 server URL is not configured.
url-addr can be either an IP address or a domain name. If a domain name is used, the Domain Name System (DNS) must be correctly configured on the PKI entity so that the PKI entity can resolve the domain name through the DNS server.
The RSA key pair used in CMPv2-based certificate application is configured.
By default, the RSA key pair used in CMPv2-based certificate application is not configured.
If the regenerate parameter is specified, the system generates a new RSA key pair to apply for a new certificate and uses the new certificate and RSA key pair to replace the previous ones during automatic certificate update. Otherwise, the system continues to use the previous RSA key pair during automatic certificate update.
The PKI realm used in CMPv2-based certificate application is configured.
By default, the PKI realm used in CMPv2-based certificate application is not configured.
The certificate file used to validate the CA response signature is configured.
By default, the certificate file used to validate the CA response signature is not configured.
Initial local certificate application using an IR
Run cmp-request origin-authentication-method { message-authentication-code | signature }
The authentication mode of CMPv2-based initial local certificate application is configured.
By default, the authentication mode of CMPv2-based initial local certificate application is message authentication code.
Run cmp-request message-authentication-code reference-value secret-value
The message authentication code's reference values and secret values are configured.
By default, the message authentication code's reference values and secret values are not configured.
The message authentication code's reference values and secret values need to be obtained from the CMPv2 server out of band.
Run cmp-request authentication-cert cert-name
The certificate carried in a CMPv2 request for identity authentication is configured.
By default, the certificate carried in a CMPv2 request for identity authentication is not configured.
This certificate is an additional certificate and must be issued by another trusted certificate authority.
Run quit
Return to the system view.
Run pki cmp initial-request session session-name
The device sends an IR to apply for the local certificate with the CMPv2 server according to the CMP session configuration for the first time.
After this command is configured, the system first checks the CMP session configuration to determine whether it can apply for the local certificate. If the condition is not met, an error message is displayed. If the condition is met, the system initiates an initial certificate request according to the configuration. The obtained certificate is saved in a file to the device storage without being imported into the memory. If the server provides a CA certificate in a response, the CA certificate is also saved in a file.
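The message-authentication-code option above protects the IR with the RFC 4210 PasswordBasedMac scheme: the reference value names the shared secret and the secret value is the key material, both exchanged out of band. The following Python is an added illustration, not code from this documentation or from the device, of how the client computes that MAC and how a CMPv2 server would look up the secret by reference value and verify it. The one-way function and MAC algorithm are simplified to a single configurable hash, the server secret table and request bytes are constructed, and the `protected_part` stands in for the DER-encoded CMP header and body.

```python
"""RFC 4210 section 5.1.3.1 PasswordBasedMac, simplified (added example).

The IR is bound to the requester only through the secret that the
reference value (senderKID) points at; nothing else authenticates it.
"""
import hashlib
import hmac


def pbm_key(secret: bytes, salt: bytes, iterations: int, owf: str = "sha256") -> bytes:
    """Derive BASEKEY: OWF(secret || salt), then OWF applied iterationCount-1 more times."""
    if iterations < 1:
        raise ValueError("iterationCount must be at least 1")
    key = hashlib.new(owf, secret + salt).digest()
    for _ in range(iterations - 1):
        key = hashlib.new(owf, key).digest()
    return key


def protect(protected_part: bytes, secret: bytes, salt: bytes,
            iterations: int, owf: str = "sha256") -> bytes:
    """Client side: MAC over the protected part (DER of header+body in real CMP)."""
    return hmac.new(pbm_key(secret, salt, iterations, owf), protected_part, owf).digest()


def verify(protected_part: bytes, mac: bytes, secret: bytes, salt: bytes,
           iterations: int, owf: str = "sha256") -> bool:
    """Constant-time comparison so a verifier does not leak MAC prefixes."""
    return hmac.compare_digest(protect(protected_part, secret, salt, iterations, owf), mac)


# Constructed server-side table: reference value -> secret value (assumption, not a real CA).
SERVER_SECRETS = {b"device-0001": b"constructed-shared-secret"}


def server_verify(sender_kid: bytes, protected_part: bytes, salt: bytes,
                  iterations: int, mac: bytes, owf: str = "sha256") -> bool:
    """Server side: resolve the reference value, then check the MAC.

    An unknown reference value fails closed instead of falling back to a default secret."""
    secret = SERVER_SECRETS.get(sender_kid)
    if secret is None:
        return False
    return verify(protected_part, mac, secret, salt, iterations, owf)


if __name__ == "__main__":
    salt = b"\x01" * 16                      # constructed; real clients use a random salt
    body = b"constructed IR header+body"     # stands in for DER(header, body)
    mac = protect(body, SERVER_SECRETS[b"device-0001"], salt, 1024)
    print("valid:", server_verify(b"device-0001", body, salt, 1024, mac))
    print("tampered:", server_verify(b"device-0001", body + b"x", salt, 1024, mac))
```

Because the MAC key is derived from nothing but the shared secret and a public salt, the protection is only as strong as the secret's entropy and distribution, which is why the text above recommends moving to KUR, where the device's existing certificate and private key sign the request.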
Local certificate application for another device using a CR
Run cmp-request authentication-cert cert-name
The certificate carried in a CMPv2 request for identity authentication is configured.
By default, the certificate carried in a CMPv2 request for identity authentication is not configured.
This certificate is the local certificate that the CA has issued to the device.
Run quit
Return to the system view.
Run pki cmp certificate-request session session-name
The device sends a CR to apply for the local certificate with the CMPv2 server according to the CMP session configuration.
After this command is configured, the system first checks the CMP session configuration to determine whether it can update the local certificate. If the condition is not met, an error message is displayed. If the condition is met, the system initiates a certificate update request according to the configuration. The obtained certificate is saved in a file to the device storage without being imported into the memory.
Manual certificate update using a KUR
Run pki cmp session session-name
The CMP session view is displayed directly.
Run cmp-request authentication-cert cert-name
The certificate carried in a CMPv2 request for identity authentication is configured.
By default, the certificate carried in a CMPv2 request for identity authentication is not configured.
This certificate is the local certificate that the CA has issued to the device and needs to be replaced by a new local certificate.
Run quit
Return to the system view.
Run pki cmp keyupdate-request session session-name
The device sends the CMPv2 server a KUR to update the key according to the CMP session configuration.
When the device requests to update the key with the CMPv2 server, it also applies for a new local certificate.
After this command is configured, the system first checks the CMP session configuration to determine whether it can update the local certificate. If the condition is not met, an error message is displayed. If the condition is met, the system initiates a certificate update request according to the configuration. The obtained certificate is saved in a file to the device storage without being imported into the memory.
Automatic certificate update
Run pki cmp session session-name
The CMP session view is displayed directly.
Run cmp-request authentication-cert cert-name
The certificate carried in a CMPv2 request for identity authentication is configured.
By default, the certificate carried in a CMPv2 request for identity authentication is not configured.
This certificate is the local certificate that the CA has issued to the device and needs to be replaced by a new local certificate.
Run certificate auto-update enable
The CMPv2-based automatic certificate update function is enabled.
By default, the CMPv2-based automatic certificate update function is disabled.
Run certificate update expire-time valid-percent
The time when the local certificate is updated automatically is configured. The value is expressed as the percentage of the certificate validity period.
The default certificate update time is 50% of the certificate validity period.
After this command is configured, the system initiates a certificate update request and determines whether to create a new RSA key pair according to the cmp-request rsa local-key-pair command configuration when finding that the automatic certificate update time reaches the value specified by valid-percent. After the new certificate is obtained, the system replaces the previous certificate and RSA key pair with the new ones.
Run quit
Return to the system view.
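The automatic update above fires when the configured percentage of the certificate's validity period has elapsed, and the KUR it sends is only possible while the current certificate is still valid. The following Python is an added example, not code from this documentation or from the device, that computes that trigger time from a certificate's notBefore/notAfter and classifies where a given instant falls (not yet due, due for update, or already expired so that KUR can no longer be used). Dates are constructed, and the `valid_percent` bounds are an assumption about the configurable range.

```python
"""Scheduling logic for percentage-based automatic certificate update (added example)."""
from datetime import datetime, timedelta, timezone


def auto_update_time(not_before: datetime, not_after: datetime, valid_percent: int) -> datetime:
    """Return the instant at which valid_percent of the validity period has elapsed.

    valid_percent mirrors the expire-time setting; 50 means the midpoint of the lifetime."""
    if not 1 <= valid_percent <= 100:          # assumed configurable range
        raise ValueError("valid_percent must be between 1 and 100")
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    validity: timedelta = not_after - not_before
    return not_before + validity * (valid_percent / 100)


def update_status(not_before: datetime, not_after: datetime,
                  valid_percent: int, now: datetime) -> str:
    """Classify `now` relative to the update window.

    'expired'  : past notAfter, so a KUR (which needs a valid certificate) is no longer possible
    'due'      : update time reached, certificate still valid, send the KUR
    'not_due'  : keep the current certificate"""
    if now >= not_after:
        return "expired"
    if now >= auto_update_time(not_before, not_after, valid_percent):
        return "due"
    return "not_due"


def seconds_until_update(not_before: datetime, not_after: datetime,
                         valid_percent: int, now: datetime) -> int:
    """How long a scheduler may sleep before re-checking; never negative."""
    remaining = auto_update_time(not_before, not_after, valid_percent) - now
    return max(0, int(remaining.total_seconds()))


if __name__ == "__main__":
    # Constructed one-year certificate lifetime (2024 is a leap year: 366 days).
    nb = datetime(2024, 1, 1, tzinfo=timezone.utc)
    na = datetime(2025, 1, 1, tzinfo=timezone.utc)
    print(auto_update_time(nb, na, 50))                                  # 2024-07-02
    print(update_status(nb, na, 50, datetime(2024, 8, 1, tzinfo=timezone.utc)))  # due
```

A low percentage leaves more slack for an unreachable CA or a pending RA approval; the cost is a shorter effective lifetime per key pair when regenerate is configured.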
The ongoing CMP poll request is canceled.
If the server cannot respond to the client within a specified period after the client initiates a certificate-related request, the server requires the client to send poll requests at an interval until it responds. If the client does not want to wait, it can cancel the ongoing CMP poll request, which also cancels the certificate application.
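The polling exchange described above follows the RFC 4210 pollReq/pollRep pattern: the server answers a pending request with a checkAfter interval, the client polls after that interval, and the client may give up and cancel. The Python below is an added simulation, not code from this documentation or from the device, with a constructed CA stand-in that needs a configurable number of poll cycles before issuing, and a client that polls within a wait budget and cancels when the next poll would exceed it. Message names follow RFC 4210; the classes, the `pending_rounds` parameter and the certificate bytes are constructed.

```python
"""Simulated CMP poll request / poll response exchange with client-side cancel (added example)."""
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass
class PollRep:
    """Server says the request is still pending; poll again after check_after seconds."""
    cert_req_id: int
    check_after: int


@dataclass
class CertResponse:
    """Server delivers the issued certificate for cert_req_id."""
    cert_req_id: int
    certificate: bytes


class SimulatedCmpServer:
    """Constructed CA stand-in: needs pending_rounds poll cycles (e.g. awaiting RA approval)."""

    def __init__(self, pending_rounds: int, check_after: int = 5):
        self.pending_rounds = pending_rounds
        self.check_after = check_after
        self.polls_seen = 0

    def initial_request(self, cert_req_id: int) -> Union[PollRep, CertResponse]:
        if self.pending_rounds == 0:
            return CertResponse(cert_req_id, b"constructed-cert")
        return PollRep(cert_req_id, self.check_after)

    def poll_request(self, cert_req_id: int) -> Union[PollRep, CertResponse]:
        self.polls_seen += 1
        if self.polls_seen >= self.pending_rounds:
            return CertResponse(cert_req_id, b"constructed-cert")
        return PollRep(cert_req_id, self.check_after)


def request_with_polling(server: SimulatedCmpServer, cert_req_id: int,
                         max_wait_seconds: int) -> Tuple[str, Union[bytes, int]]:
    """Client side. Returns ('issued', cert) or ('cancelled', seconds_waited).

    Time is modelled as the sum of check_after intervals instead of sleeping, so the
    logic is deterministic; a real client would sleep check_after seconds per cycle."""
    waited = 0
    rep = server.initial_request(cert_req_id)
    while isinstance(rep, PollRep):
        if rep.cert_req_id != cert_req_id:
            raise ValueError("pollRep for an unknown certReqId")
        if waited + rep.check_after > max_wait_seconds:
            # Equivalent of cancelling the ongoing poll request: the application is abandoned.
            return ("cancelled", waited)
        waited += rep.check_after
        rep = server.poll_request(cert_req_id)
    return ("issued", rep.certificate)


if __name__ == "__main__":
    print(request_with_polling(SimulatedCmpServer(pending_rounds=3), 1, max_wait_seconds=60))
    print(request_with_polling(SimulatedCmpServer(pending_rounds=3), 1, max_wait_seconds=10))
```

The wait budget is the defender's knob: too small and legitimate slow approvals are abandoned; unbounded and a stalled or misbehaving server keeps the device polling indefinitely.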