
Applying for the Local Certificate in Offline Mode

Context

If the CA server supports neither SCEP nor CMPv2, configure the device to apply for the local certificate in offline mode. The device generates a certificate request file (PKCS#10), and the user delivers that file to the CA out of band (for example through a web portal, on a disk, or by email) to apply for the local certificate. After the CA issues the certificate, the user still has to download it from wherever the CA makes it available and save it to the device's storage. Because the request and the issued certificate travel out of band, nothing on the enrollment protocol level binds them to this device: the channel you choose, and the challenge password when the CA uses one, are what tie the request to the device, so use a channel you trust for both directions.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki realm realm-name

    A PKI realm is created and its view is displayed; if the realm already exists, its view is displayed directly.

    By default, the device has a PKI realm named default. This realm can only be modified but cannot be deleted.

    A PKI realm is valid only on the local device and unavailable to certificate authorities (CAs) or other devices. Each PKI realm has its own parameters.

  3. Run entity entity-name

    A PKI entity that applies for a local certificate is specified.

    By default, no PKI entity that applies for a local certificate is specified.

    The PKI entity specified by entity-name must have been created using the pki entity command.

  4. Run rsa local-key-pair key-name

    Or run

    The RSA key pair used in offline mode certificate application is configured.

    By default, the RSA key pair used in offline mode certificate application is not configured.

  5. Run enrollment-request signature message-digest-method { md5 | sha-256 | sha-384 | sha-512 }

    The digest algorithm used to sign certificate enrollment requests is configured.

    By default, the digest algorithm used to sign certificate enrollment requests is sha-256.

    md5 is cryptographically broken (practical collision attacks exist) and must not be used for signing requests; keep the default sha-256, or choose sha-384 or sha-512.

    The digest algorithm configured on the PKI entity must be one the CA server accepts; otherwise the CA rejects the request.

  6. (Optional) Run key-usage { ike | ssl-client | ssl-server } *

    The certificate public key usage attribute is configured. Request only the usages this certificate actually needs (for example ssl-server alone for a device that only terminates TLS); the CA decides what it finally issues.

    By default, no certificate public key usage attribute is configured.

  7. Run quit

    Return to the system view.

  8. Run pki file-format { der | pem }

    The file format in which the device stores the certificate and certificate request is configured.

    By default, the device stores the certificate and certificate request into a PEM file.

  9. Run pki enroll-certificate realm realm-name pkcs10 [ filename filename ] [ password password ]

    The device generates the certificate request for the realm and saves it to a file in PKCS#10 format, using the file format configured with pki file-format; filename sets the name of that file.

    The challenge password used on a PKI entity must be the same as that configured on the CA server. If the CA server does not require a challenge password, do not configure one. The challenge password is stored in the request file itself, as the PKCS#10 challengePassword attribute, so protect the file in transit as you would the password.

  10. Send the certificate request file to the CA out of band (web, disk, or email) to apply for the local certificate. After the CA issues the certificate, download it and save it to the device's storage.
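The steps above produce a request file that leaves the device by hand, so it is worth checking the file before it goes to the CA: that the request is signed with one of the digests from step 5 and not md5, that it carries a challenge password exactly when the CA expects one (step 9), and that it parses whether it was written as PEM or DER (step 8). The following is an added example, not code from the original page or from Huawei; it uses only the Python standard library, and the sample request it inspects is constructed inline with a dummy key and a placeholder signature (structurally valid PKCS#10, but not a real device request, and no signature is verified). The subject name device1.example.test and the password Secret123 are made up for the example.

```python
"""Inspect a PKCS#10 request file before sending it to the CA out of band.
Added example: standard library only; the sample request is constructed
inline with a dummy key and placeholder signature (not a real device artifact)."""
import base64
import re

OID_CHALLENGE_PASSWORD = "1.2.840.113549.1.9.7"   # PKCS#9 challengePassword
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# The digests the procedure allows besides md5 (step 5).
ACCEPTED_SIG = {"sha256WithRSAEncryption", "sha384WithRSAEncryption",
                "sha512WithRSAEncryption"}


# --- minimal DER codec, enough to walk a CertificationRequest ---------------
def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a constructed element into its TLVs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der_tlv(0x06, body)


# --- constructed sample: structurally valid PKCS#10, dummy key and signature
def build_sample_request(sig_oid, challenge_password=None, pem=True):
    atv = der_tlv(0x30, encode_oid("2.5.4.3") + der_tlv(0x0C, b"device1.example.test"))
    subject = der_tlv(0x30, der_tlv(0x31, atv))            # CN only (made-up name)
    key_alg = der_tlv(0x30, encode_oid("1.2.840.113549.1.1.1") + der_tlv(0x05, b""))
    spki = der_tlv(0x30, key_alg + der_tlv(0x03, b"\x00" + bytes(16)))  # placeholder key bits
    attrs = b""
    if challenge_password is not None:     # PKCS#9 challengePassword attribute
        attrs = der_tlv(0x30, encode_oid(OID_CHALLENGE_PASSWORD)
                        + der_tlv(0x31, der_tlv(0x0C, challenge_password.encode())))
    cri = der_tlv(0x30, der_tlv(0x02, b"\x00") + subject + spki + der_tlv(0xA0, attrs))
    sig_alg = der_tlv(0x30, encode_oid(sig_oid) + der_tlv(0x05, b""))
    der = der_tlv(0x30, cri + sig_alg + der_tlv(0x03, b"\x00" + bytes(32)))  # placeholder signature
    if not pem:
        return der
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE REQUEST-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE REQUEST-----\n")


def load_request(data):
    """Accept the file as PEM or DER, matching pki file-format { der | pem }."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]*-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def inspect_request(data, ca_requires_password):
    """Return the checks worth making before the request leaves the device."""
    _, csr, _ = der_read(load_request(data))
    (_, cri), (_, sig_alg), _ = der_children(csr)        # info, sigAlg, signature
    sig_name = OID_NAMES.get(decode_oid(der_children(sig_alg)[0][1]), "unknown")
    version, subject, spki, attrs = [v for _, v in der_children(cri)]
    key_oid = decode_oid(der_children(der_children(spki)[0][1])[0][1])
    has_pw = any(decode_oid(der_children(a)[0][1]) == OID_CHALLENGE_PASSWORD
                 for _, a in der_children(attrs))
    problems = []
    if sig_name not in ACCEPTED_SIG:
        problems.append(f"signature digest {sig_name}: md5 is broken, use sha-256 or stronger")
    if ca_requires_password and not has_pw:
        problems.append("CA expects a challenge password but the request carries none")
    if has_pw and not ca_requires_password:
        problems.append("request carries a challenge password the CA does not need; it is plaintext in the file")
    return {"signature_algorithm": sig_name, "key_algorithm": OID_NAMES.get(key_oid, key_oid),
            "has_challenge_password": has_pw, "problems": problems}


if __name__ == "__main__":
    print(inspect_request(build_sample_request("1.2.840.113549.1.1.11", "Secret123"), True))
```

Run it against the real file the device wrote (read the bytes and pass them to inspect_request) with ca_requires_password set to whatever the CA actually enforces; an empty problems list means the request matches steps 5, 8 and 9 as configured. The parser walks the DER structure only; it does not verify the signature, which the CA does on receipt.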
Copyright © Huawei Technologies Co., Ltd.