< Home

pki enroll-certificate

Function

The pki enroll-certificate command configures manual certificate enrollment.

Format

pki enroll-certificate realm realm-name [ pkcs10 [ filename filename ] ] [ password password ]

Parameters

Parameter Description Value
realm realm-name Specifies the name of a PKI realm. The PKI realm name must already exist.
pkcs10 Uses the PKCS#10 format to display the local certificate request information. It can be used to request certificates in offline mode. -
filename filename Saves the certificate request information in a specified file. The certificate request information is saved in the file in PKCS#10 format and is sent to the CA in outband mode. The value is a string of 1 to 64.
password password Indicates a challenge password, which is used to request certificates in online mode. When the CA server processes the certificate request using the challenge password, you must set a challenge password on the entity, and the challenge password must be the same as the password configured on the CA server.

The value is a string of case-sensitive characters without question marks (?) or spaces. It can be a plain-text string of 1 to 64 characters or a cipher-text string of 48 to 108 characters.

NOTE:

To improve certificate security, it is recommended that a password consist of at least two of the following: lowercase letters, uppercase letters, numerals and special characters. In addition, the password must contain at least six characters.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Manual certificate application is online or offline.

  • Online mode (in-band mode)

    In online requests, entities request certificates from CAs using the SCEP protocol. Then the entities store the obtained certificates on the flash of devices.

  • Offline mode (out-of-band mode)

    The device generates a certificate request file. The administrator sends the file to the CA server using methods such as disks and emails.

Prerequisites

A PKI realm has been created using the pki realm (system view) command.

Precautions

  • If pkcs10 is specified, an entity applies to a CA for a certificate in offline mode. The entity saves the certificate request information in a file in PKCS#10 format and sends the file to the CA in outband mode.
  • If pkcs10 is not specified, an entity applies to a CA for a certificate in online mode.

  • In online mode, a PKI entity obtains a CA certificate and imports it to memory, and then obtains a local certificate and imports it to memory.

  • After the enrollment self-signed command is used in the PKI realm, it is not allowed to use the pki enroll-certificate command to configure manual certificate enrollment.

Example

# Enroll a certificate for the PKI realm abc.

<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki enroll-certificate realm abc
Parent Topic: PKI Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >