Configuration guidelines
The following guidelines apply to certificate requests for an entity in a PKI domain:
Make sure the device is time synchronized with the CA server. Otherwise, the certificate request might fail because the certificate might be considered to be outside of the validity period. For information about how to configure the system time, see Fundamentals Configuration Guide.
To request a new certificate for a PKI entity that already has a local certificate, perform the following tasks:
Use the pki delete-certificate command to delete the existing local certificate.
Use the public-key local create command to generate a new key pair. The new key pair automatically overwrites the old key pair in the domain.
Submit a new certificate request.
After a new certificate is obtained, do not use the public-key local create or public-key local destroy command to generate or destroy a key pair with the same name as the key pair in the local certificate. Otherwise, the existing local certificate becomes unavailable.
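The re-request procedure above as a CLI session, added here as an example and not taken from the guide. The PKI domain name d1 and the RSA key pair name key1 are assumed, the domain is assumed to already reference key1 and to have its enrollment settings configured, and the command forms follow Comware 7 syntax, so check them against the command reference for your platform.

```text
# Added example: re-requesting the local certificate of PKI domain d1 (assumed name)
<Sysname> system-view
# Step 1: delete the existing local certificate in the domain
[Sysname] pki delete-certificate domain d1 local
# Step 2: generate a new key pair with the name the domain already references (key1, assumed);
#         it overwrites the old key1 in the domain
[Sysname] public-key local create rsa name key1
# Step 3: submit the new certificate request (enrollment settings of d1 assumed to be in place)
[Sysname] pki request-certificate domain d1
# Check that the new local certificate is present; after this point, do not run
# public-key local create or public-key local destroy for key1, or the certificate becomes unavailable
[Sysname] display pki certificate domain d1 local
```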
A PKI domain can have local certificates that use only one type of cryptographic algorithm (DSA, ECDSA, or RSA). If DSA or ECDSA is used, the PKI domain can have only one local certificate. If RSA is used, the PKI domain can have one local certificate for signature and one local certificate for encryption.