Configuring automatic certificate request
In auto request mode, a PKI entity with no local certificates automatically submits a certificate request to the CA when an application works with the PKI entity. For example, when IKE negotiation uses a digital signature for identity authentication, but no local certificate is available, the entity automatically submits a certificate request. It saves the certificate locally after obtaining the certificate from the CA.
A CA certificate must be present before you request a local certificate. If no CA certificate exists in the PKI domain, the PKI entity automatically obtains a CA certificate before sending a certificate request.
Configuration restrictions and guidelines
Follow these restrictions and guidelines when you configure automatic certificate request:
To avoid service interruptions caused by certificate expiration, specify the renew-before-expire days option to enable certificate auto-renewal in auto certificate request mode.
Certificate auto-renewal enables the system to automatically request a new certificate the specified number of days before the old certificate expires. The old certificate is replaced immediately when the new certificate is received.
Some CAs require a new PKI entity common name for certificate auto-renewal to work. For such CAs, specify the automatic-append common-name keyword to ensure successful certificate auto-renewal.
To configure automatic certificate request:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter PKI domain view. | pki domain domain-name | N/A |
3. Set the certificate request mode to auto. | certificate request mode auto [ password { cipher | simple } string | renew-before-expire days [ reuse-public-key ] [ automatic-append common-name ] ] * | By default, the manual request mode applies. In auto request mode, set a password for certificate revocation as required by the CA policy. |
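A worked configuration session, added here as an illustration and not taken from the product documentation: the domain name ipsec-domain, the 30-day renewal window and the password placeholder are constructed values. The first form shows the minimal auto-request setting, which leaves the certificate to expire with nothing scheduled to replace it; the second form enables auto-renewal with a new common name, as the guidelines above recommend. The closing display command is a Comware verification command assumed to be available on the platform in use.

```text
# Minimal form (constructed example): the certificate is requested automatically
# the first time an application such as IKE needs it, but it is never renewed,
# so the dependent service fails once the certificate expires.
<Sysname> system-view
[Sysname] pki domain ipsec-domain
[Sysname-pki-domain-ipsec-domain] certificate request mode auto
[Sysname-pki-domain-ipsec-domain] quit

# Recommended form: request a new certificate 30 days before the old one
# expires (constructed value), append a new common name for CAs that require
# it, and set the revocation password the CA policy expects.
# "PLACEHOLDER" stands in for the real password.
[Sysname] pki domain ipsec-domain
[Sysname-pki-domain-ipsec-domain] certificate request mode auto password simple PLACEHOLDER renew-before-expire 30 automatic-append common-name
[Sysname-pki-domain-ipsec-domain] quit

# Check: after the next application trigger (for example an IKE negotiation),
# confirm that the domain holds a CA certificate and a local certificate.
[Sysname] display pki certificate domain ipsec-domain ca
[Sysname] display pki certificate domain ipsec-domain local
```

The two forms are alternatives for the same domain; in practice only the second is entered. The display commands are the check that the entity actually obtained the CA certificate first and then its own certificate, since both steps happen automatically in auto request mode and a failure in either is otherwise only visible when the dependent application fails.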