Configuration guidelines
The following guidelines apply to certificate requests for an entity in a PKI domain:
Make sure the device is time synchronized with the CA server. If it is not, the certificate request might fail because the certificate might be considered to be outside of its validity period. For information about configuring the system time, see Fundamentals Configuration Guide.
To request a new certificate for a PKI entity that already has a local certificate, perform the following tasks:
1. Use the pki delete-certificate command to delete the existing local certificate.
2. Use the public-key local create command to generate a new key pair. The new key pair will automatically overwrite the old key pair in the domain.
3. Submit a new certificate request.
To prevent a certificate from becoming unavailable after it is obtained, follow these guidelines:
Do not use the public-key local create command to create a key pair with the same name as the name of the key pair contained in the certificate.
Do not use the public-key local destroy command to destroy the key pair contained in the certificate.
A PKI domain can have local certificates using only one type of cryptographic algorithm (DSA, ECDSA, or RSA). If DSA or ECDSA is used, a PKI domain can have only one local certificate. If RSA is used, a PKI domain can have one local certificate for signature and one local certificate for encryption.
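The following pre-flight checks are an added example, not Comware code: they encode the per-domain certificate rules above and the time-synchronization guideline, so an automation script can reject a plan before it reaches the device. The (algorithm, purpose) view of a domain's local certificates and the ISO 8601 timestamps are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Added pre-flight checks that encode the guidelines above. They are not
# Comware code; the (algorithm, purpose) view of a domain's local
# certificates and the ISO 8601 timestamps are assumptions for illustration.

ALLOWED_ALGORITHMS = {"DSA", "ECDSA", "RSA"}

@dataclass(frozen=True)
class LocalCert:
    algorithm: str   # "DSA", "ECDSA" or "RSA"
    purpose: str     # "signature" or "encryption" for RSA; "general" otherwise

def domain_certificate_errors(certs):
    """Return guideline violations for the local certificates of one PKI domain."""
    errors = []
    algs = {c.algorithm.upper() for c in certs}
    unknown = algs - ALLOWED_ALGORITHMS
    if unknown:
        errors.append(f"unsupported algorithm(s): {sorted(unknown)}")
    if len(algs) > 1:
        # All local certificates in a domain must use one algorithm type.
        errors.append(f"domain mixes algorithm types: {sorted(algs)}")
        return errors
    if not certs:
        return errors
    alg = next(iter(algs))
    if alg in ("DSA", "ECDSA") and len(certs) > 1:
        errors.append(f"{alg} domain may hold only one local certificate, found {len(certs)}")
    elif alg == "RSA":
        # RSA allows one signature certificate plus one encryption certificate.
        purposes = [c.purpose.lower() for c in certs]
        for p in sorted(set(purposes)):
            if p not in ("signature", "encryption"):
                errors.append(f"RSA certificate with unexpected purpose: {p}")
            elif purposes.count(p) > 1:
                errors.append(f"RSA domain may hold only one {p} certificate, found {purposes.count(p)}")
    return errors

def outside_validity(not_before, not_after, device_time):
    """True when the device clock (ISO 8601 strings in one time zone) lies outside
    the certificate validity window, the failure the time-sync guideline warns about."""
    start, end, now = (datetime.fromisoformat(t) for t in (not_before, not_after, device_time))
    return not (start <= now <= end)

if __name__ == "__main__":
    # Constructed sample: a valid RSA domain and an over-populated ECDSA domain.
    print(domain_certificate_errors([LocalCert("RSA", "signature"), LocalCert("RSA", "encryption")]))
    print(domain_certificate_errors([LocalCert("ECDSA", "general"), LocalCert("ECDSA", "general")]))
```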