Configuring automatic certificate request


IMPORTANT:

The device does not support automatic certificate rollover. To avoid service interruptions, you must manually submit a certificate renewal request before the current certificate expires.


In auto request mode, a PKI entity with no local certificates automatically submits a certificate request to the CA when an application works with the PKI entity. For example, when IKE negotiation uses a digital signature for identity authentication, but no local certificate is available, the entity automatically submits a certificate request. It saves the certificate locally after obtaining the certificate from the CA.

A CA certificate must be present before you request a local certificate. If no CA certificate exists in the PKI domain, the PKI entity automatically obtains a CA certificate before sending a certificate request.

To configure automatic certificate request:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter PKI domain view.
   Command: pki domain domain-name
   Remarks: N/A

3. Set the certificate request mode to auto.
   Command: certificate request mode auto [ password { cipher | simple } string ]
   Remarks: By default, the manual request mode applies. In auto request mode, set a password for certificate revocation as required by the CA policy.
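
Because the device does not roll certificates over automatically, the expiry date has to be tracked outside the device. The following is an added example, not part of the original documentation: it reports which certificates fall inside a renewal window. It assumes the certificate details are available as OpenSSL-style text containing "Subject:" and "Not After :" lines; the sample text, subject names and the 30-day window are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: OpenSSL-style text for a CA and a local certificate.
SAMPLE = """\
Certificate:
    Data:
        Validity
            Not Before: Jan  6 03:10:58 2024 GMT
            Not After : Jan  6 03:10:58 2034 GMT
        Subject: CN=example-ca
Certificate:
    Data:
        Validity
            Not Before: Mar  1 00:00:00 2025 GMT
            Not After : Mar  1 00:00:00 2026 GMT
        Subject: CN=router1.example.test
"""

_NOT_AFTER = re.compile(r"Not After\s*:\s*(.+?)\s+GMT")
_SUBJECT = re.compile(r"Subject:\s*(.+)")


def parse_expiries(text):
    """Return [(subject, not_after_utc)] for each certificate in the dump."""
    results = []
    for block in text.split("Certificate:")[1:]:
        end = _NOT_AFTER.search(block)
        if not end:
            continue  # no validity data: skip rather than guess a date
        subj = _SUBJECT.search(block)
        stamp = " ".join(end.group(1).split())  # collapse padded day ("Jan  6")
        when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        results.append((subj.group(1).strip() if subj else "<unknown>",
                        when.replace(tzinfo=timezone.utc)))
    return results


def renewal_due(text, now, window_days=30):
    """Return [(subject, days_left)] for certificates inside the renewal window."""
    due = []
    for subject, not_after in parse_expiries(text):
        days_left = (not_after - now).days  # negative once expired
        if days_left <= window_days:
            due.append((subject, days_left))
    return due
```

Run the check on a schedule with the current UTC time as `now`; any entry it returns is a certificate for which the manual renewal request should be submitted.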