undo certificate request mode
Default
The certificate request mode is manual.
Views
PKI domain view
Predefined user roles
network-admin
Parameters
auto: Specifies the auto certificate request mode.
password: Specifies a password for certificate revocation as required by the CA policy.
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 31 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.
renew-before-expire days: Configures the system to automatically request a new certificate the specified number of days before the current certificate expires. The value range for the days argument is 0 to 365. If the value is set to 0, the request for a new certificate is made when the old certificate expires, which might cause service interruptions.
reuse-public-key: Reuses the key pair in the old certificate for the new certificate. If you do not specify this keyword, the system generates a new key pair for the new certificate. The old key pair is replaced with the new one when the new certificate is received from the CA.
automatic-append common-name: Automatically appends random data to the common name of the PKI entity for the new certificate. If you do not specify this keyword, the common name of the PKI entity will be unchanged in the new certificate.
manual: Specifies the manual certificate request mode.
Usage guidelines
A certificate request can be submitted to a CA in offline or online mode. In online mode, a certificate
request can be automatically or manually submitted:
• Auto request mode: A PKI entity automatically obtains the CA certificate and submits a certificate request to the CA when both of the following conditions exist:
  - An associated application (IKE, for example) performs identity authentication.
  - No certificate is available for the application on the device.
• Manual request mode: You must manually obtain the CA certificate and submit certificate requests.
To avoid service interruptions caused by certificate expiration, specify the renew-before-expire days option to enable certificate auto-renewal in auto certificate request mode. Certificate auto-renewal allows the system to automatically request a new certificate the specified number of days before the old certificate expires. The old certificate is replaced immediately when the new certificate is received.
Some CAs require a new PKI entity common name for certificate auto-renewal to work. Specify the automatic-append common-name keyword to ensure successful certificate auto-renewal.
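The following configuration audit is an added example, not part of the HPE manual or of any HPE tool. It checks request-mode lines against the limits and caveats stated above (0 to 365 days, the 0-day caveat, key pair reuse, plaintext password entry). The sample lines are constructed, and the keyword order and the "pki domain" header line are assumptions.

```python
import re

# Constructed sample configuration text (not taken from the manual).
# Assumptions: keyword order follows the Parameters list, and each PKI
# domain section starts with a "pki domain <name>" line.
SAMPLE_CONFIG = """\
pki domain branch-a
 certificate request mode auto renew-before-expire 0
pki domain branch-b
 certificate request mode auto password simple Rev0ke! renew-before-expire 30 reuse-public-key
pki domain branch-c
 certificate request mode auto
"""

MODE_RE = re.compile(r"^\s*certificate request mode (auto|manual)\b(.*)$")

def audit_line(line):
    """Return the findings for one 'certificate request mode' line."""
    m = MODE_RE.match(line)
    if not m:
        return []
    mode, rest = m.group(1), m.group(2).split()
    if mode == "manual":
        return ["manual mode: certificate requests must be submitted by hand"]
    findings = []
    if "renew-before-expire" not in rest:
        findings.append("auto mode without renew-before-expire: no auto-renewal")
    else:
        i = rest.index("renew-before-expire")
        days = "".join(rest[i + 1:i + 2])  # empty string if the value is missing
        if not days.isdigit() or int(days) > 365:
            findings.append("renew-before-expire value outside 0 to 365")
        elif int(days) == 0:
            findings.append("renew-before-expire 0: renewal starts at expiry, "
                            "service interruption possible")
    if "reuse-public-key" in rest:
        findings.append("reuse-public-key: key pair is not replaced at renewal")
    if "password" in rest and rest[rest.index("password") + 1:][:1] == ["simple"]:
        findings.append("password simple: plaintext password appears in this text")
    return findings

def audit_config(text):
    """Map each PKI domain name to the findings for its request-mode line."""
    results, domain = {}, None
    for line in text.splitlines():
        if line.startswith("pki domain "):
            domain = line.split()[2]
        elif domain and MODE_RE.match(line):
            results[domain] = audit_line(line)
    return results
```
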
Examples
# Set the certificate request mode to auto.
<Sysname> system-view