Two methods are available to apply for the local certificate for a PKI entity through the Simple Certificate Enrollment Protocol (SCEP):
Automatic local certificate application and update
If the configuration required for local certificate application has been performed and the device has no local certificate, the device automatically applies for the local certificate through SCEP. Alternatively, if the local certificate will expire soon, has expired, or reaches the specified percentage of validity period, the device automatically applies for and updates the local certificate through SCEP.
Manual local certificate application
If the configuration required for local certificate application has been performed and the device has no local certificate, you must manually trigger the device to apply for the local certificate through SCEP. If the local certificate will expire soon, has expired, or reaches the specified percentage of its validity period, the device does not automatically apply for and update the local certificate through SCEP.
With either method, the system automatically downloads the local certificate and saves it to the device storage. With manual local certificate application, however, you also have to install the local certificate (that is, import it into the device memory) to make it take effect.
The system view is displayed.
The file format in which the device stores the certificate is configured.
By default, the device stores the certificate in PEM format.
A PKI realm is created and the PKI realm view is displayed; or the PKI realm view is displayed directly.
By default, there is a PKI realm named default in the root system, and this realm can be modified but cannot be deleted; no PKI realm is created in a virtual system.
A PKI realm is valid only on the local device and unavailable to certificate authorities (CAs) or other devices. Each PKI realm has its own parameters.
A trusted CA is configured for the PKI realm.
By default, no trusted CA is configured for a PKI realm.
ca-name specifies the name of a CA server.
A PKI entity that applies for a local certificate is specified.
By default, no PKI entity that applies for a local certificate is specified.
The PKI entity specified by entity-name must have been created using the pki entity command.
The RSA key pair used in SCEP-based certificate application is configured.
By default, the RSA key pair used in SCEP-based certificate application is not configured.
The RSA key pair specified by key-name must have been created using the pki rsa local-key-pair create command.
The certificate public key usage attribute is configured.
By default, no certificate public key usage attribute is configured.
The source address used in TCP connection setup is specified.
By default, the device uses an outbound interface's IP address as the source IP address used in TCP connection setup.
If the source interface used in TCP connection setup has been specified, the source interface must be a Layer 3 interface with an IP address configured.
A CA server URL is configured.
By default, the CA server URL is not configured.
Pay attention to the following points:
If the esc parameter is not specified in the command, the URL format is http://server_location/ca_script_location.
server_location is an IP address or a domain name. ca_script_location is the path of the application script on the CA server host. For example, when a Windows server functions as the CA server, the URL format is http://host:port/certsrv/mscep/mscep.dll, where host is the CA server's IP address and port is the CA server's port number. If the CA server's IP address is 10.137.145.158 and its port number is 8080, the URL is http://10.137.145.158:8080/certsrv/mscep/mscep.dll.
If the esc parameter is specified, a URL that contains a question mark (?) can be entered in ASCII format.
A question mark (?) cannot be entered directly in a command line on the device. Specifying the esc parameter allows a URL that contains a question mark (?) to be entered in ASCII format: each question mark is written as \x3f, where 3f is the hexadecimal ASCII value of the question mark (?). For example, to enter http://***.com?page1, type http://***.com\x3fpage1. If the URL contains both a question mark (?) and a literal \x3f (http://www.***.com?page1\x3f), type http://www.***.com\x3fpage1\\x3f.
If certificate requests are processed manually on the CA server, issuing a certificate may take a long time. The PKI entity applying for the certificate therefore periodically sends queries so that it obtains the issued certificate promptly. To adjust the certificate enrollment query interval and the maximum number of queries, configure the interval and times parameters.
If the ra parameter is specified, an RA authenticates a PKI entity's identity information during local certificate application. By default, a CA authenticates a PKI entity's identity information during local certificate application.
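The esc escaping rule above is easy to get wrong by hand when a URL already contains a literal \x3f. The following helper is an added example, not code from the original page or from the device vendor; it produces the escaped argument, decodes it again to confirm the round trip, and reports whether esc is needed at all (plain URLs such as the mscep.dll one are used as-is). The function names are invented for this example.

```python
# Added example (not from the original page): helpers that produce the CA server
# URL argument in the escaped form the device expects when the URL contains a
# question mark (?), and that decode it again to check the round trip.
# Encoding rule from the text: every "?" becomes "\x3f" (3f = ASCII hex for "?"),
# and a literal "\x3f" already present in the URL becomes "\\x3f".

def encode_esc_url(url: str) -> str:
    """Return the URL as it must be typed together with the esc parameter."""
    # Escape pre-existing literal "\x3f" sequences first, so they are not
    # confused with the "\x3f" produced for real question marks afterwards.
    escaped = url.replace("\\x3f", "\\\\x3f")
    return escaped.replace("?", "\\x3f")


def decode_esc_url(encoded: str) -> str:
    """Inverse of encode_esc_url: what the device reconstructs from the argument."""
    out = []
    i = 0
    while i < len(encoded):
        if encoded.startswith("\\\\x3f", i):   # doubled backslash: literal "\x3f"
            out.append("\\x3f")
            i += 5
        elif encoded.startswith("\\x3f", i):   # single backslash: a question mark
            out.append("?")
            i += 4
        else:
            out.append(encoded[i])
            i += 1
    return "".join(out)


def enrollment_url_argument(url: str) -> tuple[str, bool]:
    """Return (argument text, esc_needed) for the CA server URL command.

    esc is only needed when the URL contains "?" or a literal "\\x3f"; a plain
    URL such as http://10.137.145.158:8080/certsrv/mscep/mscep.dll is used as-is.
    """
    needs_esc = "?" in url or "\\x3f" in url
    return (encode_esc_url(url) if needs_esc else url), needs_esc


if __name__ == "__main__":
    # The two URLs from the text, run through the helper (constructed input).
    for u in ("http://***.com?page1", "http://www.***.com?page1\\x3f"):
        arg, esc = enrollment_url_argument(u)
        print(u, "->", arg, "(esc)" if esc else "")
```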
The digest algorithm used to sign certificate enrollment requests is configured.
By default, the digest algorithm used to sign certificate enrollment requests is sha-256.
SHA-2 algorithms are more secure than md5 and sha1 and are therefore recommended.
The digest algorithm used on a PKI entity must be the same as that used on the CA server.
The challenge password used in SCEP certificate application is configured. The challenge password is also called certificate revocation password.
By default, the challenge password used in SCEP certificate application is not configured.
The challenge password used on a PKI entity must be the same as that configured on the CA server. If the CA server does not require a challenge password, this challenge password does not need to be configured.
Configure automatic application and update of local certificate.
Run auto-enroll [ percent ] [ regenerate [ key-bit ] ]
The automatic certificate application and update function is enabled.
By default, the automatic certificate application and update function is disabled.
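To make the auto-enroll trigger conditions concrete (expired, percentage of validity period reached, or expiring soon), here is an added example that is not part of the original page or the vendor's software. The validity window is a constructed value, and the seven-day "expiring soon" margin is an assumption, since the text does not define "soon"; the function names are invented for this example.

```python
# Added example (not from the original page): a check that mirrors the conditions
# under which auto-enroll renews a local certificate. The "soon" margin is an
# assumption of this example; the text does not define it.
from datetime import datetime, timedelta, timezone


def renewal_time(not_before: datetime, not_after: datetime, percent: int) -> datetime:
    """Instant at which `percent` of the certificate's validity period has elapsed."""
    if not 0 < percent <= 100:
        raise ValueError("percent must be in 1..100")
    validity = not_after - not_before
    return not_before + validity * (percent / 100)


def enrollment_action(not_before: datetime, not_after: datetime, percent: int,
                      now: datetime, soon: timedelta = timedelta(days=7)) -> str:
    """Classify what an auto-enroll device would do at `now`.

    Order matters: an expired certificate is re-applied for regardless of the
    percentage, and the percentage threshold normally fires before the
    expiring-soon margin does.
    """
    if now >= not_after:
        return "expired"
    if now >= renewal_time(not_before, not_after, percent):
        return "percent-reached"
    if not_after - now <= soon:
        return "expiring-soon"
    return "valid"


if __name__ == "__main__":
    # Constructed one-year certificate and an 80 % auto-enroll threshold.
    nb = datetime(2024, 1, 1, tzinfo=timezone.utc)
    na = datetime(2025, 1, 1, tzinfo=timezone.utc)
    print("renew at:", renewal_time(nb, na, 80).date())
    for when in ("2024-06-01", "2024-11-01", "2025-03-01"):
        now = datetime.fromisoformat(when).replace(tzinfo=timezone.utc)
        print(when, enrollment_action(nb, na, 80, now))
```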
Configure manual local certificate application.
Run quit
Return to the system view.
Run pki enroll-certificate realm realm-name [ password password ]
Manual certificate application is configured.
If the password command is configured, the password parameter does not need to be specified. If both the password command and password parameter are configured, the password parameter setting takes effect.
After the device obtains the local certificate, complete Installing the Local Certificate.