Configuring a Self-Signed Certificate or Local Certificate

Context

If a device fails to request a local certificate from the CA, it can generate a self-signed certificate or local certificate. The generated certificate is saved in the storage device as a file and issued to a PKI entity. You can export the certificate and transfer it to another device.

  • A self-signed certificate is issued by a device to itself. Therefore, the issuer and subject of a self-signed certificate are identical.
  • A local certificate is issued by a device to itself according to the certificate issued by the CA. Therefore, the issuer of a local certificate is the CA.

A device does not support lifecycle management (such as certificate update and revocation) for its self-signed certificate. To ensure the security of the device and the certificate, you are advised to replace the self-signed certificate with the local certificate.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki create-certificate [ self-signed ] filename file-name

    A self-signed certificate or local certificate is created.

    During the configuration, you will be prompted to enter the certificate information, such as the PKI entity attributes, the certificate file name, the certificate validity period, and the length of the RSA key pair.

    Specify the self-signed parameter to create a self-signed certificate. If this parameter is not specified, a local certificate is created.

    The file format of the created self-signed certificate or local certificate is PEM.
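
After the PEM file is exported from the device, the issuer/subject distinction described under Context can be checked on a management host, for example to find devices that still use a self-signed certificate. The script below is an added example, not part of the vendor documentation; it assumes the openssl command-line tool is installed, and the sample certificates and file names are constructed.

```shell
#!/bin/sh
# Added example (not vendor code): classify exported PEM certificates by
# comparing issuer and subject, following the definitions under Context.

# Print the issuer or subject ($2) of PEM certificate $1 in RFC 2253 form.
cert_name() {
    _out=$(openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" 2>/dev/null) || return 2
    printf '%s\n' "${_out#*=}"
}

# Print "self-signed" if issuer and subject are identical, else "ca-issued".
# Returns 2 when $1 is not a readable PEM certificate.
# Note: only the names are compared; the signature is not verified.
cert_kind() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || return 2
    _iss=$(cert_name "$1" issuer) || return 2
    _sub=$(cert_name "$1" subject) || return 2
    if [ "$_iss" = "$_sub" ]; then echo "self-signed"; else echo "ca-issued"; fi
}

# Constructed sample data (hypothetical names, generated locally with OpenSSL,
# not device output): self.pem is self-signed, local.pem is issued by ca.pem.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-device" \
        -keyout "$1/self.key" -out "$1/self.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sample-device" \
        -keyout "$1/local.key" -out "$1/local.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/local.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/local.pem" 2>/dev/null
}

# Classify every file given on the command line.
for _f in "$@"; do
    printf '%s: %s\n' "$_f" "$(cert_kind "$_f" || echo 'not a PEM certificate')"
done
```

Files reported as self-signed are the ones the recommendation above says to replace with a local certificate.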

Copyright © Huawei Technologies Co., Ltd.