pki enroll-certificate realm realm-name [ pkcs10 [ filename filename ] ] [ password password ]
| Parameter | Description | Value |
|---|---|---|
| realm realm-name | Specifies the name of a PKI realm. | The PKI realm name must already exist. |
| pkcs10 | Uses the PKCS#10 format to display the local certificate request information. It can be used to request certificates in offline mode. | - |
| filename filename | Saves the certificate request information in a specified file. The certificate request information is saved in the file in PKCS#10 format and is sent to the CA in out-of-band mode. | The value is a string of 1 to 64 characters. |
| password password | Indicates a challenge password, which is used to request certificates in online mode. When the CA server processes the certificate request using the challenge password, you must set a challenge password on the entity, and the challenge password must be the same as the password configured on the CA server. | The value is a string of case-sensitive characters without question marks (?) or spaces. It can be a plain-text string of 1 to 64 characters or a cipher-text string of 48 to 108 characters. NOTE: To improve certificate security, it is recommended that a password consist of at least two of the following: lowercase letters, uppercase letters, numerals and special characters. In addition, the password must contain at least six characters. |
Usage Scenario
A certificate can be applied for manually in online mode or offline mode.
Online mode (in-band mode)
In online mode, entities request certificates from CAs using SCEP. The entities then store the obtained certificates on the CF card or Hda1 of the device.
Offline mode (out-of-band mode)
The device generates a certificate request file. The administrator sends the file to the CA server by means such as a disk or email.
Prerequisites
A PKI realm has been created using the pki realm (system view) command.
Precautions
In dual-node hot standby scenarios, certificates cannot be requested for the backup node.
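The parameter rules in the table above can be checked before a command is pushed to a device. The following Python sketch is an added example, not vendor code: the function names `password_findings` and `build_enroll_command` are hypothetical, the sample realm, file name and passwords in any call are constructed, and only the plain-text password form is handled (the cipher-text form is not validated).

```python
import string

def password_findings(password):
    """Return (errors, warnings) for a plain-text challenge password."""
    errors, warnings = [], []
    # Hard limits from the parameter table.
    if not 1 <= len(password) <= 64:
        errors.append("plain-text password must be 1 to 64 characters")
    if "?" in password or " " in password:
        errors.append("password must not contain question marks or spaces")
    # Recommendation from the NOTE: two or more character classes, six or more characters.
    classes = [
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 2:
        warnings.append("use at least two character classes")
    if len(password) < 6:
        warnings.append("use at least six characters")
    return errors, warnings

def build_enroll_command(realm, pkcs10=False, filename=None, password=None):
    """Assemble the command line; raise ValueError on a hard violation."""
    if not realm:
        raise ValueError("realm name is required")
    parts = ["pki", "enroll-certificate", "realm", realm]
    warnings = []
    if filename is not None:
        # The syntax nests filename inside the optional pkcs10 branch.
        if not pkcs10:
            raise ValueError("filename is only valid after pkcs10")
        if not 1 <= len(filename) <= 64:
            raise ValueError("filename must be 1 to 64 characters")
    if pkcs10:
        parts.append("pkcs10")
        if filename is not None:
            parts += ["filename", filename]
    if password is not None:
        errors, warnings = password_findings(password)
        if errors:
            raise ValueError("; ".join(errors))
        parts += ["password", password]
    return " ".join(parts), warnings
```

The returned string carries the challenge password in plain text, so keep it out of logs and change records.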