| To do… | Use the command… | Remarks |
|---|---|---|
| Specify the entity for certificate request | `certificate request entity entity-name` | Required. No entity is specified by default. The specified entity must exist. |
| Specify the authority for certificate request | `certificate request from { ca \| ra }` | Required. No authority is specified by default. |
| Configure the URL of the server for certificate request | `certificate request url url-string` | Required. No URL is configured by default. |
| Configure the polling interval and attempt limit for querying the certificate request status | `certificate request polling { count count \| interval minutes }` | Optional. By default, the status is polled up to 5 times at an interval of 20 minutes. |
| Specify the LDAP server | `ldap-server ip ip-address [ port port-number ] [ version version-number ]` | Optional. No LDAP server is specified by default. |
| Configure the fingerprint for root certificate verification | `root-certificate fingerprint { md5 \| sha1 } string` | Required when the certificate request mode is auto and optional when the certificate request mode is manual. In the latter case, if you do not configure this command, the fingerprint of the root certificate must be verified manually. No fingerprint is configured by default. |

- Currently, up to two PKI domains can be created on a device.
- The CA name is required only when you retrieve a CA certificate. It is not used in a local certificate request.
- Currently, the URL of the server for certificate request does not support domain name resolution.

Submitting a PKI Certificate Request

When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in two ways: online and offline. In offline mode, a certificate request is submitted to a CA by an “out-of-band” means such as phone, disk, or e-mail.

Online certificate request falls into two categories: manual mode and auto mode.

Submitting a Certificate Request in Auto Mode

In auto mode, an entity automatically requests a certificate through the SCEP protocol when it has no local certificate or the present certificate is about to expire.
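An added example, not from the original manual: computing the MD5 or SHA-1 fingerprint of a CA root certificate so that it can be compared with a value obtained out of band before it is entered with `root-certificate fingerprint`. It assumes the conventional definition of a fingerprint (the digest of the certificate's DER encoding); the function names and the stand-in sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl

# Hex lengths for the two digests accepted by
# `root-certificate fingerprint { md5 | sha1 } string`.
HEX_LENGTH = {"md5": 32, "sha1": 40}


def normalize(fingerprint: str, algorithm: str) -> str:
    """Strip common separators, then validate length and hex alphabet."""
    hexstr = fingerprint.lower()
    for sep in (":", " ", "-"):
        hexstr = hexstr.replace(sep, "")
    if len(hexstr) != HEX_LENGTH[algorithm]:
        raise ValueError(f"{algorithm} fingerprint needs {HEX_LENGTH[algorithm]} hex digits")
    if set(hexstr) - set("0123456789abcdef"):
        raise ValueError("fingerprint contains non-hex characters")
    return hexstr


def cert_fingerprint(pem: str, algorithm: str) -> str:
    """Return the digest of the certificate's DER bytes as lowercase hex."""
    if algorithm not in HEX_LENGTH:
        raise ValueError("algorithm must be md5 or sha1")
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.new(algorithm, der).hexdigest()


def matches(pem: str, algorithm: str, out_of_band: str) -> bool:
    """Compare the computed fingerprint with the value the CA published."""
    expected = normalize(out_of_band, algorithm)
    return hmac.compare_digest(cert_fingerprint(pem, algorithm), expected)


# Constructed stand-in bytes, not a real certificate: the digest is taken over
# whatever DER bytes the PEM armor wraps, which is enough to exercise the check.
SAMPLE_DER = bytes(range(64)) * 4
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    fp = cert_fingerprint(SAMPLE_PEM, "sha1")
    print("root-certificate fingerprint sha1", fp)
```

Where the CA publishes both digests, SHA-1 is the stronger of the two options the command accepts.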