- If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command.
- A newly created key pair will overwrite the existing one. If you perform the public-key local create command in the presence of a local RSA key pair, the system will ask you whether you want to overwrite the existing one.
- If a PKI domain already has a local certificate, you cannot request another certificate for it. This is to avoid inconsistency between the certificate and the registration information resulting from configuration changes. To request a new certificate, use the pki delete-certificate command to delete the existing local certificate and the CA certificate stored locally.
- When it is impossible to request a certificate from the CA through SCEP, you can save the request information by using the pki request-certificate domain command with the pkcs10 and filename keywords, and then send the file to the CA by an out-of-band means.
- Make sure the clocks of the entity and the CA are synchronized. Otherwise, the validity period of the certificate will be abnormal.
- The pki request-certificate domain configuration will not be saved in the configuration file.

Retrieving a Certificate Manually

You can download an existing CA certificate, local certificate, or peer entity certificate from the CA server and save it locally. To do so, you can use two ways: online and offline. In offline mode, you need to retrieve a certificate by an out-of-band means like FTP, disk, or e-mail and then import it into the local PKI system.

Certificate retrieval serves two purposes:
- Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
- Prepare for certificate verification.

Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.

Follow these steps to retrieve a certificate manually:

To do…                            Use the command…                                                                                   Remarks
Enter system view                 system-view                                                                                        —
Retrieve a certificate manually
  Online                          pki retrieval-certificate { ca | local } domain domain-name                                        Required. Use either command.
  Offline                         pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]
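The following CLI session ties the notes above and the offline retrieval procedure together in the order a practitioner would run them: confirm the clock, clear the stale certificates so the new key pair and request stay consistent, write the PKCS#10 request to a file for out-of-band submission, then import the returned certificates. It is an added example, not a session from this guide; the device name Sysname, the domain name branch-pki, and the file names branch-req.p10, ca.pem and branch-cert.pem are made-up values, the display commands are not shown on this page, and importing the CA certificate before the local certificate is an ordering chosen here so the local certificate can be verified against its issuer.

```text
# Clock check: the certificate validity period is computed against this time.
<Sysname> display clock

<Sysname> system-view
# Remove the existing local and CA certificates; a new key pair would otherwise
# be inconsistent with the certificate already bound to the domain.
[Sysname] pki delete-certificate local domain branch-pki
[Sysname] pki delete-certificate ca domain branch-pki

# Generate the new RSA key pair. If a pair already exists the system asks
# whether to overwrite it.
[Sysname] public-key local create rsa

# SCEP is not reachable, so save the request as a PKCS#10 file instead.
[Sysname] pki request-certificate domain branch-pki pkcs10 filename branch-req.p10

# Out of band (FTP, disk, e-mail): send branch-req.p10 to the CA and bring back
# the CA certificate (ca.pem) and the issued local certificate (branch-cert.pem).

# Import the CA certificate first, then the local certificate, both in PEM format.
[Sysname] pki import-certificate ca domain branch-pki pem filename ca.pem
[Sysname] pki import-certificate local domain branch-pki pem filename branch-cert.pem

# Confirm what was installed and check the validity period against the clock above.
[Sysname] display pki certificate local domain branch-pki
```

Because the pki request-certificate domain line is not saved to the configuration file, keep a record of the request parameters outside the device if you expect to repeat the procedure after a reload.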