| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter PKI domain view | pki domain domain-name | — |
| Set the certificate request mode to manual | certificate request mode manual | Optional. Manual by default. |
| Return to system view | quit | — |
| Retrieve a CA certificate manually | Refer to Retrieving a Certificate Manually | Required |
| Generate a local RSA key pair | public-key local create rsa | Required. No local RSA key pair exists by default. |
| Submit a local certificate request manually | pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ] | Required |

• If a PKI domain already has a local certificate, creating a new RSA key pair makes the key pair inconsistent with that certificate. To generate a new RSA key pair, delete the local certificate first and then issue the public-key local create command. For information about the public-key local create command, refer to Public Key Commands in the Security Volume.
• A newly created key pair overwrites the existing one. If you issue the public-key local create command while a local RSA key pair already exists, the system asks you whether to overwrite the existing pair.
• If a PKI domain already has a local certificate, you cannot request another certificate for it. This prevents an inconsistency between the certificate and the registration information that configuration changes could otherwise introduce. To request a new certificate, use the pki delete-certificate command to delete the existing local certificate and the CA certificate stored locally.
• When a certificate cannot be requested from the CA through SCEP, save the request by issuing the pki request-certificate domain command with the pkcs10 and filename keywords, and then send the resulting file to the CA by an out-of-band means.
• Make sure the clocks of the entity and the CA are synchronized. Otherwise, the validity period of the issued certificate will not match the entity's clock, and the certificate may appear not yet valid or already expired.
• The pki request-certificate domain command is not saved in the configuration file.

Retrieving a Certificate Manually

You can download an existing CA certificate, local certificate, or peer entity certificate from the CA server and save it locally. This can be done in one of two ways: online or offline. In offline mode, you retrieve the certificate by an out-of-band means such as FTP, disk, or e-mail, and then import it into the local PKI system.

Certificate retrieval serves two purposes:
• Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count,
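The following session walks through the manual request procedure in the table above, including the two caveats the notes raise: clearing an existing certificate before regenerating the key pair, and falling back to a PKCS#10 file when SCEP is unreachable. It is an added example, not a transcript from the manual. The domain name corp-pki, the device name Device and the file name router.p10 are placeholders. The commands display clock, pki retrieval-certificate, pki delete-certificate and display pki certificate come from other sections of this manual rather than from the table above; their exact parameter forms here are assumed from those sections.

```console
# Added example: manual certificate request for PKI domain "corp-pki" (placeholder name).
<Device> system-view
[Device] pki domain corp-pki
[Device-pki-domain-corp-pki] certificate request mode manual
[Device-pki-domain-corp-pki] quit

# Check the clock before requesting anything. A skewed clock gives the issued
# certificate a validity period that does not match the device's idea of "now".
[Device] display clock

# Only if the domain already holds certificates: remove them first, so that the
# new key pair and the new request cannot disagree with a stale certificate.
# (Syntax assumed from the pki delete-certificate command reference.)
[Device] pki delete-certificate local domain corp-pki
[Device] pki delete-certificate ca domain corp-pki

# Step 1: retrieve the CA certificate (command from "Retrieving a Certificate Manually").
[Device] pki retrieval-certificate ca domain corp-pki

# Step 2: generate the RSA key pair. If a pair already exists the device asks
# whether to overwrite it; answering yes replaces the old pair.
[Device] public-key local create rsa

# Step 3a: online request through SCEP.
[Device] pki request-certificate domain corp-pki

# Step 3b: instead of 3a, when SCEP is unavailable. Write the PKCS#10 request to
# a file and carry it to the CA out of band (FTP, disk, e-mail). The domain must
# not already hold a local certificate, or the request is refused.
[Device] pki request-certificate domain corp-pki pkcs10 filename router.p10

# Step 4: verify the local certificate. Note that saving persists the domain
# configuration but not the pki request-certificate command itself.
[Device] display pki certificate local domain corp-pki
[Device] save
```

Run 3a or 3b, not both: a successful SCEP enrollment leaves a local certificate in the domain, after which a second request is rejected until pki delete-certificate clears it.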