Task: Requesting a Local Certificate
Remarks: Required
When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate.
A certificate request can be submitted to a CA in two ways: online and offline.
- In online mode, if the request is granted, the local certificate will be retrieved to the local system automatically.
- In offline mode, you need to retrieve the local certificate by out-of-band means.
If there is already a local certificate, you cannot perform the local certificate retrieval operation. This is to avoid a possible mismatch between the local certificate and the registration information resulting from relevant changes. To retrieve a new local certificate, you need to remove the CA certificate and the local certificate first.

Task: Destroying the RSA Key Pair
Remarks: Optional
Destroy the existing RSA key pair and the corresponding local certificate.
If the certificate to be retrieved contains an RSA key pair, you need to destroy the existing key pair. Otherwise, the retrieval operation will fail.

Task: Retrieving a Certificate
Remarks: Optional
Retrieve an existing certificate.

Task: Retrieving and Displaying a CRL
Remarks: Optional
Retrieve a CRL and display its contents.

Requesting a Certificate Automatically

Perform the tasks in Table 1-2 to configure the PKI system to request a certificate automatically.

Table 1-2 Configuration task list for requesting a certificate automatically

Task: Creating a PKI Entity
Remarks: Required
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity.
The identity settings of an entity must comply with the CA certificate issue policy. Otherwise, the certificate request may be rejected.

Task: Creating a PKI Domain
Remarks: Required
Create a PKI domain, setting the certificate request mode to Auto.
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain.
A PKI domain is intended only for convenience of reference by other applications like SSL, and has only local significance.

Task: Destroying the RSA Key Pair
Remarks: Optional
Destroy the existing RSA key pair and the corresponding local certificate.
If the certificate to be retrieved contains an RSA key pair, you need to destroy the existing key pair. Otherwise, the retrieval operation will fail.
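The mismatch between a local certificate, the key pair and the registration information that the tables above warn about can be checked before a certificate retrieved out of band is installed. The following is an added example, not part of the original manual: it uses OpenSSL rather than the device's own commands, and the file names, subject names and throwaway CA are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed data): offline enrollment checked with OpenSSL.
set -eu

# SHA-256 of the DER public key held in a private key, CSR or certificate.
pubkey_fp() {  # $1 = key|req|x509, $2 = PEM file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    req)  openssl req  -in "$2" -noout -pubkey ;;
    x509) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Subject DN of a CSR or certificate in one canonical form.
subject_of() {  # $1 = req|x509, $2 = PEM file
  openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Decide whether a retrieved certificate fits the local key and the request sent.
check_local_cert() {  # $1 = private key, $2 = CSR that was sent, $3 = certificate
  [ "$(pubkey_fp key "$1")" = "$(pubkey_fp x509 "$3")" ] || { echo key-mismatch; return 0; }
  [ "$(subject_of req "$2")" = "$(subject_of x509 "$3")" ] || { echo identity-mismatch; return 0; }
  echo ok
}

# Build the whole exchange in a scratch directory; every name here is constructed.
demo() {  # $1 = scratch directory
  d=$1
  openssl genrsa -out "$d/dev.key" 2048 2>/dev/null
  # The request carries the identity information and the public key,
  # signed with the entity's private key.
  openssl req -new -key "$d/dev.key" -subj "/O=Example/CN=device1.example.test" -out "$d/dev.csr"
  # Throwaway CA standing in for the real one.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
    -subj "/CN=Constructed Test CA" -days 1 -out "$d/ca.crt" 2>/dev/null
  openssl x509 -req -in "$d/dev.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/dev.crt" 2>/dev/null
  # A key pair regenerated after the request no longer matches the certificate.
  openssl genrsa -out "$d/new.key" 2048 2>/dev/null
}

tmp=$(mktemp -d)
demo "$tmp"
echo "original key:    $(check_local_cert "$tmp/dev.key" "$tmp/dev.csr" "$tmp/dev.crt")"
echo "regenerated key: $(check_local_cert "$tmp/new.key" "$tmp/dev.csr" "$tmp/dev.crt")"
```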