- If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. For information about the public-key local create command, refer to Public Key Commands.
- A newly created key pair will overwrite the existing one. If you perform the public-key local create command in the presence of a local RSA key pair, the system will ask you whether you want to overwrite the existing one.
- If a PKI domain already has a local certificate, you cannot request another certificate for it. This is to avoid inconsistency between the certificate and the registration information resulting from configuration changes. Before requesting a new certificate, use the pki delete-certificate command to delete the existing local certificate and the CA certificate stored locally.
- When it is impossible to request a certificate from the CA through SCEP, you can print the request information or save it to a local file, and then send the printed information or saved file to the CA by an out-of-band means. To print the request information, use the pki request-certificate domain command with the pkcs10 keyword. To save the request information to a local file, use the pki request-certificate domain command with the pkcs10 filename filename keyword and argument combination.
- Make sure the clocks of the entity and the CA are synchronous. Otherwise, the validity period of the certificate will be abnormal.
- The pki request-certificate domain configuration will not be saved in the configuration file.

Retrieving a Certificate Manually

You can download an existing CA certificate, or local certificate, from the CA server and save it locally. This can be done in two ways: online and offline.

In offline mode, you need to retrieve the certificate by an out-of-band means such as FTP, disk or e-mail, and then import it into the local PKI system.

Certificate retrieval serves two purposes:

- Locally store the certificates associated with the local security domain for improved query efficiency and a reduced query count.
- Prepare for certificate verification.

Before retrieving a local certificate in online mode, be sure to complete the LDAP server configuration.

Follow these steps to retrieve a certificate manually:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Retrieve a certificate manually, online | pki retrieval-certificate { ca \| local } domain domain-name | Required. Use either command. |
| Retrieve a certificate manually, offline | pki import-certificate { ca \| local } domain domain-name { der \| p12 \| pem } [ filename filename ] | Required. Use either command. |
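The offline path described above, from clearing the old certificates through the PKCS#10 request file to the final import, as an added walkthrough that is not taken from the manual. The domain name pki-dom and the file names are constructed; the `rsa` keyword on `public-key local create` and the `{ ca | local }` selector on `pki delete-certificate` are assumed from the Comware command syntax rather than given on this page. Lines starting with `#` are annotations, not device output.

```console
# Step 1: clear the existing local and CA certificates, otherwise a new key pair
# would be inconsistent with the stored local certificate (selector assumed)
<Sysname> system-view
[Sysname] pki delete-certificate local domain pki-dom
[Sysname] pki delete-certificate ca domain pki-dom

# Step 2: generate the new RSA key pair; the device prompts before overwriting an
# existing pair ("rsa" keyword assumed)
[Sysname] public-key local create rsa

# Check the device clock against the CA before requesting: a skewed clock makes
# the certificate's validity period abnormal (not-yet-valid or already expired).

# Step 3: SCEP is unavailable, so write the request as a PKCS#10 file instead of
# printing it to the terminal (file name constructed)
[Sysname] pki request-certificate domain pki-dom pkcs10 filename pki-dom.req

# Out of band: move pki-dom.req to the CA by FTP, disk or e-mail. The CA returns
# its own certificate (ca.pem) and the signed local certificate (local.pem); copy
# both onto the device's storage before the next step.

# Step 4: import the CA certificate first, then the local certificate, in PEM form
[Sysname] pki import-certificate ca domain pki-dom pem filename ca.pem
[Sysname] pki import-certificate local domain pki-dom pem filename local.pem

# The pki request-certificate line is not written to the configuration file, so
# after a reload it must be re-issued if a certificate has to be requested again.
```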