The controller can use RPC Install to install a new certificate on the server. After the certificate is installed, the server must be configured (assign a certificate and key files in the CERT profile) before the new certificate can be used.
Two cases are supported for installing a certificate:
server capable of generating a CSR (see Figure: RPC install message flow for CSRs generated on the SR OS node)
server is not capable of generating a CSR (see Figure: RPC install message flow if CSRs are not generated on the SR OS node)
The SR OS supports both scenarios, although it is assumed that in most cases the CSR is generated on the SR OS node.
Both scenarios require the following steps:
1. Generate the CSR.
2. Have the Certificate Authority (CA) sign the CSR.
3. Load the new certificate on the server.
The message exchange during phases 1 and 3 is the same as shown in Figure: GenerateCSR message flow and Figure: LoadCSRRequest/Response message flow. The only difference in the case of RPC Install is that a new certificate_id is used.
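The three steps above can be rehearsed offline with the OpenSSL CLI for the case where the CSR is not generated on the node. This is an added example, not part of the original documentation, and it does not perform the gRPC exchange. The demo CA, common names, file names, and the ready_to_load check are constructed for illustration.

```shell
#!/bin/sh
# Added example: the three steps rehearsed offline with the OpenSSL CLI.
# The CA, common names and file names are constructed for illustration.

make_ca() {            # $1 = work dir; stands in for the real CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

make_csr() {           # step 1: $1 = dir, $2 = name, $3 = common name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

sign_csr() {           # step 2: the CA signs the CSR ($1 = dir, $2 = name)
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null
}

pub_digest() {         # $1 = x509|pkey, $2 = file; prints SHA-256 of the public key
    if [ "$1" = x509 ]; then openssl x509 -in "$2" -noout -pubkey
    else openssl pkey -in "$2" -pubout; fi | openssl dgst -sha256 | awk '{print $NF}'
}

ready_to_load() {      # gate before step 3: $1 = dir, $2 = cert name, $3 = key name
    # The certificate must chain to the expected CA ...
    openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1 || return 1
    # ... and must carry the public key of the private key it will be paired with.
    [ "$(pub_digest x509 "$1/$2.pem")" = "$(pub_digest pkey "$1/$3.key")" ]
}

demo() {
    d=$(mktemp -d) && make_ca "$d" && make_csr "$d" node "sr-node.example" &&
        sign_csr "$d" node && ready_to_load "$d" node node && echo "ok to load"
    rm -rf "$d"
}

demo
```

The ready_to_load gate fails when the certificate was issued for a different key than the one it is paired with, which is the mismatch to catch before the certificate and key files are assigned together.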
After new certificates are installed, the system must be configured before they can be used. Configuration is supported using the following methods:
an existing gRPC session
a CLI session, SNMP, or NETCONF