Certificate enrollment

The SR OS supports two certificate enrollment methods:

The off-line method works as follows:

  1. Generate a key pair via the admin certificate gen-keypair command.

    For example:

    admin certificate gen-keypair cf3:/segw.key size 2048 type rsa

  2. Generate a PKCS#10 certificate signing request with the key generated in step 1 via the admin certificate gen-local-cert-req command.

    For example:

    admin certificate gen-local-cert-req keypair cf3:/segw.key subject-dn C=US,ST=CA,O=ALU,CN=SeGW domain-name segw-1.alu.com file cf3:/segw.pkcs10

    The user specifies the subject of the certificate request and can optionally specify an FQDN or an IP address as the SubjectAltName.

  3. Import the key file via the admin certificate import command.

    For example:

    admin certificate import type key input cf3:/segw.key output segw.key format der

  4. Because the key has been imported, remove the key file generated in step 1 for security reasons.

  5. Send the PKCS#10 file to the CA via an offline method such as e-mail.

  6. The CA signs the request and returns the certificate.

  7. Import the resulting certificate via the admin certificate import command.

    For example:

    admin certificate import type cert input cf3:/segw.cert output segw.cert format pem
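
The following is an added example, not part of the original documentation or the SR OS CLI: a workstation-side check, run between steps 6 and 7, that the certificate returned by the CA carries the same public key as the PKCS#10 request and lists the requested FQDN as SubjectAltName. It assumes OpenSSL 1.1.1 or later on the workstation; the function names, the throwaway demo CA and the local file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: workstation-side checks before step 7. All file names and the
# throwaway CA are constructed for the demo; the device itself is not involved.

# True only if the certificate ($2, PEM) carries the public key of the CSR ($1).
# $3 is the CSR encoding, PEM (default) or DER.
cert_matches_csr() {
    csr_pub=$(openssl req -in "$1" -inform "${3:-PEM}" -noout -pubkey 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

# True only if the certificate ($1) lists exactly DNS name $2 in SubjectAltName.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ', ' '\n\n' | grep -qxF "DNS:$2"
}

# Builds constructed sample material in directory $1.
make_demo() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.pem" -subj "/O=Demo/CN=Demo CA" -days 1 2>/dev/null
    for name in segw other; do   # "other" is an unrelated key pair
        openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
        openssl req -new -key "$dir/$name.key" -out "$dir/$name.pkcs10" \
            -subj "/C=US/ST=CA/O=ALU/CN=SeGW"
    done
    printf 'subjectAltName=DNS:segw-1.alu.com\n' > "$dir/san.ext"
    openssl x509 -req -in "$dir/segw.pkcs10" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/san.ext" -days 1 -out "$dir/segw.cert" 2>/dev/null
}

demo=$(mktemp -d) && make_demo "$demo"
cert_matches_csr "$demo/segw.pkcs10" "$demo/segw.cert" && echo "key binding: ok"
cert_has_dns_san "$demo/segw.cert" segw-1.alu.com && echo "SAN present: ok"
cert_matches_csr "$demo/other.pkcs10" "$demo/segw.cert" || echo "foreign CSR: rejected"
rm -rf "$demo"
```

A certificate that fails either check should go back to the CA rather than be imported, since it would not pair with the key imported in step 3 or would not carry the name peers expect.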

For CMPv2-based enrollment, see CMPv2.