Updated on 2022-04-02 GMT+08:00

Certificate Update Tasks

Prerequisites

  • The parameters for interconnecting with the CA have been configured. For details, see Configuring CA Interconnection Parameters.
  • You have the following permissions: Query Certificate Application Task and Manage Certificate Application Task.
  • You have obtained from the interconnected CA the certificate format, validity period, key algorithm, key length, certificate type, key usage, and extended key usage it supports, so that the planned certificate information is correct.
  • You have obtained the information about the certificate to be applied for: certificate format, common name (CN), country or region (C), province or state (ST), city (L), organization (O), department (OU), validity period, key algorithm, key length, subject alternative name, certificate type, key usage, and extended key usage.

Context

  • The time difference between NetEco and the CA must be less than 5 minutes. Otherwise, the certificate application fails.
  • For security purposes, the password must meet the following complexity requirements:
    • Contain 8 to 64 characters.
    • Contain at least three of the following: lowercase letters, uppercase letters, digits, and special characters. Only the following special characters are allowed: ~@#^*-_+[{}]:./?
  • The validity period of a certificate applied for from the CA is determined jointly by the customized validity period, the validity period of the CA root certificate, the maximum validity period supported by the CA, and the validity period of the application template supported by the CA. Generally, it does not exceed the maximum validity period supported by the CA or the validity period of the CA's application template. The actual validity period depends on the interconnected CA, so check the issued certificate rather than assuming the requested value was granted.
  • Table 1 describes the certificate formats, key algorithms, key lengths, certificate types, key usages, and extended key usages supported by certificate management.
    Table 1 Certificate information

    Certificate format: Format of the certificate.
    • PEM
    • PKCS12

    Key algorithm: Key algorithm of the certificate.
    • RSA
    • ECDSA
    NOTE:
    RSA keys of 2047 bits or shorter are insecure. Use a certificate whose RSA key is 3072 bits or longer.

    Key length: Length of the certificate key, in bits.
    • RSA:
      • 2048
      • 3072
      • 4096
      • 6144
      • 8192
    • ECDSA:
      • 256
      • 384
      • 521

    Certificate type: Type of the certificate.
    • End Entity: Select this type if the key corresponding to the certificate will not be used to sign other certificates.
    • CA: Select this type if the key corresponding to the certificate will be used to issue (sign) certificates.

    Key usage: Usage of the certificate key.
    • Digital signature: Select this usage if the public key is used to verify digital signatures for entity authentication and data integrity (other than signatures on certificates and CRLs).
    • Non-repudiation: Select this usage if the public key is used to verify digital signatures that provide a non-repudiation service, preventing the signing entity from later denying its requests.
    • Key encipherment: Select this usage if the public key is used to encrypt keys, for example, for key transport in an encryption protocol.
    • Data encipherment: Select this usage if the public key is used to encrypt application data directly rather than keys.
    • Key agreement: Select this usage if the public key is used for key agreement between sender and receiver, for example, Diffie-Hellman or ECDH key exchange.
    • Certificate signing: Select this usage if the public key is used to verify signatures on certificates. It may be set only on a CA certificate (Certificate type set to CA).
    • CRL signing: Select this usage if the public key is used to verify signatures on certificate revocation lists.
    • Encipher only: Meaningful only when Key agreement is also selected. The public key may be used only for enciphering data during key agreement.
    • Decipher only: Meaningful only when Key agreement is also selected. The public key may be used only for deciphering data during key agreement.

    Extended key usage: Extended usage of the certificate key.
    • Server authentication: TLS WWW server authentication. Requires Digital signature, Key encipherment, or Key agreement in Key usage.
    • Client authentication: TLS WWW client authentication. Requires Digital signature or Key agreement in Key usage.
    • Email protection: Email protection. Requires Digital signature, Non-repudiation, Key encipherment, or Key agreement in Key usage.
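The following script is an added example, not NetEco code or part of this page: it checks a planned certificate update task against the rules above (the clock difference, the password complexity rule, and the key, certificate type, key usage and extended key usage combinations in Table 1) before the task is created, so that a request the CA would reject or alter is caught early. The plan dictionary and its key names, the spellings of the key usages, the ERROR/WARNING labels, and the assumption that the password rule applies to the PKCS12 file password are this example's own.

```python
"""Pre-flight check of a planned certificate update task against the rules in
Context and Table 1. Added example, not NetEco code. Assumptions of this
example: the plan dictionary and its keys, the key-usage spellings, and that
the password rule applies to the PKCS12 file password."""
import string

ALLOWED_SPECIALS = set("~@#^*-_+[{}]:./?")
KEY_LENGTHS = {"RSA": {2048, 3072, 4096, 6144, 8192}, "ECDSA": {256, 384, 521}}
# Each extended key usage needs at least one of these key usages (Table 1).
EKU_REQUIRES = {
    "serverAuth": {"digitalSignature", "keyEncipherment", "keyAgreement"},
    "clientAuth": {"digitalSignature", "keyAgreement"},
    "emailProtection": {"digitalSignature", "nonRepudiation",
                        "keyEncipherment", "keyAgreement"},
}

# Constructed sample plans: one that passes and one that breaks several rules.
GOOD_PLAN = {
    "certificate_format": "PKCS12", "password": "NetEco-2024#",
    "key_algorithm": "ECDSA", "key_length": 384,
    "certificate_type": "End Entity",
    "key_usage": ["digitalSignature", "keyAgreement"],
    "extended_key_usage": ["serverAuth", "clientAuth"],
    "validity_days": 730, "ca_max_validity_days": 1095,
}
BAD_PLAN = {
    "certificate_format": "PKCS12", "password": "Abc!1",
    "key_algorithm": "RSA", "key_length": 2048,
    "certificate_type": "End Entity",
    "key_usage": ["keyCertSign", "encipherOnly"],
    "extended_key_usage": ["serverAuth"],
    "validity_days": 3650, "ca_max_validity_days": 1825,
}


def check_password(pw: str) -> list[str]:
    """Return the complexity rules the password violates (empty list = OK)."""
    problems = []
    if not 8 <= len(pw) <= 64:
        problems.append("password must contain 8 to 64 characters")
    classes = (any(c in string.ascii_lowercase for c in pw),
               any(c in string.ascii_uppercase for c in pw),
               any(c in string.digits for c in pw),
               any(c in ALLOWED_SPECIALS for c in pw))
    if sum(classes) < 3:
        problems.append("password needs three of: lowercase, uppercase, digit, special")
    allowed = set(string.ascii_letters + string.digits) | ALLOWED_SPECIALS
    bad = "".join(sorted(set(pw) - allowed))
    if bad:
        problems.append("password contains disallowed characters: " + bad)
    return problems


def check_plan(plan: dict, clock_skew_seconds: float) -> list[str]:
    """Return findings: 'ERROR: ...' for what fails or is inconsistent,
    'WARNING: ...' for what is accepted but not advised or will be changed by the CA."""
    findings = []
    if abs(clock_skew_seconds) >= 300:
        findings.append("ERROR: NetEco and CA clocks differ by 5 minutes or more")

    alg, bits = plan["key_algorithm"], plan["key_length"]
    if bits not in KEY_LENGTHS.get(alg, set()):
        findings.append(f"ERROR: unsupported key {alg}/{bits}")
    elif alg == "RSA" and bits < 3072:
        findings.append("WARNING: RSA below 3072 bits is not advised")

    ku, is_ca = set(plan["key_usage"]), plan["certificate_type"] == "CA"
    if "keyCertSign" in ku and not is_ca:
        findings.append("ERROR: keyCertSign may only be set on a CA certificate")
    if is_ca and "keyCertSign" not in ku:
        findings.append("ERROR: a CA certificate must have keyCertSign")
    if {"encipherOnly", "decipherOnly"} & ku and "keyAgreement" not in ku:
        findings.append("ERROR: encipherOnly/decipherOnly require keyAgreement")
    for eku in plan["extended_key_usage"]:
        if not ku & EKU_REQUIRES[eku]:
            findings.append(f"ERROR: {eku} needs one of {sorted(EKU_REQUIRES[eku])}")

    if plan["validity_days"] > plan["ca_max_validity_days"]:
        findings.append("WARNING: requested validity exceeds the CA maximum and will be shortened")

    if plan["certificate_format"] == "PKCS12":  # assumed: password protects the PKCS12 file
        findings += ["ERROR: " + p for p in check_password(plan.get("password", ""))]
    return findings


if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan, clock_skew_seconds=60) or "OK")
```

Run it before clicking Create: every ERROR line maps to a rule on this page that the CA or NetEco will enforce, and the WARNING lines are the cases (short RSA key, validity above the CA maximum) where the task may succeed but not produce what was planned.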

Procedure

  1. Choose System > About > Certificate Management from the main menu.
  2. In the navigation pane, choose Online Certificate Update > Certificate Update Tasks.
  3. Click Create.
  4. Select the update mode as required.

    • Updating using an existing template
      1. (Optional) Create a certificate application template. For details, see Creating Certificate Application Templates.
      2. Select a template from the Template drop-down list.
      3. Configure the parameters as required.

        After a certificate application template is selected, you can still change the values of some parameters. For example, if the validity period set in the template is five years but the new certificate requires 10 years, set the validity period to 10 years when creating the certificate update task. The CA may still shorten the validity period it actually grants (see Context).

    • Updating without a template

      Configure the parameters as required.

  5. Click OK.
  6. In the list of certificate update tasks, check Task Status of the created task.

    • Pending: The certificate update task is applying for a new certificate. Refresh the page to view the latest task status.
    • Success: The certificate update task has completed and the new certificate has been obtained.
    • Failed: The certificate update task failed to obtain a certificate. In the Operation column of the row, click Query Failure Causes. In the dialog box that is displayed, click Details and rectify the fault based on the details (for example, a time difference of 5 minutes or more between NetEco and the CA; see Context). If the problem persists, contact technical support.

  7. (Optional) To apply the obtained certificate to services, perform 7.a to 7.e.

    1. In the Operation column of the row that contains the certificate, click the button for applying the certificate to services.
    2. Select the services to which you want to apply the certificate.
    3. Click OK.
    4. In the High Risk dialog box, read the information carefully and confirm whether to apply the certificate to the services.
      • If yes, select I understand the risk and want to continue, click OK, and go to 7.e.
      • If no, click Cancel.
    5. Check whether the certificate is successfully applied to the corresponding service.

      If the message Certificates applied to services successfully. is displayed, the certificate is successfully applied to the service. Click OK. Otherwise, handle the problem according to the information in the dialog box.

      The certificate of APIMLBService takes effect only after the service is restarted.
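Before applying an obtained certificate to services (step 7), it is worth checking that what the CA issued matches what was planned, since the Context section notes that the CA may grant a shorter validity period than requested. The following is an added example, not NetEco code or part of this page: it uses the pyca/cryptography library and, so that it runs offline, mints a stand-in CA and leaf certificate inline instead of fetching the certificate obtained by the task; the PLAN dictionary, its keys, and the stand-in CA (which signs with ECDSA and caps validity at its own maximum) are this example's assumptions. With a real certificate, load it with x509.load_pem_x509_certificate and the CA certificate configured under Configuring CA Interconnection Parameters, and pass them to verify_issued.

```python
"""Verify the certificate a task obtained against the planned certificate
information before applying it to services. Added example, not NetEco code:
it uses pyca/cryptography and, to run offline, mints a stand-in CA and leaf
certificate inline. The PLAN dictionary and its keys are this example's own."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

KU_NAMES = ("digital_signature", "content_commitment", "key_encipherment",
            "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign",
            "encipher_only", "decipher_only")
EKU_OIDS = {"serverAuth": ExtendedKeyUsageOID.SERVER_AUTH,
            "clientAuth": ExtendedKeyUsageOID.CLIENT_AUTH,
            "emailProtection": ExtendedKeyUsageOID.EMAIL_PROTECTION}
# Constructed plan: the values that were entered in the certificate update task.
PLAN = {"common_name": "neteco.example.internal",
        "dns_names": ["neteco.example.internal", "neteco-api.example.internal"],
        "key_algorithm": "ECDSA", "key_length": 384,
        "key_usage": {"digital_signature", "key_agreement"},
        "extended_key_usage": {"serverAuth", "clientAuth"},
        "validity_days": 730}


def _ext(cert, cls):
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def _validity_days(cert) -> int:
    if hasattr(cert, "not_valid_after_utc"):  # cryptography >= 42
        return (cert.not_valid_after_utc - cert.not_valid_before_utc).days
    return (cert.not_valid_after - cert.not_valid_before).days


def _key_usage_set(ku) -> set:
    names = {n for n in KU_NAMES[:7] if getattr(ku, n)}
    if ku.key_agreement:  # encipher/decipher_only are undefined without it
        names |= {n for n in KU_NAMES[7:] if getattr(ku, n)}
    return names


def verify_issued(cert, ca_cert, plan) -> list[str]:
    """Return mismatches between the issued certificate and the plan (empty = OK)."""
    findings = []
    try:  # issued by the configured CA? (the stand-in CA signs with ECDSA)
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        findings.append("signature does not verify with the configured CA certificate")
    key = cert.public_key()
    got = (("RSA", key.key_size) if isinstance(key, rsa.RSAPublicKey)
           else ("ECDSA", key.curve.key_size) if isinstance(key, ec.EllipticCurvePublicKey)
           else (type(key).__name__, 0))
    if got != (plan["key_algorithm"], plan["key_length"]):
        findings.append(f"key is {got[0]}/{got[1]}, planned "
                        f"{plan['key_algorithm']}/{plan['key_length']}")
    cn = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if cn != [plan["common_name"]]:
        findings.append(f"CN is {cn}, planned {plan['common_name']!r}")
    san = _ext(cert, x509.SubjectAlternativeName)
    dns = set(san.get_values_for_type(x509.DNSName)) if san else set()
    if missing := set(plan["dns_names"]) - dns:
        findings.append("SAN missing " + ", ".join(sorted(missing)))
    ku = _ext(cert, x509.KeyUsage)
    if (_key_usage_set(ku) if ku else set()) != set(plan["key_usage"]):
        findings.append("key usage differs from plan")
    eku = _ext(cert, x509.ExtendedKeyUsage)
    if (set(eku) if eku else set()) != {EKU_OIDS[e] for e in plan["extended_key_usage"]}:
        findings.append("extended key usage differs from plan")
    days = _validity_days(cert)  # the CA may grant less than requested (Context)
    if days < plan["validity_days"]:
        findings.append(f"validity is {days} days, planned {plan['validity_days']}")
    return findings


def mint_stand_in(plan, ca_max_days):
    """Stand-in for the interconnected CA: issues the planned certificate but,
    like a real CA, never grants more than its own maximum validity period."""
    now = datetime.now(timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP384R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Stand-in CA")])
    ca_cert = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=3650))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA384()))
    leaf_key = ec.generate_private_key(ec.SECP384R1())  # ECDSA/384, as planned
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, plan["common_name"])])
    leaf = (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_name)
            .public_key(leaf_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + timedelta(days=min(plan["validity_days"], ca_max_days)))
            .add_extension(x509.SubjectAlternativeName(
                [x509.DNSName(d) for d in plan["dns_names"]]), critical=False)
            .add_extension(x509.KeyUsage(**{n: n in plan["key_usage"] for n in KU_NAMES}),
                           critical=True)
            .add_extension(x509.ExtendedKeyUsage(
                [EKU_OIDS[e] for e in plan["extended_key_usage"]]), critical=False)
            .sign(ca_key, hashes.SHA384()))
    return ca_cert, leaf
```

With a stand-in CA whose maximum validity is 365 days, verify_issued reports only the shortened validity; with a CA that allows the requested 730 days it reports nothing, and a certificate checked against the wrong CA certificate fails the signature check first. A finding on key usage or extended key usage means a service you apply the certificate to may reject it even though the task status is Success.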