
H3C MSR Series Command Reference

H3C MSR Series
1187 pages
Usage guidelines
If you set the certificate request mode to auto for a PKI domain that does not have a CA certificate,
you must configure the fingerprint for CA certificate verification. When an application, such as IKE,
triggers the device to request local certificates, the device automatically performs the following
operations:
1. Obtains the CA certificate from the CA server.
2. Verifies the fingerprint contained in the CA certificate against the one configured in the PKI domain.
If the two fingerprints do not match, or no fingerprint is configured in the PKI domain, the device
rejects the CA certificate and the local certificate request fails.
The fingerprint configured by this command is also used for CA certificate verification when the
device performs the following operations:
• Imports the CA certificate as requested by the pki import command.
• Obtains the CA certificate as requested by the pki retrieve-certificate command.
The device automatically verifies the fingerprint of the CA certificate to be imported or obtained
against that configured in the PKI domain. If the two fingerprints do not match, the device rejects the
CA certificate. If no fingerprint is configured in the PKI domain, the device prompts you to manually
verify the fingerprint of the CA certificate to be imported or obtained.
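An added example (not H3C code and not part of the manual) that models the accept, reject and prompt outcomes described above and computes the value to enter in root-certificate fingerprint. It assumes the fingerprint is the usual digest of the certificate's DER encoding; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed stand-in for a DER-encoded certificate (not a real CA certificate).
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_bytes(cert: bytes) -> bytes:
    """Return the DER encoding of a certificate given as PEM or DER."""
    m = PEM_RE.search(cert)
    return base64.b64decode(b"".join(m.group(1).split())) if m else cert

def fingerprint(cert: bytes, algo: str) -> str:
    """Digest of the DER encoding as bare uppercase hex, as in the CLI examples."""
    if algo not in ("md5", "sha1"):
        raise ValueError("only md5 and sha1 appear in the command on this page")
    return hashlib.new(algo, der_bytes(cert)).hexdigest().upper()

def normalize(fp: str) -> str:
    """Strip colons/whitespace (OpenSSL-style output) and validate the hex string."""
    fp = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{32}|[0-9A-F]{40}", fp):
        raise ValueError("expected 32 (MD5) or 40 (SHA-1) hex digits")
    return fp

def check_ca_cert(cert: bytes, configured, operation: str) -> str:
    """configured is (algo, hex) or None; operation is 'auto-request', 'import'
    or 'retrieve'. Returns 'accept', 'reject' or 'prompt' per the guidelines."""
    if configured is None:
        # Per the guidelines: auto request rejects, import/retrieve ask the operator.
        return "reject" if operation == "auto-request" else "prompt"
    algo, fp = configured
    return "accept" if fingerprint(cert, algo) == normalize(fp) else "reject"

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_PEM, "sha1")
    print("root-certificate fingerprint sha1", fp)
    print(check_ca_cert(SAMPLE_PEM, ("sha1", fp), "auto-request"))
    print(check_ca_cert(SAMPLE_PEM, None, "auto-request"))
    print(check_ca_cert(SAMPLE_PEM, None, "import"))
```

Compute the fingerprint from a copy of the CA certificate obtained over a trusted channel, not from the certificate the device has just downloaded.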
Examples
# Specify an MD5 fingerprint for verifying the root CA certificate. (This feature is supported only in
non-FIPS mode.)
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E
# Specify an SHA1 fingerprint for verifying the root CA certificate.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
Related commands
certificate request mode
pki import
pki retrieve-certificate
rule
Use rule to create an access control rule.
Use undo rule to remove an access control rule.
Syntax
rule [ id ] { deny | permit } group-name
undo rule id
Default
No access control rules exist.
Views
Certificate-based access control policy view


H3C MSR Series Specifications

General
Category: Network Router
IPv6 Support: Yes
Dimensions: Varies by model
Weight: Varies by model
Product Type: Modular Router
Ports: Varies by model
WAN Interfaces: Varies by model
Firewall: Yes
QoS: Yes
Wireless Support: Varies by model
USB Ports: Varies by model
Console Port: Yes
Power Supply: Varies by model
Redundancy: Varies by model
Operating Temperature: 0°C to 45°C
Storage Temperature: -40°C to 70°C
Humidity: 5% to 95% non-condensing
Series: MSR
Certifications: CE, FCC, RoHS