HP FlexFabric 5700 series User Manual

HP FlexFabric 5700 series
460 pages
• Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or TFTP is not
available, display and copy the contents of a certificate to a file on the device. Make sure the
certificate is in PEM format because only certificates in PEM format can be imported.
• To import a certificate, a CA certificate chain must exist in the PKI domain, or be contained in the
certificate. If the CA certificate chain is not available, obtain it before importing the certificate.
Configuration guidelines
• To import a local certificate containing an encrypted key pair, you must provide the challenge
password. Contact the CA administrator to obtain the password.
• If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to
obtain a new one, use the pki delete-certificate command to remove the existing CA certificate and
local certificates first.
• If local or peer certificates already exist, you can obtain new local or peer certificates to overwrite
the existing ones. If RSA is used, a PKI domain can have two local certificates, one for signature and
the other for encryption.
• If CRL checking is enabled, obtaining a certificate triggers CRL checking. If the certificate to be
obtained has been revoked, the certificate cannot be obtained.
• The device compares the validity period of a certificate with the local system time to determine
whether the certificate is valid. Make sure the system time of the device is synchronized with the CA
server.
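The prerequisites and guidelines above (PEM format, challenge password for an encrypted key pair, validity period compared with the device time) can be checked on a workstation before the file is uploaded. The following is an added example, not part of the HP manual: all function names are illustrative, and sample_pem builds a constructed, unsigned skeleton certificate only so that the check runs offline.

```python
import base64, re
from datetime import datetime, timezone
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
def tlv(der, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def validity(der):
    """Return (notBefore, notAfter) of a DER X.509 certificate as UTC datetimes."""
    _, pos, _ = tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    pos = end if tag == 0xA0 else pos      # skip the optional [0] version field
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, pos = tlv(der, pos)
    _, pos, _ = tlv(der, pos)              # validity SEQUENCE
    times = []
    for _ in range(2):
        tag, start, pos = tlv(der, pos)    # 0x17 = UTCTime, else GeneralizedTime
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        times.append(datetime.strptime(der[start:pos].decode(), fmt).replace(tzinfo=timezone.utc))
    return tuple(times)

def preflight(pem_text, device_time):
    """Return findings for a file meant for 'pki import ... pem', judged at device_time (UTC)."""
    blocks = PEM_CERT.findall(pem_text)
    if not blocks:
        return ["no PEM CERTIFICATE block found (DER or PKCS#12 file?)"]
    findings = []
    for i, b64 in enumerate(blocks):
        not_before, not_after = validity(base64.b64decode(b64))
        if device_time < not_before:
            findings.append(f"cert {i}: not yet valid at device time (clock behind?)")
        elif device_time > not_after:
            findings.append(f"cert {i}: expired at device time")
    if "ENCRYPTED" in pem_text:
        findings.append("encrypted key pair present: challenge password needed")
    return findings

def sample_pem(not_before, not_after):
    """Constructed, unsigned skeleton (fields up to validity only) so the check runs offline."""
    enc = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    tbs = (enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30, b"") + enc(0x30, b"")
           + enc(0x30, enc(0x17, not_before) + enc(0x17, not_after)))
    b64 = base64.encodebytes(enc(0x30, enc(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"
```

Pass the time the device itself reports, not the workstation time, because the device clock is what the validity period is compared against. Python's %y pivots two-digit years at 69 while RFC 5280 pivots at 50, so UTCTime years 1950 to 1968 would be misread; certificates in current use are unaffected.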
Configuration procedure
To obtain certificates:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Obtain certificates.
  Command:
  • Import certificates in offline mode:
    pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] }
  • Obtain certificates in online mode:
    pki retrieve-certificate domain domain-name { ca | local | peer entity-name }
  Remarks: The pki retrieve-certificate command is not saved in the configuration file.
Verifying PKI certificates
A certificate is automatically verified when it is requested, obtained, or used by an application. If the
certificate expires, if it is not issued by a trusted CA, or if it is revoked, the certificate cannot be used.
You can also manually verify a certificate. If it has been revoked, the certificate cannot be requested or
obtained.
