280
• Use a certificate that is packed with the server generated key pair in a single file. Only certificate
files in PKCS12 or PEM format might contain key pairs.
Before you import the certificates, complete the following tasks:
• Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or TFTP is not
available, you can import the certificates by copying and pasting the certificate contents through
the terminal. In this case, make sure the certificate is in PEM format because only certificates in PEM
format can be imported by this means.
• For the local certificates or peer certificates to be imported, the proper CA certificate chain must
exist. The CA certificate chain can be stored on the device, or carried in the local certificates or peer
certificates. If the PKI domain, the local certificates, or the peer certificates do not have the CA
certificate chain, you must import the CA certificate first. To import a local or peer certificate, a CA
certificate chain must exist in the PKI domain, or be carried in the local or peer certificate. If not,
obtain it first.
When you import the local certificates or peer certificates:
• If the local certificates or peer certificates to be imported contain the CA certificate chain, you can
import the CA certificate and the local certificates or peer certificates at the same time. If the
certificate of the CA that issues the local certificates or peer certificates already exists in a PKI
domain, the system displays a prompt to ask you whether to overwrite the existing CA certificate.
• If the local certificates or peer certificates to be imported do not contain the CA certificate chain,
but the certificate of the CA that issues the local certificate or peer certificate already exists in a PKI
domain, you can directly import the local certificates or peer certificates.
When you import the CA certificate:
• If the CA certificate to be imported is the CA root certificate or contains the certificate chain with the
root certificate, you can import the CA certificate.
• If the CA certificate to be imported contains a certificate chain without the root certificate, but can
form a complete certificate chain with the CA certificate on the device, you can import the CA
certificate. Otherwise, you cannot import it.
Contact the CA server administrator to get proper information in the following scenarios:
• If the certificate file to be imported contains the root certificate, but the root certificate and its
fingerprint are not specified on the device, the system asks you to confirm the fingerprint.
• If the local certificate to be imported contains a key pair, the system asks you to enter the challenge
password used for encrypting the private key.
When you import a local certificate file that contains a key pair, you can choose to update the domain
with the key pair. Depending on the purpose, the following conditions apply:
• If the purpose of the key pair is general, the device uses the key pair to replace the local key pair
that is found in this order: general-purpose key pair, signature key pair, and encryption key pair.
• If the purpose of the key pair is signature, the device uses the key pair to replace the local key pair
that is found in this order: general-purpose key pair and signature key pair.
• If the purpose of the key pair is encryption, the device searches the domain for an encryption key
pair.
If a proper key pair name is found, the device displays a prompt to ask you whether to overwrite the
existing key pair on the device. If it does not find a proper key pair name, the device asks you to enter
a key pair name (defaulting to the PKI domain name) and then generates a proper key pair according
to the algorithm and the purpose of the key pair defined in the certificate file.
To Next Page
Loading...
Need help?
General
