No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Failed to Obtain a CA Certificate

Failed to Obtain a CA Certificate

Common Causes

This fault is commonly caused by one of the following:
  • A fault occurs on the network connection, for example, the network cable is broken or not properly connected.
  • The CA certificate is not given a trusted name.
  • The RA server URL is not correct or not configured.
  • The enrollment mode (CA or RA) is incorrect.
  • No RA server is configured for the certificate enrollment.
  • The fingerprint for the CA certificate is configured incorrectly.
  • The device system clock does not synchronize with the CA clock.

Troubleshooting Flowchart

Figure 22-14 shows the troubleshooting flowchart.

Figure 22-14  Troubleshooting flowchart for a failure to obtain a CA certificate

Troubleshooting Procedure


  1. Ensure that the network connection between the device and RA server functions properly.
  2. Verify that mandatory parameters are configured correctly.

    Run the display pki realm command to check whether mandatory parameters in the PKI domain are configured correctly.

    If the CA ID is configured incorrectly, the CA certificate may fail to be obtained.

    If the certificate's enrollment URL is configured incorrectly, the CA certificate may fail to be obtained.

    If an incorrect fingerprint is configured in the PKI domain, the device cannot obtain the CA certificate. If no fingerprint is configured, the system prompts the user to enter the fingerprint.

    Verify that the enrollment mode is correct. To obtain a certificate from an RA server, use the RA enrollment mode. To obtain a certificate from a CA server, use the CA enrollment mode. If the preceding configurations are all correct, but the fault persists, go to step 3.

  3. Run the ping command to check the connection between the device and the enrollment server.

    If the device is properly connected to the enrollment server, but the fault persists, go to step 4.

  4. Check the authority in charge of certificate enrollment.

    Check whether the RA or CA is configured correctly. If not, modify the configuration.

    If the fault persists, go to step 5.

  5. Check whether the device clock synchronizes with the RA or CA clock.

    If not, configure the device to synchronize with the RA or CA clock.

    If the fault persists, go to step 6.

  6. Collect the following information and contact technical support personnel.

    • Results of the preceding troubleshooting procedure
    • Configuration files, log files, and alarm files of the device

Updated: 2019-05-10

Document ID: EDOC1000079719

Views: 456580

Downloads: 4321

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next