CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Importing a Certificate

A PKI domain has been created using the pki realm (System view) command.


After obtaining an external certificate out of band, you need to import the certificate to the device. The imported certificate can be a CA certificate or a local certificate with the private key. The device supports two certificate import modes:
  • File transfer mode: Upload the certificate file to the device through FTP or TFTP, and then import the file to the device memory. This mode applies to certificates in the PEM, PFX (PKCS#12, P12 for short), or DER format.
  • Terminal mode: Enter the certificate contents directly on the terminal screen, or open the certificate file using a text editor and copy the certificate contents on the terminal screen. This mode applies only to certificates in the PEM format.

Before importing certificates, users are advised to specify whether the private keys of imported certificates can be exported. Generally, a user needs to export the certificate and private key together only when backing up a local certificate. In most scenarios, the user only needs to export the certificate to obtain the public key. If private key exporting is prohibited, private key disclosure can be prevented because unauthorized users cannot export private keys.


  1. Run:


    The system view is displayed.

  2. (Optional) Specify whether the private key of a local certificate can be exported.
    1. (Optional) Run:

      pki realm realm-name

      The PKI domain (non-default domain) view is displayed.

      If obtaining a self-signed certificate is specified in a PKI domain, such as the PKI domain default, the private key of the certificate cannot be exported. You cannot modify this configuration.

    2. (Optional) Run:


      A user is prohibited from exporting the private key of a local certificate.

      By default, a user is allowed to export the private key of a local certificate.

      If this command is configured before a certificate is imported, this command takes effect. If private keys already exist in a domain before this command is configured, it does not take effect.

    3. (Optional) Run:


      Return to the system view.

  3. Configure the certificate import function using either of the following methods:
    1. Run:

      pki import-certificate { ca | local | ocsp } pki-realm-name { der | pkcs12 | pem }

      The external certificate is imported to the device through file transfer mode.

    2. Run:

      pki import-certificate  name pki-realm-name  pem terminal password password-value

      The external certificate is imported to the device through terminal mode.
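
Because terminal mode accepts only PEM while file transfer mode accepts PEM, PKCS#12, or DER, it helps to confirm a file's actual format before choosing the mode and the format keyword. The following Python check is an added example, not part of the Huawei guide; the function names are hypothetical, the samples are constructed header bytes rather than real certificates, and the DER/PKCS#12 detection is a heuristic limited to the three formats the guide names.

```python
import re

# Import modes the guide lists for each format keyword of `pki import-certificate`.
MODES = {"pem": ("file", "terminal"), "der": ("file",), "pkcs12": ("file",)}
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

# Constructed samples (not real certificates); only markers and headers are inspected.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\nQ29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
              b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ29uc3RydWN0ZWQ=\n"
              b"-----END ENCRYPTED PRIVATE KEY-----\n")
SAMPLE_DER = bytes.fromhex("3082010a308200f2a003020102")
SAMPLE_P12 = bytes.fromhex("308209a1020103308209670609")


def inner_prefix(der: bytes) -> bytes:
    """Return the first three bytes inside the outer ASN.1 SEQUENCE, or b''."""
    if len(der) < 2 or der[0] != 0x30:
        return b""
    # Short form: one length byte. Long form: 0x80 | count of following length bytes.
    header = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    return der[header:header + 3]


def classify(data: bytes) -> dict:
    """Map file contents to a format keyword and the import modes that accept it."""
    labels = [m.decode() for m in PEM_BLOCK.findall(data)]
    if labels:
        return {"format": "pem", "modes": MODES["pem"],
                "has_private_key": any("PRIVATE KEY" in name for name in labels)}
    prefix = inner_prefix(data)
    if prefix[:1] == b"\x30":  # X.509 Certificate starts with the tbsCertificate SEQUENCE
        return {"format": "der", "modes": MODES["der"], "has_private_key": False}
    if prefix == b"\x02\x01\x03":  # PKCS#12 PFX starts with INTEGER version 3
        # Contents are typically encrypted, so the key's presence is not visible here.
        return {"format": "pkcs12", "modes": MODES["pkcs12"], "has_private_key": None}
    raise ValueError("not a PEM, DER certificate, or PKCS#12 file")


if __name__ == "__main__":
    for name, blob in (("pem", SAMPLE_PEM), ("der", SAMPLE_DER), ("p12", SAMPLE_P12)):
        print(name, classify(blob))
```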

Updated: 2019-05-25

Document ID: EDOC1000097287
