No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA,NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense;Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Creating a PKI Domain

Creating a PKI Domain


A PKI domain is a set of identity information required when a PKI entity enrolls a certificate. A PKI domain allows other applications, such as Internet Key Exchange (IKE) and Secure Sockets Layer (SSL), to reference the PKI configuration easily.


  1. Run:


    The system view is displayed.

  2. Run:

    pki realm realm-name

    A PKI domain is created.

    By default, the PKI domain default exists on the device.

  3. (Optional) Run:

    enrollment self-signed

    Self-signed certificate obtaining is configured for the PKI domain.

    By default, the certificate in a PKI domain, except the default PKI domain, is obtained in SCEP mode.


    The default certificate obtaining method for the PKI domain default is self-signed.

  4. (Optional) Run:

    usage { ike | ssl-client | ssl-server } *

    The usage information of the key is added to the certificate request packet.

    By default, the certificate request packet does not contain the usage information of the key.

    When the device connects to certain CA servers, run the verisign usage-extension command to configure the certificate enrollment request carrying the key usage option defined by VeriSign. This option is used to describe the usage of the key.

    By default, the certificate enrollment request does not carry the key usage option defined by VeriSign.

  5. (Optional) Run:

    vpn-instance vpn-instance-name

    The PKI domain is added to the specified VPN.

    By default, a PKI domain does not belong to any VPN.


    Before adding a PKI domain to a VPN, complete the following tasks:

    1. A VPN instance has been created using the ip vpn-instance command.
    2. The RD is configured for the VPN instance address family using the route-distinguisher command.

  6. (Optional) Run:

    enrollment-request specific

    The device is configured to use a certificate request packet of the specific format to apply for a certificate from the CA server.

    By default, the device uses a certificate request packet of the standard format to apply for a certificate from the CA server.

  7. (Optional) Run:

    validate time disable

    The device is disabled from verifying the time during PKI certificate verification.


    Only and AR503GW-LM7 support this configuration.

    By default, the device verifies the time during PKI certificate verification.

    The device verifies the time during PKI certificate verification. If the time does not match, the PKI certificate verification fails. If the device does not support the clock synchronization function and restarts due to causes such as power-off, the system time is restored to the factory setting and an error occurs in PKI certificate verification. To avoid this problem, the administrator can run this command to disable the device from verifying the time during PKI certificate verification.

Updated: 2019-05-25

Document ID: EDOC1000097287

Views: 13528

Downloads: 40

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next