CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Example for Importing Certificates Manually

Networking Requirements

An enterprise has bought the following certificates from a branch of the International Association of Professional Certification (IAOPC):
  • localcert.pem: local certificate, which can be used as the identity information of a device to ensure device security.
  • privatekey.pem: private key file of the local certificate, using abcd@huawei20091201 as the password.
  • middlecert.pem: CA certificate (level-3 CA certificate) issued by the subordinate CA server, which verifies the validity of the device certificate.
  • crosscert.pem: CA certificate (level-2 CA certificate) issued by the root CA server, through which the CA server verifies the validity of the level-3 CA certificate.

As shown in Figure 15-8, the administrator needs to import the certificates to the device so that applications such as SSL can reference them.

Figure 15-8  Importing certificates manually

Configuration Roadmap

  1. Create a PKI domain so that applications such as SSL can reference the PKI configurations.
  2. Import the local certificate to the device so that the device can encrypt and sign data and communicate securely with other devices.
  3. Import the CA certificates to the device to verify the validity of the local certificate.
NOTE:

Ensure that the crosscert.pem, localcert.pem, middlecert.pem, and privatekey.pem files have been loaded to the device through FTP or SFTP.

Procedure

  1. Create a PKI domain.

    <Huawei> system-view
    [Huawei] pki realm abc
    [Huawei-pki-realm-abc] quit

  2. Import the local certificate.

    # Import the local certificate localcert.pem and private key privatekey.pem.

    [Huawei] pki import-certificate local abc pem
     Please enter the name of certificate file <length 1-127>: localcert.pem
     You are importing a local certificate,
     You can directly enter "Enter" only the local certificate getting by pkcs10 message in security realm
     Please enter the name of private key file <length 1-127>: privatekey.pem
     Please enter the type of private key file(pem , p12 , der): pem
     The current password is required, please enter your password <length 1-31>: ******************* 
     Successfully imported the certificate. 

  3. Import the CA certificates.

    # Import the CA certificate middlecert.pem issued by the subordinate CA server.

    [Huawei] pki import-certificate ca abc pem
     Please enter the name of certificate file <length 1-127>: middlecert.pem           
      The CA's Subject is C=US,O=GeoTrust Inc.,OU=Domain Validated SSL,CN=GeoTrust DV SSL CA          
      The CA's fingerprint is:         
        MD5  fingerprint: f4858289  ead55c53  b36d4b55  3f267837
        SHA1 fingerprint: bae30b15  dbb1544c  f194d076  b75b7bb9  e3d6b760
      Is the fingerprint correct? [Y/N]: y   
     Successfully imported the certificate.

    # Import the CA certificate crosscert.pem issued by the root CA server.

    [Huawei] pki import-certificate ca abc pem
     Please enter the name of certificate file <length 1-127>: crosscert.pem
      The CA's Subject is C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA
      The CA's fingerprint is:          
        MD5  fingerprint: 2e7db2a3  1d0e3da4  b25f49b9  542a2e1a          
        SHA1 fingerprint: 7359755c  6df9a0ab  c3060bce  369564c8  ec4542a3 
      Is the fingerprint correct? [Y/N]: y          
     Successfully imported the certificate.
    

  4. Verify the configuration.

    After the configurations are complete, run the display pki certificate local and display pki certificate ca commands on the device to view the imported local certificate and CA certificates.

    [Huawei] display pki certificate local abc
    Certificate
      Status : Available
      Version: 3
      Serial Number:
        07 1e 39
      Subject:
        OU=GT51268791
        CN=securelogin.huawei.com
    
      Associated Pki Realm : abc
    
    Total Number: 1  
    [Huawei] display pki certificate ca abc
    CA certificate
      Status : Available
      Version: 3
      Serial Number:
        12 bb e6
      Subject:
        C=US
        O=GeoTrust Inc.
        CN=GeoTrust Global CA
    
      Associated Pki Realm : abc
    
    CA certificate
      Status : Available
      Version: 3
      Serial Number:
        02 36 d2
      Subject:
        C=US
        O=GeoTrust Inc.
        OU=Domain Validated SSL
        CN=GeoTrust DV SSL CA
    
      Associated Pki Realm : abc
    
    Total Number: 2  
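
An off-device check for the "Is the fingerprint correct?" prompt in step 3, as an added example that is not part of the original guide: it computes the MD5 and SHA1 fingerprints of a PEM certificate in the prompt's layout, so the value can be compared with the fingerprint the CA publishes before answering y. It assumes the prompt shows the standard fingerprint (the hash of the DER-encoded certificate); the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM file's text."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def device_style(hex_digest):
    """Group hex into 8-digit words separated by two spaces, like the prompt."""
    return "  ".join(hex_digest[i:i + 8] for i in range(0, len(hex_digest), 8))

def fingerprints(pem_text):
    """MD5 and SHA1 fingerprints (hash of the DER encoding), prompt layout."""
    der = pem_to_der(pem_text)
    return {name: device_style(hashlib.new(name, der).hexdigest())
            for name in ("md5", "sha1")}

def normalize(fp):
    """Drop separators and case so 'BA:E3:..' and 'bae30b15  ..' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def matches(pem_text, reference_fp, algo="sha1"):
    """True only if the file's fingerprint equals the out-of-band reference."""
    ours = normalize(fingerprints(pem_text)[algo])
    theirs = normalize(reference_fp)
    return len(ours) == len(theirs) and hmac.compare_digest(ours, theirs)

# Constructed placeholder bytes standing in for a certificate's DER encoding;
# this is not a real certificate.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    # Pass a file such as middlecert.pem; without one the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    for name, fp in fingerprints(text).items():
        print(f"{name.upper():4} fingerprint: {fp}")
```

Run it against middlecert.pem and crosscert.pem on the workstation that received the files, and answer y on the device only if the printed SHA1 line matches both the device prompt and the CA's published value.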

Configuration Files

Configuration file of the Router

#
pki realm abc
#
return
Updated: 2019-05-25

Document ID: EDOC1000097287
