CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Configuring CA Certificate Fingerprint

Before the device obtains a CA certificate, it must check the CA certificate fingerprint to ensure that the certificate content has not been tampered with by unauthorized users. The CA certificate fingerprint is unique to each certificate. If the CA certificate fingerprint is different from the fingerprint configured in a specified PKI domain, the device rejects the issued certificate.

  • A CA certificate fingerprint is usually sent to the device in out-of-band mode (for example, by phone call, disk, or email).

  • If a certificate is applied for in automatic mode, the CA certificate fingerprint must be configured. If a certificate is applied for in manual mode, the configuration of the CA certificate fingerprint is optional. If the CA certificate fingerprint is not configured, users must authenticate the CA certificate fingerprint by themselves.


  1. Run:


    The system view is displayed.

  2. Run:

    pki realm realm-name

    The PKI domain view is displayed.

  3. Run:

    fingerprint { md5 | sha1 | sha2 } fingerprint

    The CA certificate fingerprint used in CA certificate authentication is configured.

    By default, no CA certificate fingerprint is configured on the device.


    Calculating a CA certificate fingerprint using MD5 or SHA1 has security risks.
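
The check this procedure configures, as an added example that is not part of the Huawei guide or the device's own code: a Python script an administrator can run offline to confirm that a downloaded CA certificate matches the fingerprint received out of band before entering it in the PKI domain. It assumes the `sha2` keyword means SHA-256 and that the fingerprint is the hash of the whole DER-encoded certificate; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Assumption: the CLI keyword "sha2" denotes SHA-256 (the guide does not name the variant).
DIGESTS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha2": hashlib.sha256}
WEAK = {"md5", "sha1"}  # the guide flags these two as having security risks

# Constructed stand-in bytes, not a real certificate: the fingerprint is a hash
# over the raw encoding, so any byte string shows the comparison behaviour.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-ca-certificate-body"

def to_pem(der):
    """Wrap DER bytes in PEM armour (used here only to build the sample input)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def pem_to_der(pem):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(der, algo="sha2"):
    """Lowercase hex digest of the complete encoded certificate."""
    return DIGESTS[algo](der).hexdigest()

def normalize(fp):
    """Drop colons, dashes, spaces and case so differently formatted values compare equal."""
    hexstr = re.sub(r"[\s:\-]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError("fingerprint is not hexadecimal")
    return hexstr

def verify_ca_cert(pem, expected_fp, algo="sha2", allow_weak=False):
    """True only if the certificate hashes to the out-of-band fingerprint."""
    if algo not in DIGESTS:
        raise ValueError("unknown algorithm: " + algo)
    if algo in WEAK and not allow_weak:
        raise ValueError(algo + " fingerprints are refused unless allow_weak is set")
    actual = fingerprint(pem_to_der(pem), algo)
    expected = normalize(expected_fp)
    if len(expected) != len(actual):
        raise ValueError("fingerprint length does not match " + algo)
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    out_of_band = fingerprint(SAMPLE_DER).upper()  # value as it might arrive by phone or email
    print(verify_ca_cert(to_pem(SAMPLE_DER), out_of_band))            # unmodified certificate
    print(verify_ca_cert(to_pem(SAMPLE_DER + b"\x00"), out_of_band))  # altered in transit
```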

Updated: 2019-05-25

Document ID: EDOC1000097287
