Configuration Guide - Basic Configuration

S7700 and S9700 V200R010C00

This document describes methods to use command line interface and to log in to the device, file operations, and system startup configurations.
Configuring an SSL Policy and Loading a Digital Certificate

Context

To avoid potential security risks, you can obtain a trusted digital certificate and a private key file from the CA and manually configure an SSL policy that uses them.

The device supports certificates in PEM, ASN1, and PFX formats. A certificate has the same content regardless of the format it is stored in.
  • The PEM (.pem) digital certificate is the most commonly used format. It is a text-based encoding and is suited to transferring certificates between systems.
  • The ASN1 (.der) format is a universal digital certificate format and the default format for most browsers.
  • The PFX (.pfx) format is a universal digital certificate format. It is a binary format that can be converted into the PEM or ASN1 format.

Procedure

  1. Upload the digital certificate and private key file.

    You can upload the digital certificate and private key file using SFTP or another mode and save them to the security directory. If this directory does not exist, run the mkdir security command to create it. For the procedure for uploading files, see Local File Management.

    NOTE:

    After the files are uploaded to the device, run the dir command in the user view to check whether the uploaded files are the same size as those on the file server. If the sizes differ, an error may have occurred during the transfer. Upload the files again.

  2. Configure an SSL policy and load the digital certificate.
    1. Run:

      system-view

      The system view is displayed.

    2. (Optional) Customize SSL cipher suite.

      1. Run:

        ssl cipher-suite-list customization-policy-name

        A customized SSL cipher suite policy is created and its view is displayed. If the SSL cipher suite policy already exists, the command directly displays its view.

        By default, no customized SSL cipher suite policy is configured.

        To improve system security, the device only supports secure algorithms. To improve compatibility, the device also allows you to customize cipher suite policies. To create a customized cipher suite policy, run the ssl cipher-suite-list command.

      2. Run:

        set cipher-suite { tls1_ck_rsa_with_aes_256_sha | tls1_ck_rsa_with_aes_128_sha | tls1_ck_rsa_rc4_128_sha | tls1_ck_dhe_rsa_with_aes_256_sha | tls1_ck_dhe_dss_with_aes_256_sha | tls1_ck_dhe_rsa_with_aes_128_sha | tls1_ck_dhe_dss_with_aes_128_sha | tls12_ck_rsa_aes_256_cbc_sha256 }

        A cipher suite is added to the customized SSL cipher suite policy.

        By default, no customized SSL cipher suite policy is configured.

        To configure the cipher suites of a customized SSL cipher suite policy, run the set cipher-suite command in the view of that policy.

        If a customized SSL cipher suite policy is being referenced by an SSL policy, the cipher suites in the customized cipher suite policy can be added, modified, or partially deleted. Deleting all of the cipher suites is not allowed.

      3. Run:

        quit

        Return to the system view.

    3. Run:

      ssl policy policy-name

      An SSL policy is created and the SSL policy view is displayed.

    4. (Optional) Run:

      ssl minimum version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }

      The minimum version of an SSL policy is set.

      By default, the minimum version of an SSL policy is TLS1.1.

    5. (Optional) Run:

      binding cipher-suite-customization customization-policy-name

      A customized SSL cipher suite policy is bound to an SSL policy.

      By default, no customized cipher suite policy is bound to an SSL policy. Each SSL policy uses a default cipher suite.

      After a customized cipher suite policy is unbound from an SSL policy, the SSL policy uses one of the following default cipher suites:

      • tls1_ck_rsa_with_aes_256_sha
      • tls1_ck_rsa_with_aes_128_sha
      • tls1_ck_dhe_rsa_with_aes_256_sha
      • tls1_ck_dhe_dss_with_aes_256_sha
      • tls1_ck_dhe_rsa_with_aes_128_sha
      • tls1_ck_dhe_dss_with_aes_128_sha
      • tls12_ck_rsa_aes_256_cbc_sha256

      After a customized SSL cipher suite policy is bound to an SSL policy, the device performs SSL negotiation using the cipher suites in that customized policy.

      The customized cipher suite policy to be bound to an SSL policy must contain at least one cipher suite.

      If the cipher suites contain only one type of authentication algorithm (RSA or DSS), the corresponding type of certificate must be loaded for the SSL policy so that SSL negotiation can succeed.

    6. Load the digital certificate and specify the private key file.

      Only one certificate or certificate chain can be loaded to an SSL policy. (A certificate chain is a list of trusted certificates, starting from the end entity's certificate and ending at the root CA certificate.) If a certificate or certificate chain has already been loaded, run the undo certificate load command to unload it before loading a new one. Select the configuration that matches the certificate type.

      NOTE:

      When loading a certificate or certificate chain to an SSL policy, ensure that the length of the key pair in the certificate or certificate chain does not exceed 2048 bits. If the key pair length exceeds 2048 bits, the certificate or certificate chain cannot be uploaded to the device.

      • Load a PEM certificate or certificate chain. Run one of the following commands, depending on whether the CA issued a single digital certificate or a certificate chain.
        • Run:

          certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code

          A PEM digital certificate is loaded and the private key file is specified.

        • Run:

          certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code

          A PEM certificate chain is loaded and the private key file is specified.

      • Run:

        certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename

        An ASN1 digital certificate is loaded and the private key file is specified.

      • Run:

        certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac cipher mac-code | key-file key-filename } auth-code cipher auth-code

        A PFX digital certificate is loaded and the private key file is specified.

      NOTE:

      Before rolling V200R008 or a later version back to an earlier version, back up the SSL private key file.
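The whole procedure above, carried through as one hardened configuration session. This is an added example and not part of the Huawei guide; the policy names (strong-only, web-ssl), file names (server.pem, server.key), the authentication code, and the exact view prompts are assumptions, and the certificate files are assumed to be already uploaded to the security directory.

```text
# Added example: hardened SSL policy on an S7700/S9700 (constructed names).
# Lines starting with "#" are editorial comments and are not device input.
# Prompts are illustrative; the real view prompts may differ.

# 1. Upload server.pem and server.key via SFTP into the security directory,
#    creating it first if it is missing, then compare file sizes with the server.
<HUAWEI> mkdir security
<HUAWEI> dir security/

# 2. Customized cipher suite policy. Only RSA-authenticated suites are added,
#    so an RSA certificate must be loaded below (single-algorithm rule).
#    tls1_ck_rsa_rc4_128_sha is offered by the command but deliberately omitted:
#    RC4 is prohibited in TLS (RFC 7465) and is absent from the default list too.
<HUAWEI> system-view
[HUAWEI] ssl cipher-suite-list strong-only
[HUAWEI-cipher-suite-strong-only] set cipher-suite tls12_ck_rsa_aes_256_cbc_sha256
[HUAWEI-cipher-suite-strong-only] set cipher-suite tls1_ck_dhe_rsa_with_aes_256_sha
[HUAWEI-cipher-suite-strong-only] quit

# 3. SSL policy: raise the minimum version from the default TLS1.1 to TLS1.2,
#    bind the customized suite list, then load the PEM certificate and RSA key.
[HUAWEI] ssl policy web-ssl
[HUAWEI-ssl-policy-web-ssl] ssl minimum version tls1.2
[HUAWEI-ssl-policy-web-ssl] binding cipher-suite-customization strong-only
[HUAWEI-ssl-policy-web-ssl] certificate load pem-cert server.pem key-pair rsa key-file server.key auth-code cipher Cert@Pass1
[HUAWEI-ssl-policy-web-ssl] quit

# To replace the certificate later, unload it first (only one may be loaded):
# [HUAWEI-ssl-policy-web-ssl] undo certificate load
```

Because the customized policy is bound, the device no longer falls back to the seven default suites until the policy is unbound.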

Updated: 2019-08-21

Document ID: EDOC1000141895