Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuring PKI

Preconfiguring a Local Certificate

Configuring a PKI Entity

Context

Local certificates are signed and issued by the CA. A local certificate binds a public key to PKI entity information, which carries the identity information of the entity. The CA identifies a certificate applicant based on the identity information provided by the entity. Therefore, when applying for a local certificate, the PKI entity must send the CA a certificate enrollment request carrying its PKI entity information.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki entity entity-name

    A PKI entity is created and the PKI entity view is displayed; or the PKI entity view is displayed directly.

    By default, no PKI entity is configured.

    NOTE:

    Windows Server 2003 has low processing performance. When the device connects to a Windows Server 2003, do not configure too many PKI entities on the device or use a key pair with a large key size. Otherwise, the device may fail to connect to the server.

  3. Run common-name common-name

    A common name is configured for the PKI entity.

    By default, no common name is configured for a PKI entity.

    To uniquely identify an applicant, you can run the following optional commands to configure alias names for the PKI entity. If several PKI entities share the same common name and no alias names are configured for them, each of them will fail to apply for a certificate.

  4. (Optional) Run ip-address { ipv4-address | interface-type interface-number }

    An IP address is configured for the PKI entity.

    By default, no IP address is configured for a PKI entity.

  5. (Optional) Run fqdn fqdn-name

    A fully qualified domain name (FQDN) is configured for the PKI entity.

    By default, no FQDN name is configured for a PKI entity.

  6. (Optional) Run email email-address

    An email address is configured for the PKI entity.

    By default, no email address is configured for a PKI entity.

  7. (Optional) Run country country-code

    A country code is configured for the PKI entity.

    By default, no country code is configured for a PKI entity.

  8. (Optional) Run locality locality-name

    A geographic area is configured for the PKI entity.

    By default, no geographic area is configured for a PKI entity.

  9. (Optional) Run state state-name

    A state name or province name is configured for the PKI entity.

    By default, no state name or province name is configured for a PKI entity.

  10. (Optional) Run organization organization-name

    An organization name is configured for the PKI entity.

    By default, no organization name is configured for a PKI entity.

  11. (Optional) Run organization-unit organization-unit-name

    A department name is configured for the PKI entity.

    By default, no department name is configured for a PKI entity.

Configuring an RSA Key Pair

Context

Local certificates are signed and issued by the CA. A local certificate binds a public key to PKI entity information. Therefore, before applying for a local certificate, you must configure an RSA key pair to generate the public and private keys. The PKI entity sends the public key to the CA, and the peer uses this key to encrypt plaintext. The PKI entity keeps the private key itself and uses it to digitally sign data and to decrypt ciphertext from the peer.

You can configure an RSA key pair using either of the following methods:

  • Create an RSA key pair.

    You can directly create a key pair on the device, removing the need to import the key pair to the device memory.

  • Import an RSA key pair.

    To use the key pair generated by another PKI entity, upload the key pair to the device through FTP or SFTP and then import it into the device memory. Otherwise, the key pair does not take effect on the device.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run the following commands as required.
    • Create an RSA key pair.

      Run pki rsa local-key-pair create key-name [ modulus modulus-size ] [ exportable ]

      An RSA key pair is created to apply for a local certificate.

    • Import an RSA key pair.

      Run pki import rsa-key-pair key-name { pem | pkcs12 } file-name [ exportable ] [ password password ] or pki import rsa-key-pair key-name der file-name [ exportable ]

      The specified RSA key pair and certificate in the specified file are imported into the device memory.

      NOTE:

      The imported RSA key pair can be exported only if the exportable parameter is specified in the command.

      Windows Server 2003 has low processing performance. When the device connects to a Windows Server 2003, do not configure too many PKI entities on the device or use a key pair with a large key size. Otherwise, the device may fail to connect to the server.

Follow-up Procedure
  • To back up RSA key pairs or use RSA key pairs on other devices, run the pki export rsa-key-pair key-name [ and-certificate certificate-name ] { pem file-name [ 3des | aes | des ] | pkcs12 file-name } password password command to export the specified RSA key pair into the device memory. In addition to the RSA key pair, its associated certificate will also be exported. Subsequently, the RSA key pair can be obtained using FTP or SFTP.

  • When RSA key pairs are leaked, damaged, lost or not used, run the pki rsa local-key-pair destroy key-name command to destroy a specified RSA key pair.

    After this command is executed, the specified RSA key pair is deleted from the active device, and it is also deleted from the standby device.

  • To check the RSA key pair corresponding to a certificate, run the pki match-rsa-key certificate-filename file-name command to configure a device to search for the RSA key pair associated with a specific certificate.

Configuring a PKI Entity to Obtain a CA Certificate

Context

When applying for a local certificate, the PKI entity sends the certificate enrollment request to the CA. To improve transmission security, the PKI entity must use the CA's public key to encrypt the certificate enrollment message. Therefore, the PKI entity must have the CA's certificate and obtain the public key from the CA certificate.

Configuration Procedure

A PKI entity must download and then install a CA certificate.

Downloading a CA Certificate for a PKI Entity

Context

Three methods are available to download a CA certificate, depending on the service types provided by the CA:

  • Download the CA certificate from the CA server through SCEP into the device storage.

  • Download the CA certificate from the web server to the device storage through HTTP.

  • Obtain the CA certificate in an outbound way (web, disk, or email) and then upload it to the device storage.

Procedure

  • Download a CA certificate through SCEP.

    For details about downloading a CA certificate through SCEP, see Applying for and Updating the Local Certificate Through SCEP.

  • Download a CA certificate through the Hypertext Transfer Protocol (HTTP).
    1. Run system-view

      The system view is displayed.

    2. Run pki http [ esc ] url-address save-name

      A CA certificate is downloaded through HTTP.

      url-address must include a complete certificate file name and file name extension, for example, http://10.1.1.1:8080/cert.cer. If url-address specifies a domain name, ensure that the domain name can be resolved.

  • Download a CA certificate in an outbound way.

    After you obtain a CA certificate in an outbound way (web, disk, or email), manually upload it to the device storage. You can also download a CA certificate through the administrator's PC and then upload it to the device storage through FTP or SFTP, or web system.

(Optional) Installing a CA Certificate for a PKI Entity

Context

A downloaded CA certificate must be imported into the device memory to take effect. The device will store the imported certificate file to the ca_config.ini file in the default directory and automatically load the certificate file after restarting.

NOTE:

To prevent a failure to install the CA certificate, ensure that the CA certificate file size does not exceed 1 MB.

When the SCEP is used, the device automatically installs the CA certificate, and you do not need to manually install the CA certificate.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki import-certificate ca realm realm-name { der | pkcs12 | pem } [ filename filename ] [ replace ] [ no-check-validate ] [ no-check-hash-alg ] or pki import-certificate ca realm realm-name pkcs12 filename filename [ no-check-validate ] [ no-check-hash-alg ] password password

    The CA certificate is imported into the device memory.

  3. (Optional) Run pki set-certificate expire-prewarning day

    The expiry prewarning time of the CA certificate in the device memory is configured.

    The default expiry prewarning time of the CA certificate in the device memory is 7 days.

Follow-up Procedure
  • To copy a CA certificate to another device, run the pki export-certificate ca realm realm-name { der | pem | pkcs12 } [ filename filename ] command. The CA certificate is exported into the device storage, from which it can be obtained through FTP or SFTP.

  • To copy a default built-in CA certificate to another device, run the pki export-certificate default ca filename filename command. The default built-in CA certificate is exported into the device storage, from which it can be obtained through FTP or SFTP.

  • If a CA certificate expires or is not in use, run the pki delete-certificate ca realm realm-name command to delete the CA certificate from the device memory.

Verifying the Local Certificate Preconfiguration

Prerequisites

A PKI entity, an RSA key pair, and a CA certificate have been configured.

Procedure

  • Run the display pki entity [ entity-name ] command to check PKI entity information.
  • Run the display pki rsa local-key-pair { pem | pkcs12 } filename [ password password ] command to check RSA key pair information.
  • Run the display pki rsa local-key-pair [ name key-name ] public [ temporary ] command to check RSA public key information.
  • Run the display pki realm [ realm-name ] command to check PKI realm information.
  • Run the display pki certificate ca realm realm-name command to check the loaded CA certificate.
  • Run the display pki credential-storage-path command to check the default path where a PKI certificate is stored.
  • Run the display pki ca-capability realm realm-name command to check the CA capabilities of a PKI domain.

Applying for and Updating Local Certificate

Prerequisites

The Preconfiguring a Local Certificate is complete.

Configuration Procedure

Select one of the following methods to apply for and update a local certificate.

Applying for and Updating the Local Certificate Through SCEP

Context

Two methods are available to apply for the local certificate for a PKI entity through the Simple Certificate Enrollment Protocol (SCEP):

  • Automatic local certificate application and update

    If the configuration required for local certificate application has been performed and the device has no local certificate, the device automatically applies for the local certificate through SCEP. Alternatively, if the local certificate will expire soon, has expired, or reaches the specified percentage of validity period, the device automatically applies for and updates the local certificate through SCEP.

  • Manual local certificate application

    If the configuration required for local certificate application has been performed and the device has no local certificate, the device is manually triggered to apply for the local certificate through SCEP. If the local certificate will expire soon, has expired, or reaches the specified percentage of validity period, the device does not automatically apply for and update the local certificate through SCEP.

When you use either method to apply for the local certificate, the device obtains the CA certificate, saves it to the device storage, and automatically imports it to the device memory. The device then uses the public key in the CA certificate to encrypt its local certificate enrollment request and sends the request to the CA to apply for a local certificate. Finally, the device saves the local certificate to the device storage and automatically imports it to the device memory.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki file-format { der | pem }

    The file format in which the device stores the certificate is configured.

    By default, the device stores the certificate into a PEM file.

  3. Run pki realm realm-name

    A PKI realm is created and the PKI realm view is displayed; or the PKI realm view is displayed directly.

    By default, the device has a PKI realm named default. This realm can only be modified but cannot be deleted.

    A PKI realm is valid only on the local device and unavailable to certificate authorities (CAs) or other devices. Each PKI realm has its own parameters.

  4. Run ca id ca-name

    A trusted CA is configured for the PKI realm.

    By default, no trusted CA is configured for a PKI realm.

    ca-name specifies the name of a CA server.

  5. Run entity entity-name

    A PKI entity that applies for a local certificate is specified.

    By default, no PKI entity that applies for a local certificate is specified.

    The PKI entity specified by entity-name must have been created using the pki entity command.

  6. Run rsa local-key-pair key-name

    The RSA key pair used in SCEP-based certificate application is configured.

    By default, the RSA key pair used in SCEP-based certificate application is not configured.

    The RSA key pair specified by key-name must have been created using the pki rsa local-key-pair create command.

  7. (Optional) Run key-usage { ike | ssl-client | ssl-server } *

    The certificate public key usage attribute is configured.

    By default, no certificate public key usage attribute is configured.

  8. (Optional) Run source interface interface-type interface-number

    The source interface used in TCP connection setup is specified.

    By default, the source interface used in a TCP connection is an egress interface.

    The source interface must be a Layer 3 interface with an IP address configured.

  9. (Optional) Run enrollment self-signed

    Self-signed certificate obtaining is configured for the PKI realm.

    By default, the certificate in a PKI realm, except the default PKI realm, is obtained in SCEP mode.

    The default certificate obtaining for the PKI realm default is self-signed.

    To implement default HTTPS functions or allow users to access the network temporarily, run this command.

  10. Run enrollment-url [ esc ] url [ interval minutes ] [ times count ] [ ra ]

    A CA server URL is configured.

    By default, the CA server URL is not configured.

    Pay attention to the following points:

    • If the esc parameter is not specified in the command, the URL format is http://server_location/ca_script_location.

      server_location supports the IP address format or domain name format. ca_script_location is the path where CA server host's application script is located. For example, when the Windows server functions as the CA server, the URL format is http://host:port/certsrv/mscep/mscep.dll. host is the CA server's IP address, and port is the CA server's port number. If the CA server's IP address is 10.137.145.158 and port number is 8080, the URL is http://10.137.145.158:8080/certsrv/mscep/mscep.dll.

    • If the esc parameter is specified, a URL that contains a question mark (?) can be entered in ASCII format.

      The question mark must be entered as \x3f, in which 3f is the hexadecimal ASCII value of the question mark (?). For example, to enter http://abc.com?page1, type http://abc.com\x3fpage1. If the URL contains both a question mark (?) and the literal text \x3f (http://www.abc.com?page1\x3f), type http://www.abc.com\x3fpage1\\x3f.

    • If certificate requests are manually processed on the CA server, it may take a long period of time to issue a certificate. The PKI entity applying for a certificate needs to periodically send queries to obtain the issued certificate in time. To adjust the certificate enrollment query interval and maximum number of queries, configure the interval and times parameters.

    • If the ra parameter is specified, an RA authenticates a PKI entity's identity information during local certificate application. By default, a CA authenticates a PKI entity's identity information during local certificate application.

  11. Run enrollment-request signature message-digest-method { md5 | sha1 | sha-256 | sha-384 | sha-512 }

    The digest algorithm used to sign certificate enrollment requests is configured.

    By default, the digest algorithm used to sign certificate enrollment requests is sha-256.

    SHA2 algorithms are more secure than md5 and sha1 algorithms and so are recommended.

    The digest algorithm used on a PKI entity must be the same as that used on the CA server.

  12. Run password cipher password

    The challenge password used in SCEP certificate application is configured. The challenge password is also called certificate revocation password.

    By default, the challenge password used in SCEP certificate application is not configured.

    The challenge password used on a PKI entity must be the same as that configured on the CA server. If the CA server does not require a challenge password, this challenge password does not need to be configured.

  13. Run fingerprint { md5 | sha1 | sha256 } fingerprint

    The CA certificate fingerprint used in CA certificate authentication is configured.

    By default, the CA certificate fingerprint used in CA certificate authentication is not configured.

    The fingerprint needs to be obtained offline from a CA server. For example, when Windows Server 2008 functions as the CA server, access the web page address http://host:port/certsrv/mscep_admin/ to obtain the CA certificate fingerprint. In the web page address, host specifies the CA server's IP address, and port specifies the CA server's port number.

  14. Configure the local certificate application and update mode.
    • Configure automatic application and update of local certificate.

      Run auto-enroll [ percent ] [ regenerate [ key-bit ] ] [ updated-effective ]

      The automatic certificate application and update function is enabled.

      By default, the automatic certificate application and update function is disabled.

    • Configure manual local certificate application.

      1. Run quit

        Return to the system view.

      2. Run pki enroll-certificate realm realm-name [ password password ]

        Manual certificate application is configured.

        If the password command is configured, the password parameter does not need to be specified. If both the password command and password parameter are configured, the password parameter setting takes effect.
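
As an added example (not part of the Huawei guide), the following Python encodes a plain URL into the form typed after the esc keyword in step 10 and decodes it back using the rules stated there. The page shows only that a literal \x3f is typed as \\x3f; generalizing this to "every literal backslash is doubled" is an assumption, as is the hypothetical helper naming.

```python
"""Encode/decode the form a URL takes after the `esc` keyword.

Added example, not Huawei code. Rules from the guide: a question mark is
typed as \\x3f (3f = ASCII hex of '?'), and a URL that already contains the
literal text \\x3f is typed as \\\\x3f. Generalising that second rule to
"every literal backslash is doubled" is an assumption.
"""


def needs_esc(url: str) -> bool:
    """True when the URL cannot be entered without the `esc` keyword."""
    return "?" in url or "\\" in url


def esc_encode(url: str) -> str:
    """Plain URL -> text to type after `esc` (e.g. enrollment-url esc ...)."""
    # Double backslashes first so the \x3f added for '?' is not re-escaped.
    return url.replace("\\", "\\\\").replace("?", "\\x3f")


def esc_decode(escaped: str) -> str:
    """Text typed after `esc` -> plain URL as the device interprets it.

    Scans left to right so that \\\\x3f (escaped backslash, then the literal
    text x3f) is not mistaken for \\x3f (a question mark).
    """
    out = []
    i = 0
    while i < len(escaped):
        if escaped[i] != "\\":
            out.append(escaped[i])
            i += 1
            continue
        rest = escaped[i + 1:]
        if rest.startswith("\\"):          # \\   -> literal backslash
            out.append("\\")
            i += 2
        elif rest[:3].lower() == "x3f":    # \x3f -> question mark
            out.append("?")
            i += 4
        else:
            raise ValueError(f"unknown escape at offset {i}: {escaped[i:i + 4]!r}")
    return "".join(out)


if __name__ == "__main__":
    # Constructed samples taken from the guide's own examples.
    for plain in ("http://abc.com?page1", "http://www.abc.com?page1\\x3f",
                  "http://10.137.145.158:8080/certsrv/mscep/mscep.dll"):
        typed = esc_encode(plain)
        print(f"{plain!r:48} esc needed={needs_esc(plain)!s:5} -> {typed!r}")
        assert esc_decode(typed) == plain
```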

Applying for the Local Certificate in Offline Mode

Context

If the CA server does not support SCEP, configure the device to apply for the local certificate in offline mode. Users generate a certificate request file on the device and then send the file to the CA in an outbound way (web, disk, or email) to apply for the local certificate. After applying for the certificate, users still need to download the certificate from the server where the certificate is stored and save it to the device storage.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki realm realm-name

    A PKI realm is created and the PKI realm view is displayed; or the PKI realm view is displayed directly.

    By default, the device has a PKI realm named default. This realm can only be modified but cannot be deleted.

    A PKI realm is valid only on the local device and unavailable to certificate authorities (CAs) or other devices. Each PKI realm has its own parameters.

  3. Run entity entity-name

    A PKI entity that applies for a local certificate is specified.

    By default, no PKI entity that applies for a local certificate is specified.

    The PKI entity specified by entity-name must have been created using the pki entity command.

  4. Run rsa local-key-pair key-name

    The RSA key pair used in offline mode certificate application is configured.

    By default, the RSA key pair used in offline mode certificate application is not configured.

  5. Run enrollment-request signature message-digest-method { md5 | sha1 | sha-256 | sha-384 | sha-512 }

    The digest algorithm used to sign certificate enrollment requests is configured.

    By default, the digest algorithm used to sign certificate enrollment requests is sha-256.

    The SHA2 algorithms (sha-256, sha-384, and sha-512) are more secure than md5 and sha1 and so are recommended.

    The digest algorithm used on a PKI entity must be the same as that used on the CA server.

  6. (Optional) Run key-usage { ike | ssl-client | ssl-server } *

    The certificate public key usage attribute is configured.

    By default, no certificate public key usage attribute is configured.

  7. Run quit

    Return to the system view.

  8. Run pki file-format { der | pem }

    The file format in which the device stores the certificate and certificate request is configured.

    By default, the device stores the certificate and certificate request into a PEM file.

  9. Run pki enroll-certificate realm realm-name pkcs10 [ filename filename ] [ password password ]

    The device is configured to save certificate application information into a file in PKCS#10 format.

    The challenge password used on a PKI entity must be the same as that configured on the CA server. If the CA server does not require a challenge password, this challenge password does not need to be configured.

  10. Send the certificate request file to the CA in an outbound way (web, disk, or email) to apply for the local certificate.

Verifying the Local Certificate Application and Update Configuration

Prerequisites

The local certificate application and update configuration has been completed.

Procedure

  • Run the display pki realm [ realm-name ] command to check PKI realm information.
  • Run the display pki credential-storage-path command to check the default path where a PKI certificate is stored.
  • Run the display pki certificate enroll-status [ realm realm-name ] command to check the certificate enrollment status.
  • Run the display pki cert-req filename file-name command to check the certificate request file.
  • Run the display pki certificate { ca | local } realm realm-name command to check the loaded CA certificate and local certificate.

(Optional) Downloading a Local Certificate

Prerequisites

The device has applied for the local certificate in offline mode, and the local certificate has been enrolled on the CA successfully.

Context

If the device applies for the local certificate through SCEP, it automatically downloads the local certificate. The local certificate needs to be downloaded only when the local certificate is applied for in offline mode.

Depending on the service types provided by the CA server, the device obtains the local certificate in one of the following ways:

  • Download the local certificate from the web server to the device storage through HTTP.

  • Obtain the local certificate in an outbound way (web, disk, or email) and then upload it to the device storage.

Procedure

  • Download the local certificate through HTTP.
    1. Run system-view

      The system view is displayed.

    2. Run pki http [ esc ] url-address save-name

      The device is configured to download the local certificate through HTTP.

      url-address must include a complete certificate file name and file name extension, for example, http://10.1.1.1:8080/cert.cer. If url-address specifies a domain name, ensure that the domain name can be resolved.

  • Download the local certificate in an outbound way (web, disk, or email).

    After you obtain the local certificate in an outbound way (web, disk, or email), manually upload it to the device storage. You can also download the local certificate through the administrator's PC and then upload it to the device storage through FTP or SFTP, or web system.

Verifying the Configuration
  • Run the display pki credential-storage-path command to check the default path where a PKI certificate is stored.

  • Run the dir (user view) command to check the local certificate file in a storage device.

(Optional) Installing the Local Certificate

Prerequisites

The local certificate has been downloaded, and the certificate file has been stored to the device storage.

NOTE:

To prevent a failure to install the local certificate, ensure that the certificate file size does not exceed 1 MB.

You need to manually install the local certificate when the local certificate is applied offline or the CMPv2 method is configured. When the SCEP method is configured, the device automatically downloads the local certificate.

Context

The downloaded local certificate must be imported into the device memory to take effect. The device will store the imported certificate file to the ca_config.ini file in the default directory and automatically load the certificate file after restarting.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki import-certificate local realm realm-name { der | pkcs12 | pem } [ filename filename ] [ no-check-validate ] [ no-check-hash-alg ] or pki import-certificate local realm realm-name pkcs12 filename filename [ no-check-validate ] [ no-check-hash-alg ] password password

    The local certificate is imported into the device memory.

    A key pair file may be included in the certificate file, or exist independently of the certificate file. The import methods are different.

    • A certificate file contains a key pair file.

      Run the pki import rsa-key-pair command to import the certificate and key pair files simultaneously.

      NOTE:

      If a certificate file contains a key pair file, the pki import-certificate command imports only the certificate file, but not the key pair file. To import the key pair file, run the pki import rsa-key-pair command after the pki import-certificate command.

    • The key pair file is independent of the certificate file.

      1. Import the certificate file.

        Run the pki import-certificate command.

      2. Import the key pair file.

        Run the pki import rsa-key-pair command.

    NOTE:

    If you do not know the format of the certificate you want to import, configure each format in turn and check whether the certificate is successfully imported. If the certificate format is not specified, the system automatically detects the certificate format and imports it.

  3. (Optional) Run pki set-certificate expire-prewarning day

    The expiry prewarning time of the local certificate in the device memory is configured.

    The default expiry prewarning time of the local certificate in the device memory is 7 days.

Follow-up Procedure
  • To copy the local certificate to another device, run the pki export-certificate local realm realm-name { pem | pkcs12 } [ filename filename [ password password ] ] or pki export-certificate local realm realm-name der [ filename filename ] command. The local certificate is exported into the device storage, from which it can be obtained through FTP or SFTP.

  • To copy a default built-in local certificate to another device, run the pki export-certificate default local filename filename command. The default built-in local certificate is exported into the device storage, from which it can be obtained through FTP or SFTP.

Verifying the Configuration

Run the display pki certificate local realm realm-name command to check the loaded local certificate.

Verifying the CA and Local Certificates

Prerequisites

The task of (Optional) Installing the Local Certificate is complete.

Configuration Procedure

Perform the following operations in sequence:

Configuring Local Certificate Check
Context

The PKI entity periodically validates the peer certificate, for example, checks whether the peer certificate has expired and whether it is listed in a CRL. There are three ways to check certificate status: CRL, OCSP, and None.

  • CRL

    If the CA server can function as a CRL distribution point (CDP), the certificate issued by the CA contains the CDP information needed to obtain the CRL. The PKI entity then uses the specified method (HTTP) to locate the CRL at the specified location and download it.

    If the CDP URL is configured for a PKI entity, the PKI entity obtains the CRL from the specified URL. If the CA server cannot function as a CDP, the PKI entity uses SCEP to download the CRL.

    When the PKI entity authenticates the local certificate, the PKI entity searches for the certificate in the CRL stored in local memory. If the certificate is included in the CRL, it indicates that the certificate has been revoked. If no CRL is available in local memory, the CRL needs to be downloaded and installed.

  • OCSP

    When two PKI entities use certificates to perform IPSec negotiation, they check the peer certificate status through OCSP in real time.

    OCSP does not require the PKI entity to download CRLs frequently. When a PKI entity accesses an OCSP server, the entity requests the certificate status, and the OCSP server replies with a valid, expired, or unknown state.

    • Valid indicates that the certificate has not been revoked.

    • Expired indicates that the certificate has been revoked.

    • Unknown indicates that the OCSP server does not know the certificate status.

  • None

    If no CRL or OCSP server is available to the PKI entity or the PKI entity does not need to check the local certificate status, this mode can be used. In this mode, the PKI entity does not check certificate revocation.
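
To make the interplay of the three methods concrete, here is an added Python model (not Huawei code) of how a realm's configured method list is evaluated the way the certificate-check command composes them: each method is tried in order, a later one only when the earlier is unavailable, and none accepts the certificate when everything before it was unavailable. Two behaviours the guide does not state are assumptions here (an OCSP unknown answer rejects, and an exhausted list without none rejects), and the revocation data is constructed.

```python
"""Model of how a PKI realm's `certificate-check` method list is evaluated.

Added example, not Huawei code. From the guide: the configured methods are
consulted in order; a later method is used only when the earlier one is
unavailable (no CRL in memory, OCSP server unreachable); `none` at the end
accepts the certificate when every earlier method was unavailable; `none`
alone skips revocation checking. Two points the guide does not state are
assumptions here: an OCSP "unknown" answer rejects the certificate, and an
exhausted list without `none` rejects it.
"""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    GOOD = "good"                # absent from the CRL / OCSP "valid"
    REVOKED = "revoked"          # listed in the CRL / OCSP "expired"
    UNKNOWN = "unknown"          # OCSP server does not know the certificate
    UNAVAILABLE = "unavailable"  # method could not be used at all


@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str


@dataclass
class RevocationSources:
    """Constructed stand-ins for what the device holds in memory or fetches."""
    crl_by_issuer: dict = field(default_factory=dict)   # issuer -> set of revoked serials
    ocsp_by_serial: dict = field(default_factory=dict)  # serial -> "valid" | "expired"
    ocsp_reachable: bool = True

    def check_crl(self, cert: Cert) -> Status:
        crl = self.crl_by_issuer.get(cert.issuer)
        if crl is None:                      # no CRL for this CA in memory
            return Status.UNAVAILABLE
        return Status.REVOKED if cert.serial in crl else Status.GOOD

    def check_ocsp(self, cert: Cert) -> Status:
        if not self.ocsp_reachable:
            return Status.UNAVAILABLE
        answer = self.ocsp_by_serial.get(cert.serial)
        return {"valid": Status.GOOD, "expired": Status.REVOKED}.get(answer, Status.UNKNOWN)


def parse_certificate_check(args):
    """Validate arguments against `certificate-check { { crl | ocsp } * [ none ] | none }`."""
    if not args:
        raise ValueError("at least one method is required")
    if "none" in args[:-1]:
        raise ValueError("none may only be the last method")
    body = [a for a in args if a != "none"]
    if any(a not in ("crl", "ocsp") for a in body) or len(body) != len(set(body)):
        raise ValueError(f"invalid method list: {args}")
    return list(args)


def certificate_check(methods, cert: Cert, sources: RevocationSources):
    """Return (accepted, deciding_method, status) for the configured chain."""
    handlers = {"crl": sources.check_crl, "ocsp": sources.check_ocsp}
    for method in parse_certificate_check(methods):
        if method == "none":
            # Reached only when everything before it was unavailable.
            return True, "none", Status.GOOD
        status = handlers[method](cert)
        if status is Status.UNAVAILABLE:
            continue                          # fall through to the next method
        return status is Status.GOOD, method, status
    return False, "exhausted", Status.UNAVAILABLE   # assumption: reject


if __name__ == "__main__":
    # Constructed data: CA-A published a CRL, CA-B did not.
    sources = RevocationSources(crl_by_issuer={"CA-A": {0x1001}},
                                ocsp_by_serial={0x1001: "expired", 0x2002: "valid"})
    for chain in (["crl", "ocsp", "none"], ["crl", "ocsp"], ["none"]):
        for cert in (Cert(0x1001, "CA-A"), Cert(0x2002, "CA-A"), Cert(0x3003, "CA-B")):
            print(" ".join(chain), cert, "->", certificate_check(chain, cert, sources))
```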

Procedure
  1. Run system-view

    The system view is displayed.

  2. Run pki realm realm-name

    A PKI realm is created and its view is displayed, or the view of an existing PKI realm is displayed.

    By default, the device has a PKI realm named default. This realm can only be modified but cannot be deleted.

  3. Run certificate-check { { crl | ocsp } * [ none ] | none }

    The method for checking whether a certificate in the PKI realm is revoked is configured.

    By default, the system checks using CRLs whether a certificate in the PKI realm is revoked.

    If multiple certificate status check methods are configured, these methods are used in the configuration sequence. The later method is used only when the previous method is unavailable because, for example, the server cannot be connected. If None is configured, a certificate is considered valid when all the previous methods are unavailable. For example, after the certificate-check crl ocsp none command is executed, the PKI entity uses CRL to check certificate status first. If the CRL method is unavailable, the PKI entity uses OCSP. If neither CRL nor OCSP is available, the certificate is considered valid.

  4. Select a method to check peer certificate status according to the service types provided by the CA:

Automatic CRL Update
  1. Run quit

    Return to the system view.

  2. (Optional) Run pki file-format { der | pem }

    The format in which downloaded CRLs are saved is set.

    By default, CRLs are saved in PEM format.

  3. Run pki realm realm-name

    The view of an existing PKI realm is displayed.

  4. Run crl auto-update enable

    Automatic CRL update is enabled.

    By default, automatic CRL update is enabled.

  5. Run crl update-period interval

    The interval for automatic CRL update is set.

    By default, the automatic CRL update interval is 8 hours.

  6. Select an automatic CRL update method according to the service types provided by the CA.

    • SCEP

      1. Run crl scep

        The CRL is automatically updated using SCEP.

        By default, CRL is automatically updated using HTTP.

      2. Run cdp-url [ esc ] url-addr

        The CDP URL is configured.

        By default, no CDP URL is configured.

    • HTTP

      1. Run crl http

        The CRL is automatically updated using HTTP.

        By default, CRL is automatically updated using HTTP.

      2. Run cdp-url [ esc ] url-addr or cdp-url from-ca

        The CDP URL is configured, or the device is configured to obtain the CDP URL from the CA certificate.

        By default, no CDP URL is configured.

  7. Run crl cache

    The PKI realm is allowed to use the cached CRL.

    By default, the PKI realm is allowed to use cached CRLs.

  8. (Optional) Update the CRL immediately.

    1. Run quit

      Return to the system view.

    2. Run pki get-crl realm realm-name

      The CRL is immediately updated.

      After this command is executed, the newly downloaded CRL replaces the old CRL file in storage and is automatically imported into memory, replacing the CRL in use.

Manual CRL Update
  1. Run quit

    Return to the system view.

  2. (Optional) Run pki file-format { der | pem }

    The format in which downloaded CRLs are saved is set.

    By default, CRLs are saved in PEM format.

  3. Run pki http [ esc ] url-address save-name

    The CRL is downloaded using HTTP and saved under the name save-name.

    The value of url-address must include the name and extension of the file to download, for example, http://10.1.1.1:8080/cert.cer. If url-address contains a domain name, ensure that the device can resolve it.

  4. Run pki import-crl realm realm-name filename file-name

    The CRL is imported into memory.

OCSP
  1. (Optional) Run source interface interface-type interface-number

    The source interface used to set up the TCP connection to the OCSP server is specified.

    By default, the egress interface is used as the source interface of the TCP connection.

    The source interface must be a Layer 3 interface with an IP address configured.

  2. Run ocsp url [ esc ] url-address or ocsp-url from-ca

    The URL of the OCSP server is configured, or the device is configured to obtain the OCSP server URL from the Authority Information Access (AIA) extension of the CA certificate.

    By default, no OCSP server URL is configured.

  3. (Optional) Run ocsp nonce enable

    The nonce extension is added to the OCSP requests sent by the PKI entity.

    By default, the OCSP requests sent by the PKI entity carry the nonce extension.

    The nonce binds an OCSP response to the request that triggered it, which protects the exchange between the PKI entity and the OCSP server against replay of an old response. The nonce value is randomly generated by the system for each request. The OCSP server may or may not include the nonce extension in its response; if it does, the value must match the nonce sent in the request. Because a response without a nonce is still accepted, the replay protection only takes effect with a responder that echoes the nonce.

  4. (Optional) Run ocsp signature enable

    Signature for OCSP requests is enabled.

    By default, signature for OCSP requests is disabled.

    This command is required when the OCSP server requires OCSP requests to be signed.

  5. Run quit

    Return to the system view.

  6. Run pki import-certificate ocsp realm realm-name { der | pkcs12 | pem } [ filename filename ] or pki import-certificate ocsp realm realm-name pkcs12 filename filename password password

    The OCSP server certificate is imported into memory. OCSP responses are signed, and the PKI entity uses this certificate to verify the signature on the responses it receives.

  7. Run pki ocsp response cache enable

    The OCSP response cache function is enabled.

    By default, the OCSP response cache function is disabled.

    After this command is executed, the PKI entity first searches the cache when checking a certificate status using OCSP. If there is no cached response for the certificate, the PKI entity sends a request to the OCSP server and caches the valid response it receives for later lookups.

    An OCSP response has a validity period. After the OCSP response cache function is enabled, the PKI entity refreshes the cache periodically, at the configured refresh interval, and deletes responses whose validity period has expired.

  8. (Optional) Run pki ocsp response cache number number

    The maximum number of OCSP responses in the cache is set.

    By default, a PKI entity can cache 2 OCSP responses.

  9. (Optional) Run pki ocsp response cache refresh interval interval

    The interval at which the PKI entity updates the OCSP response cache is set.

    By default, the PKI entity updates the OCSP response cache every five minutes.

Follow-up Procedure
  • To copy an OCSP server certificate from the local device to another device, run the pki export-certificate ocsp realm realm-name { der | pem | pkcs12 } [ filename filename ] command to export the certificate to a file in the local device's storage first, and then transfer the file to the other device using a file transfer protocol.

  • To delete an expired or unused OCSP server certificate from memory, run the pki delete-certificate ocsp realm realm-name command.

  • To delete an expired or unused CRL from memory, run the pki delete-crl realm realm-name command.

Checking the CA and Local Certificates

Context

Before a certificate is used, it must be verified. The issue date, issuer information, and validity period recorded in the certificate all need to be checked, but the core of verification is checking the CA's signature on the certificate and checking whether the certificate has expired or been revoked.

To verify a certificate, the local device must hold the peer certificate together with the following: the CA certificate, the CRL, its own local certificate and private key, and the configuration used for certificate verification.

The local device authenticates a local certificate as follows:

  1. Uses the public key in the CA certificate to verify the certificate's signature.

    To verify a certificate, a PKI entity must obtain the public key of the issuing CA from that CA's certificate, so that it can check the CA's signature on the certificate. Each CA certificate is in turn verified with the certificate of the CA above it. Verification proceeds along the certificate chain and stops at the trustpoint (the root CA, which holds a self-signed certificate, or a subordinate CA that the PKI entity trusts directly).

    PKI entities that share the same root or subordinate CA, and hold that CA's certificate, can verify each other's certificates (peer certificates). Verification of a peer certificate chain ends at the first trusted certificate or CA.

    In short, certificate chain verification starts at an entity's certificate and ends at a trustpoint.

  2. Checks whether the certificate is within its validity period.

  3. Checks whether the certificate has been revoked, using the CRL, or skips the revocation check in None mode.

To check validity of the CA and local certificates of the local device, perform the following steps.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki validate-certificate { ca | local } realm realm-name

    The validity of the CA certificate or the local certificate is checked.

    The pki validate-certificate ca command verifies only the root CA certificate, not subordinate CA certificates. When multiple CA certificates are imported on the device, only the pki validate-certificate local command can be used to verify the subordinate certificates.

Verifying the CA and Local Certificate Configuration

Prerequisites

Configuring the validity check for the CA and local certificates has been completed.

Procedure

  • Run the display pki realm [ realm-name ] command to check the PKI realm configuration.
  • Run the display pki crl { realm realm-name | filename filename } command to check the CRL in the device.
  • Run the display pki certificate ocsp realm realm-name command to check the OCSP server certificate loaded to the device.
  • Run the display pki ocsp cache statistics command to check the OCSP response cache information.
  • Run the display pki ocsp server down-information command to check the OCSP server Down records.
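
The following is an added configuration example, not taken from the Huawei documentation, that puts the revocation-check steps above (certificate-check, automatic CRL update, OCSP) and the verification commands into one sequence for the realm named default, which the page says exists on every device. It first shows the fail-open form of certificate-check and then the hardened form. The OCSP responder URL http://10.1.1.2/ocsp and the responder certificate file name ocsp_responder.pem are placeholders chosen for illustration; lines beginning with # are annotations for the reader and are not CLI input. Commands are listed without prompts, each in the view that the procedure above places it in.

```text
# Weak form: with "none" as the last method, a peer certificate is accepted
# without any revocation check whenever the CDP and the OCSP responder are
# both unreachable. Do not use this where revoked certificates must be rejected.
system-view
pki realm default
 certificate-check crl ocsp none
 quit

# Hardened form: CRL first, OCSP as fallback, no fail-open fallback.
system-view
pki realm default
 certificate-check crl ocsp
 crl auto-update enable
 crl http
 cdp-url from-ca
 crl cache
 ocsp url http://10.1.1.2/ocsp
 ocsp nonce enable
 quit
# Responder certificate (placeholder file name) used to check OCSP response signatures
pki import-certificate ocsp realm default pem filename ocsp_responder.pem
pki ocsp response cache enable
# Fetch a CRL now instead of waiting for the first automatic update
pki get-crl realm default
# Verify the chain and inspect the result
pki validate-certificate ca realm default
pki validate-certificate local realm default
display pki realm default
display pki crl realm default
display pki certificate ocsp realm default
display pki ocsp server down-information
```

After the hardened form is applied, display pki ocsp server down-information is the place to look when peers start failing certificate checks: with no none fallback, an unreachable responder shows up there as a check failure rather than being silently accepted.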

Deleting the Local Certificate

Context

When a local certificate expires or you want to request a new certificate, delete the existing local certificate.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki delete-certificate local realm realm-name

    The local certificate is deleted from the memory.

Configuring the Extended Functions

Configuring Certificate Obtaining

Context

When SCEP is used, the PKI entity queries the CA server for issued certificates, obtains them, and saves the CA certificates to local storage.

After obtaining a CA certificate, the device automatically imports it into memory.

The purposes of obtaining a certificate are as follows:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki get-certificate { ca | local } realm realm-name

    The certificate is obtained and saved to storage.

    If the same certificate already exists on the device, delete it first; otherwise, the certificate cannot be obtained.

Configuring a Self-Signed Certificate or Local Certificate

Context

If a device cannot obtain a local certificate from the CA, it can generate a self-signed certificate or a local certificate itself. The generated certificate is saved in storage as a file and issued to a PKI entity. You can export the certificate and transfer it to another device.

  • A self-signed certificate is issued by a device to itself, so the issuer and subject of a self-signed certificate are identical.
  • A local certificate is issued by a device to itself on the basis of the certificate issued by the CA, so the issuer of a local certificate is the CA.
NOTE:

A device does not support lifecycle management (such as renewal and revocation) of its self-signed certificate, and no party other than the device itself vouches for it. To ensure the security of the device and its certificate, replace the self-signed certificate with a local certificate as soon as one can be obtained.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki create-certificate [ self-signed ] filename file-name

    A self-signed certificate or local certificate is created.

    During the configuration, you are prompted to enter the certificate information, such as the PKI entity attributes, the certificate file name, the certificate validity period, and the length of the RSA key pair.

    Specify the self-signed parameter to create a self-signed certificate. If this parameter is not specified, a local certificate is created.

    The created self-signed certificate or local certificate is in PEM format.

Updated: 2019-01-11

Document ID: EDOC1000176006

Views: 114487

Downloads: 309

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next