Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
PKI Configuration Commands

Command Support

Only S5720EI, S5720HI, S6720EI, and S6720S-EI support PKI.

auto-enroll

Function

The auto-enroll command enables automatic certificate enrollment and update.

The undo auto-enroll command disables automatic certificate enrollment and update.

By default, the automatic certificate enrollment and update are disabled.

Format

auto-enroll [ percent ] [ regenerate [ key-bit ] ] [ updated-effective ]

undo auto-enroll [ updated-effective ]

Parameters

Parameter Description Value
percent Specifies the percentage of the certificate's validity period after which a new certificate is requested automatically. The value is an integer that ranges from 10 to 100. The default value is 100, that is, the system requests a new certificate when the old certificate expires.
regenerate Indicates that a new RSA key pair is generated during certificate updates. -
key-bit Specifies the number of bits in the RSA key pair generated during certificate updates. The value is an integer that ranges from 2048 to 4096. The default value is 2048.
updated-effective Indicates that the certificate takes effect immediately after being updated. By default, an updated certificate takes effect only after the old one expires. -

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Automatic certificate enrollment: When a certificate is unavailable, is about to expire, or has expired, an entity automatically requests a new certificate or renews the existing one using the Simple Certificate Enrollment Protocol (SCEP).

By default, the automatic certificate enrollment and update function is disabled, so when a certificate has expired you must request a new certificate for the entity manually. You can still request a certificate for an entity manually when the automatic certificate enrollment and update function is enabled.

Precautions
  • If you do not specify regenerate, the system uses the original RSA key pairs during automatic updates.
  • If you specify regenerate, the system generates new RSA key pairs during certificate updates for certificate requests and overwrites the original certificates and RSA key pairs with the new ones.

Example

# Enable automatic certificate enrollment and update for the PKI realm abc.

<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] auto-enroll 50 regenerate

ca id

Function

The ca id command specifies a certificate authority (CA) trusted by a PKI realm.

The undo ca id command deletes the CA trusted by a PKI realm.

By default, no trusted CA is configured in a PKI realm.

Format

ca id ca-name

undo ca id

Parameters

Parameter Description Value
ca-name Specifies the name of a CA trusted by a PKI realm. The value is a string of 1 to 64 case-insensitive characters.

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

After the ca id command specifies the CA trusted by the device, the device uses this CA to request, obtain, revoke, or query its certificate.

Example

# Specify the CA root_ca trusted by the PKI realm abc.

<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] ca id root_ca

cdp-url

Function

The cdp-url command configures the CRL distribution point (CDP) URL.

The undo cdp-url command deletes the configured CDP URL.

By default, no CDP URL is configured.

Format

cdp-url [ esc ] url-addr

cdp-url from-ca

undo cdp-url

Parameters

Parameter Description Value
esc Indicates that the URL address is in ASCII mode. -
url-addr Specifies the CDP URL. The value is a string starting with http:// and consisting of 1 to 128 case-sensitive characters without spaces.
from-ca Specifies that the CDP URL address is obtained from the CA certificate. -

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a PKI entity uses HTTP to update the CRL, it connects to the HTTP server given by the CDP URL and downloads the CRL from that server. By default, a PKI entity locates and downloads the CRL using the method (HTTP) in the CDP information of the local certificate. If you do not want to download the CRL based on the CDP URL in the local certificate, run this command to make the PKI entity obtain the CDP URL from the CA certificate, or configure the CDP URL manually.

When the CRL is updated automatically using SCEP, you can also configure a CDP URL address manually.

Configuration Impact

A manually configured CDP URL address overrides the CDP carried in the certificate. If the certificate does not contain CDP information and no CDP URL address is configured manually, the device requests the CRL from the CA server using SCEP.

The esc keyword is used for URLs that contain a question mark (?). The question mark must be entered as its hexadecimal ASCII code in the form \x3f, where 3f is the ASCII code of the question mark (?). For example, to enter http://abc.com?page1, type http://abc.com\x3fpage1. To enter http://www.abc.com?page1\x3f, which contains both a question mark (?) and the literal string \x3f, type http://www.abc.com\x3fpage1\\x3f.
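The escaping rule above, as an added Python example that is not part of the Huawei documentation: it converts a plain URL into the form typed after the esc keyword, reverses that form with a left-to-right scan (a plain replace would mis-decode a doubled backslash), and checks the url-addr constraints. That the 128-character limit applies to the escaped form is my assumption.

```python
import re

MAX_URL_LEN = 128  # url-addr limit from the parameter table above


def escape_cdp_url(url: str) -> str:
    """Convert a CDP URL into the form expected after the esc keyword.

    A literal backslash-x3f sequence is doubled first so it cannot be read
    as an escaped question mark; every real '?' then becomes \\x3f
    (3f is the hexadecimal ASCII code of '?').
    """
    escaped = url.replace("\\x3f", "\\\\x3f")
    return escaped.replace("?", "\\x3f")


def unescape_cdp_url(escaped: str) -> str:
    """Reverse escape_cdp_url, checking the longer (doubled) sequence first."""
    out = []
    i = 0
    while i < len(escaped):
        if escaped.startswith("\\\\x3f", i):   # doubled form -> literal \x3f
            out.append("\\x3f")
            i += 5
        elif escaped.startswith("\\x3f", i):   # escaped question mark
            out.append("?")
            i += 4
        else:
            out.append(escaped[i])
            i += 1
    return "".join(out)


def cdp_url_problems(escaped: str) -> list:
    """Return the url-addr constraints the escaped URL violates (empty = ok).

    Assumption: the length limit is applied to the escaped form, which is
    the string the operator actually types.
    """
    problems = []
    if not escaped.startswith("http://"):
        problems.append("must start with http://")
    if not 1 <= len(escaped) <= MAX_URL_LEN:
        problems.append("length must be 1 to %d characters" % MAX_URL_LEN)
    if re.search(r"\s", escaped):
        problems.append("must not contain spaces")
    if "?" in escaped:
        problems.append("literal '?' present; use the esc keyword and \\x3f")
    return problems


if __name__ == "__main__":
    for url in ("http://abc.com?page1", "http://www.abc.com?page1\\x3f"):
        esc = escape_cdp_url(url)
        print("cdp-url esc %s   (decodes to %s)" % (esc, unescape_cdp_url(esc)))
```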

Example

# Set the CDP URL to http://10.1.1.1/certenroll/ca_root.crl.

<HUAWEI> system-view
[HUAWEI] pki realm d1
[HUAWEI-pki-realm-d1] crl scep 
[HUAWEI-pki-realm-d1] cdp-url http://10.1.1.1/certenroll/ca_root.crl

# Set the CDP URL to http://www.abc.com/certenroll/ca_root.crl.

<HUAWEI> system-view
[HUAWEI] pki realm d1
[HUAWEI-pki-realm-d1] crl scep
[HUAWEI-pki-realm-d1] cdp-url http://www.abc.com/certenroll/ca_root.crl

certificate-check

Function

The certificate-check command sets the method of checking whether a certificate in the PKI realm is revoked.

The undo certificate-check command cancels the method of checking whether a certificate in the PKI realm is revoked.

By default, the system checks using CRLs whether a certificate in the PKI realm is revoked.

Format

certificate-check { { crl | ocsp } * [ none ] | none }

undo certificate-check

NOTE:

Only devices in cloud management mode support the ocsp parameter.

Parameters

Parameter Description Value
crl Sets the check method to Certificate Revocation List (CRL). -
ocsp Sets the check method to Online Certificate Status Protocol (OCSP). -
none Indicates that the system does not check whether a certificate is revoked. -

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

After this command is executed, the PKI entity validates the peer certificate, for example, checks whether the peer certificate has expired and whether it is listed in the CRL.

The system supports the following methods to check whether a certificate in the PKI realm is revoked:

  • CRL

    • If the CA server can function as a CDP, the certificate issued by the CA contains CDP information that specifies where the CRL can be obtained. The PKI entity then uses the specified method (HTTP) to locate and download the CRL. If a CDP URL is configured in the PKI realm, the PKI entity obtains the CRL from that URL.

    • If the CA does not support CDPs and no CDP URL is configured on the PKI entity, the PKI entity uses SCEP to obtain the CRL.
  • OCSP

    The PKI entity can use OCSP to check certificate status online, so it does not need to download CRLs frequently.

    When two PKI entities use certificates to perform IPSec negotiation, they check the peer certificate status through OCSP in real time.

  • None

    This mode is used when no CRL or OCSP server is available to the PKI entity or the PKI entity does not need to check the peer certificate status. In this mode, the PKI entity does not check whether a certificate has been revoked.

The configured check methods determine the result as follows:

  • If the certificate-check crl command is configured for a certificate, the CRL mode is used.
  • If the certificate-check ocsp command is configured for a certificate, the OCSP mode is used.
  • If the certificate-check crl none command is configured for a certificate, the CRL mode is used first. If the CRL mode is unavailable, the certificate is regarded as valid.
  • If the certificate-check ocsp none command is configured for a certificate, the OCSP mode is used first. If the OCSP mode is unavailable, the certificate is regarded as valid.
  • If the certificate-check crl ocsp command is configured for a certificate, the CRL mode is used first. If the CRL mode is unavailable, the OCSP mode is used. If the OCSP mode is unavailable, the certificate is regarded as invalid.
  • If the certificate-check ocsp crl command is configured for a certificate, the OCSP mode is used first. If the OCSP mode is unavailable, the CRL mode is used. If the CRL mode is unavailable, the certificate is regarded as invalid.
  • If the certificate-check crl ocsp none command is configured for a certificate, the CRL mode is used first. If the CRL mode is unavailable, the OCSP mode is used. If the OCSP mode is unavailable, the certificate is regarded as valid.
  • If the certificate-check ocsp crl none command is configured for a certificate, the OCSP mode is used first. If the OCSP mode is unavailable, the CRL mode is used. If the CRL mode is unavailable, the certificate is regarded as valid.
  • If the certificate-check none command is configured for a certificate, the certificate is regarded as valid.
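The fallback order in the list above, written out as an added Python example (not Huawei's code): the configured keywords are tried in order, an unavailable method falls through to the next one, a revoked answer from any available method is final, and a trailing none decides the outcome when every method is unavailable. In the results map, None stands for a method that is unavailable (no CRL file on the device, OCSP responder unreachable).

```python
from typing import Dict, Optional, Sequence

# Per-method answer: "good", "revoked", or None when the method is unavailable.
CheckResults = Dict[str, Optional[str]]


def validate_check_methods(methods: Sequence[str]) -> None:
    """Enforce the command syntax { { crl | ocsp } * [ none ] | none }."""
    methods = list(methods)
    if not methods:
        raise ValueError("at least one method is required")
    if methods == ["none"]:
        return
    if "none" in methods and methods[-1] != "none":
        raise ValueError("none must be the last keyword")
    body = [m for m in methods if m != "none"]
    if not body or any(m not in ("crl", "ocsp") for m in body):
        raise ValueError("methods before none must be crl and/or ocsp")
    if len(set(body)) != len(body):
        raise ValueError("each of crl and ocsp may appear at most once")


def certificate_verdict(methods: Sequence[str], results: CheckResults) -> str:
    """Apply the certificate-check fallback order; returns valid, revoked or invalid.

    Methods are tried in the configured order and the first available one
    decides. If every configured method is unavailable, a trailing none makes
    the certificate valid; without none it is regarded as invalid (the CRL
    Precautions case: crl configured but no CRL file on the device).
    """
    validate_check_methods(methods)
    for method in methods:
        if method == "none":
            return "valid"          # reached only after every real method failed
        status = results.get(method)
        if status is None:
            continue                # unavailable: fall through to the next method
        return "valid" if status == "good" else "revoked"
    return "invalid"


if __name__ == "__main__":
    no_crl = {"crl": None, "ocsp": "good"}     # constructed: no CRL file, OCSP reachable
    print(certificate_verdict(["crl"], no_crl))          # invalid
    print(certificate_verdict(["crl", "none"], no_crl))  # valid
    print(certificate_verdict(["crl", "ocsp"], no_crl))  # valid
```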

Precautions

After the certificate-check crl command is configured, if the device does not have the CRL file, certificate verification fails and the certificate is regarded as invalid.

Example

# Set the certificate check method to crl none in PKI realm test. If the CRL mode is unavailable, the certificate is regarded as valid.

<HUAWEI> system-view
[HUAWEI] pki realm test 
[HUAWEI-pki-realm-test] certificate-check crl none

common-name

Function

The common-name command configures a common name for an entity.

The undo common-name command cancels the configuration.

By default, a PKI entity does not have a common name.

Format

common-name common-name

undo common-name

Parameters

Parameter Description Value
common-name Specifies the common name of an entity. The value is a string of 1 to 64 case-sensitive characters, including letters, numerals, apostrophes ('), equal signs (=), parentheses (), plus signs (+), commas (,), minus signs (-), periods (.), slashes (/), colons (:), and spaces.

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

After a PKI entity is created, a common name must be configured to uniquely identify the PKI entity.

After the common name is configured for a PKI entity, the certificate request packet sent by the device to the CA server carries this name. The CA server verifies every received certificate request packet. For each valid packet, the CA server generates a digital certificate carrying the common name of the PKI entity.

Example

# Set the common name to test for an entity.

<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] common-name test

country (PKI entity view)

Function

The country command configures a country code for an entity.

The undo country command deletes the country code of a PKI entity.

By default, no country code is configured for a PKI entity.

Format

country country-code

undo country

Parameters

Parameter Description Value
country-code Specifies the country code of a PKI entity. A country code must be two characters long. If the entered country code contains lowercase letters, the system automatically converts them to uppercase when you create a certificate request file. You can look up country codes in ISO 3166. For example, CN is the country code of China, and US is the country code of the USA.

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

The parameters of a PKI entity contain the identity information of the entity. The CA identifies a certificate applicant based on identity information provided by the entity. To facilitate applicant identification, configure the country code for the PKI entity, which is used as an alias of the entity.

After the country code is configured for a PKI entity, the certificate request packet sent by the device to the CA server carries this country code. The CA server verifies every received certificate request packet. For each valid packet, the CA server generates a digital certificate carrying the country code of the PKI entity.

Example

# Configure the country code to CN for a PKI entity.

<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] country CN

crl auto-update enable

Function

The crl auto-update enable command enables the automatic CRL update function.

The undo crl auto-update enable command disables the automatic CRL update function.

By default, automatic CRL update is enabled.

Format

crl auto-update enable

undo crl auto-update enable

Parameters

None

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

To configure the automatic CRL update function, enable the function first.

Example

# Enable the automatic CRL update function.

<HUAWEI> system-view
[HUAWEI] pki realm d1
[HUAWEI-pki-realm-d1] crl auto-update enable

crl cache

Function

The crl cache command configures the device to use the cached CRL.

The undo crl cache command configures the device to retrieve the latest CRL each time.

By default, the PKI realm is allowed to use cached CRLs.

Format

crl cache

undo crl cache

Parameters

None

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

The system uses the cached CRL to overwrite the CRL in memory for certificate verification. If the PKI realm is not allowed to use the cached CRL, the system must download the latest CRL each time and use it to overwrite the CRL in memory.

Example

# Allow the device to use the cached CRL in the PKI realm abc.

<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] crl cache

crl http

Function

The crl http command enables automatic CRL update using HTTP.

By default, the CRL is updated automatically using HTTP.

Format

crl http

Parameters

None

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

This command is required when the CRL is updated using HTTP. Ensure that the device storage has sufficient space for the CRL file.

Example

# Configure the automatic CRL update using HTTP.

<HUAWEI> system-view
[HUAWEI] pki realm d1
[HUAWEI-pki-realm-d1] crl http

crl scep

Function

The crl scep command configures a device to use SCEP to automatically update a CRL.

By default, a device uses HTTP to automatically update a CRL.

Format

crl scep

Parameters

None

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

This command is required when the CRL is updated using SCEP. Ensure that the device storage has sufficient space for the CRL file.

Example

# Use SCEP to automatically update a CRL.

<HUAWEI> system-view
[HUAWEI] pki realm d1
[HUAWEI-pki-realm-d1] crl scep

crl update-period

Function

The crl update-period command sets the interval for automatic CRL update.

The undo crl update-period command restores the default interval for automatic CRL update.

By default, the automatic CRL update interval is 8 hours.

Format

crl update-period interval

undo crl update-period

Parameters

Parameter Description Value
interval Specifies the interval at which a CRL is automatically updated. The value is an integer that ranges from 1 to 720, in hours.

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

The CRL update interval is the interval at which a PKI entity using a certificate downloads the CRL from the CRL storage server. The CA/RA does not push the CRL to an entity; instead, the entity initiates a CRL query to obtain it.

Example

# Set the interval at which a CRL is automatically updated to 21 hours.

<HUAWEI> system-view
[HUAWEI] pki realm d1
[HUAWEI-pki-realm-d1] crl update-period 21

display pki ca-capability

Function

The display pki ca-capability command displays the CA capabilities of a PKI realm.

Format

display pki ca-capability realm realm-name

Parameters

Parameter Description Value
realm realm-name Specifies the name of a PKI realm. The PKI realm name must already exist.

Views

All views

Default Level

3: Management level

Usage Guidelines

The display pki ca-capability command displays the CA capabilities of a PKI realm.

Example

# Display the CA capabilities of the PKI realm asdf.

<HUAWEI> display pki ca-capability realm asdf
 PKI CA Capabilities :
  GetNextCACert      :  ---- 
  POSTPKIOperation   :  ---- 
  Renewal            :  ----
  SHA-512            :  ----
  SHA-256            :  ----
  SHA-1              :  ----
  DES3               :  ---- 
Table 14-79  Description of the display pki ca-capability command output

Item Description
PKI CA Capabilities PKI CA capabilities.
GetNextCACert Get next CA certificate.
POSTPKIOperation Post PKI operation messages.
Renewal Certificate renewal.
SHA-512 SHA-512 algorithm.
SHA-256 SHA-256 algorithm.
SHA-1 SHA-1 algorithm.
DES3 DES3 algorithm.

display pki cert-req

Function

The display pki cert-req command displays the content of a certificate request file.

Format

display pki cert-req filename file-name

Parameters

Parameter Description Value
filename file-name Specifies the name of a certificate request file. The certificate request file name must already exist.

Views

All views

Default Level

3: Management level

Usage Guidelines

This command displays content of a certificate request file, including the subject, public key algorithm, key modulus, attributes, and signature algorithm.

Example

# Display the content of a certificate request file named test.req.

<HUAWEI> display pki cert-req filename test.req
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=Jiangsu, L=Beijing, O=org1, OU=Group1,Sale, CN=huawei
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:01:cf:95:bb:fb:35:f0:3e:cd:1d:10:9e:11:
                    08:2e:77:48:ba:1b:e6:00:1b:43:30:56:f9:9a:6b:
                    ed:8b:fe:3e:03:57:38:02:48:88:e3:9b:39:d0:1c:
                    2b:8f:6a:9b:91:17:9b:ce:cb:fc:87:40:78:39:08:
                    1c:53:c3:71:cc:db:64:6f:ec:5a:cd:33:a5:68:5e:
                    e6:52:61:ad:a1:58:55:f0:a0:0f:db:ab:05:eb:a4:
                    fe:e1:68:61:8c:af:2c:3a:34:95:d2:41:ee:09:e7:
                    b0:fc:59:d9:f4:12:00:de:ab:14:b6:a3:fe:29:75:
                    f7:dd:7b:aa:03:81:fc:ae:41:8c:e4:ad:e3:d9:65:
                    d4:be:a0:c1:e0:43:8a:91:ad:20:7b:6f:12:25:6e:
                    0d:67:7d:4c:fe:8d:1b:6d:f3:96:07:31:ed:73:d3:
                    71:6b:51:18:64:bd:41:d6:18:2d:2d:86:b7:fa:26:
                    eb:cc:cb:a3:0f:0b:61:22:fd:dd:5f:b4:4d:9b:7d:
                    bc:fa:af:e6:95:d7:27:f1:60:31:56:83:58:2c:40:
                    1a:5e:6a:94:63:aa:70:2f:9b:00:e0:a3:9e:fb:73:
                    62:5e:1c:3c:5f:48:42:7c:26:8f:5f:cf:39:b9:5d:
                    25:90:8e:6c:e0:04:ec:e2:1b:1f:a8:0d:d2:ef:20:
                    41:79
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :******
        Requested Extensions:
            X509v3 Subject Alternative Name:
                IP Address:10.1.1.1, DNS:example.com, email:test@example.com
    Signature Algorithm: sha256WithRSAEncryption
         71:e7:c0:5f:36:c9:16:eb:fc:0c:8e:d1:4f:3d:ee:25:6b:47:
         65:86:4b:89:ec:22:01:42:a5:0e:5c:aa:01:0a:57:a9:25:ba:
         1b:59:6d:77:5f:74:80:3b:af:f9:37:75:97:9a:ca:80:73:8b:
         36:14:2c:4b:9a:2f:53:5c:5b:4a:93:31:88:94:0f:4d:58:84:
         36:41:e8:a8:6c:cd:f0:bb:9f:51:50:b2:a4:40:f4:ec:37:c5:
         42:08:69:b5:c5:fd:af:3d:8a:aa:47:53:d3:ce:bc:76:ec:47:
         ca:36:90:0b:49:2b:2f:04:c4:1f:f1:12:b6:99:d0:f8:33:d8:
         08:d0:32:ac:ee:34:0f:07:ef:72:9f:6b:71:80:3e:8d:37:cc:
         ca:b5:c1:56:3d:65:c7:e6:99:1b:2b:53:01:69:f5:8a:18:05:
         d1:b1:48:3e:50:e0:4c:7f:db:dc:b7:cd:a2:37:f9:96:cd:0d:
         ee:61:c2:80:61:6b:99:c0:76:0d:ab:2c:46:ce:b7:aa:6a:12:
         72:b7:6f:64:cc:78:b7:16:bd:c5:32:45:79:42:cf:4c:28:91:
         ce:cd:7d:da:eb:2b:3a:cf:90:1f:61:5e:02:25:fe:3c:82:66:
         d4:e8:c7:f8:5e:84:2c:f6:b2:f0:ba:ee:7a:c1:9b:d4:68:02:
         a4:e3:27:89
Table 14-80  Description of the display pki cert-req command output

Item Description
Certificate Request Information about a certificate request file.
Data Data of a certificate request file.
Version Version of a certificate request file.
Subject Subject of a certificate request file. The subject includes the following attributes:

  • C: country code of a PKI entity. It is configured using the country (PKI entity view) command.

  • ST: name of the state or province to which a PKI entity belongs. It is configured using the state (PKI entity view) command.

  • L: geographic area where a PKI entity is located. It is configured using the locality command.

  • O: organization to which a PKI entity belongs. It is configured using the organization command.

  • OU: department to which a PKI entity belongs. It is configured using the organization-unit command.

  • CN: common name of a PKI entity. It is configured using the common-name command.

Subject Public Key Info Information about the subject public key of a certificate request file.
Public Key Algorithm Public key algorithm.
Public-Key RSA public key. It is configured using the rsa local-key-pair command.
Modulus Key modulus.
Exponent Key exponent.
Attributes Attributes of a certificate request file.
challengePassword The challenge password used in certificate application. It is configured using the pki enroll-certificate command.
Requested Extensions Certificate request extension.
X509v3 Subject Alternative Name Alternative name of the X.509v3 subject.
IP Address IP address of a PKI entity. It is configured using the ip-address command.
DNS DNS name of a PKI entity. It is configured using the fqdn command.
email Email address of a PKI entity. It is configured using the email command.

Signature Algorithm Signature algorithm. It is configured using the enrollment-request signature message-digest-method command.

display pki certificate

Function

The display pki certificate command displays the content of the CA certificate, the local certificate, or the OCSP server certificate loaded on the device.

Format

display pki certificate { ca | local | ocsp } realm realm-name

display pki certificate filename file-name

NOTE:

Only devices in cloud management mode support the ocsp parameter.

Parameters

Parameter Description Value
ca Displays content about the CA certificate. -
local Displays content about the local certificate. -
ocsp Displays content about the Online Certificate Status Protocol (OCSP) server's certificate. -
realm realm-name Specifies the PKI realm name of a certificate to be checked. The PKI realm name must already exist.
filename file-name Specifies the name of a certificate file. The value must be an existing certificate file name.

Views

All views

Default Level

The default level of the display pki certificate filename file-name command is 3: Management level, and the default level of other display pki certificate commands is 2: Configuration level.

Usage Guidelines

This command shows information about the CA certificate, local certificate, and OCSP server's certificate, including signature algorithm, issuer, validity period, subject, and subject public key.

Example

# Display information about the CA certificate.

<HUAWEI> display pki certificate ca realm abc
 The x509 object type is certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:f0:1a:f3:67:21:44:9a:4a:eb:ec:63:75:5d:d7:5f
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ca_root
        Validity
            Not Before: Jun  4 14:58:17 2015 GMT
            Not After : Jun  4 15:07:10 2020 GMT
        Subject: CN=ca_root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:5f:2a:93:cb:66:18:59:8c:26:80:db:cd:73:
                    d5:68:92:1b:04:9d:cf:33:a2:73:64:3e:5f:fe:1a:
                    53:78:0e:3d:e1:99:14:aa:86:9b:c3:b8:33:ab:bb:
                    76:e9:82:f6:8f:05:cf:f6:83:8e:76:ca:ff:7d:f1:
                    bc:22:74:5e:8f:4c:22:05:78:d5:d6:48:8d:82:a7:
                    5d:e1:4c:a4:a9:98:ec:26:a1:21:07:42:e4:32:43:
                    ff:b6:a4:bd:5e:4d:df:8d:02:49:5d:aa:cc:62:6c:
                    34:ab:14:b0:f1:58:4a:40:20:ce:be:a5:7b:77:ce:
                    a4:1d:52:14:11:fe:2a:d0:ac:ac:16:95:78:34:34:
                    21:36:f2:c7:66:2a:14:31:28:dc:7f:7e:10:12:e5:
                    6b:29:9a:e8:fb:73:b1:62:aa:7e:bd:05:e5:c6:78:
                    6d:3c:08:4c:9c:3f:3b:e0:e9:f2:fd:cb:9a:d1:b7:
                    de:1e:84:f4:4a:7d:e2:ac:08:15:09:cb:ee:82:4b:
                    6b:bd:c6:68:da:7e:c8:29:78:13:26:e0:3c:6c:72:
                    39:c5:f8:ad:99:e4:c3:dd:16:b5:2d:7f:17:e4:fd:
                    e4:51:7a:e6:86:f0:e7:82:2f:55:d1:6f:08:cb:de:
                    84:da:ce:ef:b3:b1:d6:b3:c0:56:50:d5:76:4d:c7:
                    fb:75
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2:
                ...C.A
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                B8:63:72:A4:5E:19:F3:B1:1D:71:E1:37:26:E1:46:39:01:B6:82:C5
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://vasp-e6000-127.china.huawei.com/CertEnroll/ca_root.crl
                  URI:file://\\vasp-e6000-127.china.huawei.com\CertEnroll\ca_root.crl

            1.3.6.1.4.1.311.21.1:
                ...
    Signature Algorithm: sha1WithRSAEncryption
         52:21:46:b8:67:c8:c3:4a:e7:f8:cd:e1:02:d4:24:a7:ce:50:
         be:33:af:8a:49:47:67:43:f9:7f:79:88:9c:99:f5:87:c9:ff:
         08:0f:f3:3b:de:f9:19:48:e5:43:0e:73:c7:0f:ef:96:ef:5a:
         5f:44:76:02:43:83:95:c4:4e:06:5e:11:27:69:65:97:90:4f:
         04:4a:1e:12:37:30:95:24:75:c6:a4:73:ee:9d:c2:de:ea:e9:
         05:c0:a4:fb:39:ec:5c:13:29:69:78:33:ed:d0:18:37:6e:99:
         bc:45:0e:a3:95:e9:2c:d8:50:fd:ca:c2:b3:5a:d8:45:82:6e:
         ec:cc:12:a2:35:f2:43:a5:ca:48:61:93:b9:6e:fe:7c:ac:41:
         bf:88:70:57:fc:bb:66:29:ae:73:9c:95:b9:bb:1d:16:f7:b4:
         6a:da:03:df:56:cf:c7:c7:8c:a9:19:23:61:5b:66:22:6f:7e:
         1d:26:92:69:53:c8:c6:0e:b3:00:ff:54:77:5e:8a:b5:07:54:
         fd:18:39:0a:03:ac:1d:9f:1f:a1:eb:b9:f8:0d:21:25:36:d5:
         06:de:33:fa:7b:c8:e9:60:f3:76:83:bf:63:c6:dc:c1:2c:e4:
         58:b9:cb:48:15:d2:a8:fa:42:72:15:43:ef:55:63:39:58:77:
         e8:ae:0f:34

Pki realm name: abc
Certificate file name: abc_ca.cer
Certificate peer name: -
Table 14-81  Description of the display pki certificate command output

Item Description
The x509 object type is certificate x509 object type is certificate.

Certificate Information about a certificate.
Data Data of a certificate.
Version Version of a certificate.
Serial Number Serial number of a certificate.
Signature Algorithm Signature algorithm of a certificate.
Issuer Issuer of a certificate.
Validity Validity period of a certificate.
Subject Subject of a certificate. The subject includes the following attributes:
  • C: country code of a PKI entity.

  • ST: name of the state or province to which a PKI entity belongs.

  • L: geographic area where a PKI entity is located.

  • O: organization to which a PKI entity belongs.

  • OU: department to which a PKI entity belongs.

  • CN: common name of a PKI entity.

Subject Public Key Info Information about the public key of a certificate.
Public Key Algorithm Public key algorithm.
Public-Key Public key.
Modulus Key modulus.
Exponent Key exponent.
X509v3 extensions X.509v3 certificate extensions.
X509v3 Key Usage X509v3 key usage.
X509v3 Basic Constraints Basic constraints.
CA Whether the CA can be trusted.
X509v3 Subject Key Identifier Identifier of a subject key.
X509v3 CRL Distribution Points CRL distribution points.
Full Name Full name of CDP.
Pki realm name PKI realm name.
Certificate file name Certificate file name.
Certificate peer name Certificate peer name.
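An added example (not from the documentation) that parses the display pki certificate output format shown above into fields, runs the checks a reviewer would apply to a loaded CA certificate, and computes when the auto-enroll percent setting would trigger renewal for that certificate. The sample output is a constructed, shortened copy of the CA certificate output above; the weak-algorithm list and the 2048-bit floor are my choices.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample in the layout of the display pki certificate output above;
# the modulus and signature value are shortened to one line each.
SAMPLE_OUTPUT = """\
 The x509 object type is certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:f0:1a:f3:67:21:44:9a:4a:eb:ec:63:75:5d:d7:5f
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ca_root
        Validity
            Not Before: Jun  4 14:58:17 2015 GMT
            Not After : Jun  4 15:07:10 2020 GMT
        Subject: CN=ca_root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:5f:2a:93:cb:66:18:59:8c:26:80:db:cd:73:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://vasp-e6000-127.china.huawei.com/CertEnroll/ca_root.crl
    Signature Algorithm: sha1WithRSAEncryption
         52:21:46:b8:67:c8:c3:4a
Pki realm name: abc
"""

WEAK_SIGNATURE_ALGORITHMS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}
MIN_RSA_BITS = 2048  # smallest key-bit value the auto-enroll command accepts


def parse_display_time(text: str) -> datetime:
    # The output pads single-digit days with two spaces ("Jun  4"); collapse them.
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT")


def parse_certificate_output(text: str) -> Dict:
    """Extract the audit-relevant fields from display pki certificate text."""
    def value(s): return s.split(":", 1)[1].strip()   # text after the first colon
    cert = {"key_usage": [], "cdp_uris": [], "is_ca": False}
    lines = text.splitlines()
    for idx, raw in enumerate(lines):
        line = raw.strip()
        if line == "Serial Number:":
            cert["serial"] = lines[idx + 1].strip()
        elif line.startswith("Signature Algorithm:") and "signature_algorithm" not in cert:
            cert["signature_algorithm"] = value(line)   # first occurrence only
        elif line.startswith("Issuer:"):
            cert["issuer"] = value(line)
        elif line.startswith("Subject:"):
            cert["subject"] = value(line)
        elif line.startswith("Not Before:"):
            cert["not_before"] = parse_display_time(value(line))
        elif line.startswith("Not After :"):
            cert["not_after"] = parse_display_time(value(line))
        elif line.startswith("Public-Key:"):
            cert["key_bits"] = int(re.search(r"\((\d+) bit\)", line).group(1))
        elif line.startswith("X509v3 Key Usage"):
            cert["key_usage"] = [u.strip() for u in lines[idx + 1].split(",")]
        elif line.startswith("CA:"):
            cert["is_ca"] = line == "CA:TRUE"
        elif line.startswith("URI:"):
            cert["cdp_uris"].append(line[4:])
        elif line.startswith("Pki realm name:"):
            cert["realm"] = value(line)
    return cert


def audit_certificate(cert: Dict, now: datetime) -> List[str]:
    """Checks a reviewer runs over the parsed certificate; an empty list is clean."""
    findings = []
    if cert["signature_algorithm"] in WEAK_SIGNATURE_ALGORITHMS:
        findings.append("weak signature algorithm: " + cert["signature_algorithm"])
    if cert.get("key_bits", 0) < MIN_RSA_BITS:
        findings.append("RSA key shorter than %d bits" % MIN_RSA_BITS)
    if not cert["not_before"] <= now <= cert["not_after"]:
        findings.append("outside validity period")
    if cert["is_ca"] and "Certificate Sign" not in cert["key_usage"]:
        findings.append("CA certificate without Certificate Sign key usage")
    return findings


def auto_enroll_trigger(cert: Dict, percent: int = 100) -> datetime:
    """Instant at which auto-enroll <percent> requests a new certificate:
    that percentage of the validity period, counted from Not Before."""
    if not 10 <= percent <= 100:
        raise ValueError("percent must be 10 to 100")
    return cert["not_before"] + (cert["not_after"] - cert["not_before"]) * percent / 100
```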

display pki certificate built-in-ca

Function

The display pki certificate built-in-ca command displays the content of the SSL decryption certificate uploaded on the device.

Format

display pki certificate built-in-ca

Parameters

None

Views

All views

Default Level

2: Configuration level

Usage Guidelines

This command shows information about the SSL decryption certificate, including signature algorithm, issuer, validity period, subject, subject public key, PKI realm name, and certificate file name.

Example

# Display information about the built-in-ca certificate.

<HUAWEI> display pki certificate built-in-ca  
 The x509 object type is certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f2:1c:74:f0:df:e0:2f:c6
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Jiangsu, L=Beijing, O=org1, OU=Group1,Sale, CN=huawei
        Validity
            Not Before: Oct 23 23:44:55 2015 GMT
            Not After : Oct 13 23:44:55 2055 GMT
        Subject: C=CN, ST=Jiangsu, L=Beijing, O=org1, OU=Group1,Sale, CN=huawei
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b1:63:50:17:73:de:cc:9e:2b:41:fe:0e:58:28:
                    47:b7:ce:6b:77:5c:29:b1:3e:cf:d3:e0:53:63:1e:
                    21:cc:f6:11:34:7c:eb:8a:d7:08:b5:96:c4:0b:4a:
                    4d:33:6c:77:23:21:51:bb:10:d6:7d:d3:82:a0:6a:
                    f5:f6:8d:17:e0:f2:73:99:7b:c7:89:c8:fc:61:42:
                    0b:a5:d7:1a:11:47:ed:e1:5f:60:a6:c5:93:f0:07:
                    3f:73:fe:80:16:98:02:23:df:ab:04:85:13:25:32:
                    61:69:e8:f3:ab:a0:d8:e9:41:f8:c2:5f:14:9e:b7:
                    3b:49:1d:48:b4:b2:8d:bf:b9:00:ee:25:5d:7a:11:
                    a6:d3:23:61:99:ad:0f:54:be:00:a1:58:dd:d2:91:
                    ad:5c:6f:9d:d0:8c:e0:6f:a3:4e:df:ba:fd:b1:e3:
                    6f:1b:b3:1f:e6:42:91:1c:1a:4f:a3:a7:0e:3c:2c:
                    4c:f9:18:1f:9d:22:f8:09:da:ff:a7:7c:b8:77:20:
                    19:8a:90:d0:00:21:e4:1f:41:cc:f0:0c:ba:8f:23:
                    c3:9f:f9:ae:d8:49:95:be:75:49:7d:d7:d0:ce:3c:
                    28:27:e9:11:02:4d:c0:1a:d0:f7:38:7f:94:f8:9c:
                    9d:78:71:43:50:d3:05:01:07:18:f4:2f:c5:ec:96:
                    5d:d5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:10.1.1.1, DNS:example.com, email:test@example.com
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                3F:D2:BC:62:6B:F5:10:29:C4:59:9D:B9:71:A7:EB:B1:C4:16:91:9F
            Netscape Cert Type:
                SSL CA
            Netscape Comment:
                example comment extension
    Signature Algorithm: sha1WithRSAEncryption
         89:d5:47:31:23:c3:f9:df:fd:96:c5:38:fb:1e:b5:52:00:bd:
         21:fd:f0:18:af:8e:e8:01:b7:e6:b3:a1:0e:51:4b:61:4d:d5:
         52:1e:60:60:6a:67:9f:82:90:e3:1d:97:36:8f:c4:30:20:f4:
         14:58:4c:78:61:3c:4a:d4:0f:98:a9:05:e0:b5:cb:6a:78:eb:
         c6:40:9d:00:7b:31:8d:0e:21:72:db:31:34:83:5d:e5:42:98:
         85:09:6d:1e:c5:23:ce:e3:72:46:67:79:4b:1b:18:ba:cb:5e:
         ba:08:ee:0e:24:e5:58:07:0c:2e:b8:cf:e6:6b:09:67:76:80:
         e5:0e:66:a2:cb:3a:a1:bc:56:27:1c:1b:fd:5a:b5:ad:9f:a4:
         32:2b:32:3e:9a:9d:f5:04:ee:e5:e1:1c:76:8a:c2:45:f1:3e:
         8c:da:ab:f6:cf:82:d0:b3:4c:91:7a:c8:ad:b5:2c:28:54:e0:
         79:40:b6:b5:f1:6f:92:23:4d:94:8b:20:0d:92:86:43:98:17:
         d5:9b:b0:7f:99:f2:f1:df:0f:d3:f2:5c:9d:35:bc:64:25:13:
         39:62:ba:98:cb:cc:6a:08:fc:2c:86:2e:2e:91:80:8b:3e:27:
         14:f7:45:fe:9f:f8:1a:87:05:c9:21:c3:61:d1:69:82:e3:05:
         5c:44:c5:82

Pki realm name: -
Certificate file name: buzzcer
Certificate peer name: -
Table 14-82  Description of the display pki certificate built-in-ca command output

Item

Description

The x509 object type is certificate

x509 object type is certificate.

Certificate Information about a certificate.
Data Data of a certificate.
Version Version of a certificate.
Serial Number Serial number of a certificate.
Signature Algorithm Signature algorithm of a certificate.
Issuer Issuer of a certificate.
Validity Validity period of a certificate.
Subject

Certificate subject. The subject includes the following attributes:

  • C: country code of a PKI entity. It is configured using the country (PKI entity view) command.

  • ST: name of the state or province to which a PKI entity belongs. It is configured using the state (PKI entity view) command.

  • L: geographic area where a PKI entity is located. It is configured using the locality command.

  • O: organization to which a PKI entity belongs. It is configured using the organization command.

  • OU: department to which a PKI entity belongs. It is configured using the organization-unit command.

  • CN: common name of a PKI entity. It is configured using the common-name command.

Subject Public Key Info Information about the public key of a certificate.
Public Key Algorithm

Public key algorithm. It is configured using the pki rsa local-key-pair create command.

Public-Key RSA public key.
Modulus Key modulus.
Exponent Key exponent.
X509v3 extensions X.509v3 certificate extensions.
X509v3 Subject Alternative Name

Alternative name of the X.509v3 subject.

IP Address

IP address of the PKI entity. It is configured using the ip-address command.

DNS

DNS name of a PKI entity. It is configured using the fqdn command.

email

Email address of a PKI entity. It is configured using the email command.

X509v3 Basic Constraints Basic constraints.
CA Whether the certificate subject is a CA. CA:TRUE means the key may be used to sign other certificates.
X509v3 Key Usage X.509v3 key usage.
X509v3 Subject Key Identifier Identifier of an X.509v3 subject key.
Netscape Cert Type Netscape Certificate Type.
Netscape Comment Netscape Comment.
Signature Algorithm Signature algorithm.
Pki realm name

PKI realm name. It is configured using the pki realm (system view) command.

Certificate file name

Name of a certificate file. It is configured using the pki generate built-in-ca certificate command.

Certificate peer name

Name of a certificate peer. It is configured using the pki import-certificate peer command.

display pki certificate enroll-status

Function

The display pki certificate enroll-status command displays the certificate enrollment status.

Format

display pki certificate enroll-status [ realm realm-name ]

Parameters

Parameter Description Value
realm realm-name Specifies the PKI realm name of a certificate to be checked. The PKI realm name must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display pki certificate enroll-status command displays the certificate enrollment status.

Example

# Display the certificate enrollment status.

<HUAWEI> display pki certificate enroll-status realm abc
 Certificate Request Transaction 1 
    Status: Pending
    Key Usage: ENC&SIG
    Entity name: test
    Remain polling count: 1
    Next polling after : 35 seconds
<HUAWEI> display pki certificate enroll-status realm abc
 info: No certificate request transaction in realm abc.
Table 14-83  Description of the display pki certificate enroll-status command output

Item

Description

Certificate Request Transaction

Certificate enrollment request process.

Status

Certificate enrollment status.

Pending: A certificate is being enrolled.

Key Usage

Functions of a certificate public key:
  • ENC: The public key is used for encryption.
  • SIG: The public key is used for signature.

Entity name

Entity name.

Remain polling count

Number of remaining times the device will poll the CA for the result of this enrollment request.

Next polling after

Time until the device polls the CA again.

No certificate request transaction

There is no certificate enrollment request process.

display pki credential-storage-path

Function

The display pki credential-storage-path command displays the default path where a PKI certificate is stored.

By default, the certificate file is stored in flash:/.

Format

display pki credential-storage-path

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display pki credential-storage-path command displays the default path where a PKI certificate is stored.

Example

# Display the default path where a PKI certificate is stored.

<HUAWEI> display pki credential-storage-path
 The pki credential-storage-path is flash:/ .

display pki crl

Function

The display pki crl command displays the content of the CRL in the device.

Format

display pki crl { realm realm-name | filename filename }

Parameters

Parameter Description Value
realm realm-name Specifies the name of the PKI realm associated with the CRL. The PKI realm name must already exist.
filename filename Specifies the name of the CRL file to display. The CRL file must already exist on the device.

Views

All views

Default Level

3: Management level

Usage Guidelines

This command shows information about local CRL, including signature algorithm, issuer, update time, revoked certificate, CRL sequence number, and revocation time.

Example

# Display information about the CRL associated with the PKI realm abc.

<HUAWEI> display pki crl realm abc
 The x509 object type is CRL:   
Certificate Revocation List (CRL):                                              
        Version 2 (0x1)                                                         
    Signature Algorithm: sha1WithRSAEncryption                                  
        Issuer: /CN=ca_root                                                     
        Last Update: Dec 15 08:24:28 2015 GMT                                   
        Next Update: Dec 22 20:44:28 2015 GMT                                   
        CRL extensions:                                                         
            X509v3 Authority Key Identifier:                                    
                keyid:B8:63:72:A4:5E:19:F3:B1:1D:71:E1:37:26:E1:46:39:01:B6:82:C5
            1.3.6.1.4.1.311.21.1:                                               
                ...                                                             
            X509v3 CRL Number:                                                  
                365                                                             
            1.3.6.1.4.1.311.21.4:                                               
151222083428Z   .                                                               
Revoked Certificates:                                                           
    Serial Number: 28C63371000000003E04                                         
        Revocation Date: Dec 15 08:34:27 2015 GMT                               
        CRL entry extensions:                                                   
            X509v3 CRL Reason Code:                                             
                Key Compromise                                                  
    Serial Number: 28C2AB44000000003E01                                         
        Revocation Date: Dec 15 08:30:35 2015 GMT                               
        CRL entry extensions:                                                   
            X509v3 CRL Reason Code:                                             
                Key Compromise                                                  
    Serial Number: 2364247C000000003D48                                         
        Revocation Date: Dec 14 07:29:05 2015 GMT                               
        CRL entry extensions:                                                   
            X509v3 CRL Reason Code:                                             
                Key Compromise                                                  
    Serial Number: 23627E0F000000003D47                                         
        Revocation Date: Dec 14 07:27:29 2015 GMT                               
        CRL entry extensions:                                                   
            X509v3 CRL Reason Code:                                             
                Key Compromise                                                  
    Serial Number: 2360F397000000003D46                                         
        Revocation Date: Dec 14 07:25:48 2015 GMT                               
        CRL entry extensions:                                                   
            X509v3 CRL Reason Code:                                             
                Key Compromise                                                        
    Signature Algorithm: sha1WithRSAEncryption                                  
         7a:71:54:d1:66:13:6f:9f:62:03:ac:9a:5f:42:10:15:87:46:                 
         e2:a1:49:0f:44:19:ce:ed:6f:c3:0e:9f:31:fe:62:d5:08:0b:                 
         a4:a7:7e:80:4d:9a:5b:a9:55:5c:1a:73:30:62:48:e1:28:0e:                 
         5b:bd:ae:04:7e:83:36:43:62:fc:f7:12:0d:f9:f6:ac:2b:be:                 
         9c:50:6c:67:19:43:12:31:67:c2:06:31:97:e1:34:75:1c:87:                 
         53:5f:e6:15:a1:33:ad:00:e7:14:68:59:05:67:28:78:a0:91:                 
         49:7b:ab:87:9f:9e:53:18:4b:54:53:1c:b7:1c:2d:3e:b3:57:                 
         63:95:1d:01:29:9e:6c:41:07:40:2d:28:d8:82:7b:d6:22:e6:                 
         0d:0c:4c:af:84:96:8e:f1:29:28:d4:9e:1c:37:3b:1b:2e:34:                 
         a7:15:e3:29:d1:c0:69:0a:7f:24:b1:ce:00:f1:b3:da:ef:8a:                 
         1b:14:36:f9:14:6c:b0:66:86:a8:92:95:fc:e3:78:aa:d6:d0:                 
         cb:4d:26:b4:bc:41:c4:47:19:d0:2a:0c:ac:c6:aa:95:c2:03:                 
         33:8a:39:45:3e:c3:ad:46:7d:8a:03:4d:08:e2:d0:9a:ae:39:                 
         fa:8d:61:d0:1c:6c:03:d4:48:2e:4d:37:60:a1:06:a4:ea:c8:                 
         0d:20:59:c2                                                            
                                                                                
Pki realm name: abc                                                             
CRL file name: abc.crl 
Table 14-84  Description of the display pki crl command output

Item

Description

The x509 object type is CRL

x509 object type is CRL.

Certificate Revocation List (CRL)

Information about the CRL.

Signature Algorithm Signature algorithm of the CRL.
Issuer CRL issuer.

Last Update

Time when this CRL was issued.

Next Update

Time by which the CA will issue the next CRL. A CRL used after this time is stale.

CRL extensions

CRL extended attribute.

X509v3 Authority Key Identifier X509v3 authority key identifier.

X509v3 CRL Number

X509v3 CRL number.

Revoked Certificates

Certificate that is revoked.

Serial Number

Serial number of the revoked certificate.

Revocation Date

Date when the certificate was revoked.

CRL entry extensions CRL entry extensions.
X509v3 CRL Reason Code Reason why the certificate was revoked.
Signature Algorithm Algorithm with which the CA signed the CRL. It is chosen by the CA, not configured on the device.
Pki realm name PKI realm name. It is configured using the pki realm (system view) command.
CRL file name CRL file name. It is configured using the pki import-crl command.
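The CRL output above is what the device compares a peer certificate against. The following script is an added example, not Huawei code and not part of this document: it parses a constructed sample in the shape of the display pki crl output (serials and dates copied from the output above, other lines trimmed), normalises serial numbers so that the colon-separated form printed by display pki certificate and the compact form printed in the CRL compare equal, and refuses to report a certificate as good from a CRL whose Next Update has passed. The sample text, function names and the stale-CRL policy are this example's own.

```python
from datetime import datetime, timezone

TIME_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_time(text):
    """Parse the OpenSSL-style timestamps in the display output as UTC."""
    return datetime.strptime(" ".join(text.split()), TIME_FMT).replace(tzinfo=timezone.utc)

# Constructed sample, trimmed to the fields used here but in the shape of
# `display pki crl realm abc` (serials and dates copied from the page's output).
SAMPLE_CRL = """\
 The x509 object type is CRL:
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=ca_root
        Last Update: Dec 15 08:24:28 2015 GMT
        Next Update: Dec 22 20:44:28 2015 GMT
        CRL extensions:
            X509v3 CRL Number:
                365
Revoked Certificates:
    Serial Number: 28C63371000000003E04
        Revocation Date: Dec 15 08:34:27 2015 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 28C2AB44000000003E01
        Revocation Date: Dec 15 08:30:35 2015 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Signature Algorithm: sha1WithRSAEncryption
Pki realm name: abc
CRL file name: abc.crl
"""

def normalize_serial(serial):
    """Certificates print '12:19:3c:d3:...', CRLs print '28C63371...';
    compare both as upper-case hex without separators or leading zeros."""
    return serial.replace(":", "").replace(" ", "").upper().lstrip("0") or "0"

def parse_crl(text):
    crl = {"revoked": {}}
    current, want_reason = None, False
    for line in text.splitlines():
        s = line.strip()
        if want_reason:                       # reason is on the line after its header
            crl["revoked"][current]["reason"] = s
            want_reason = False
        elif s.startswith("Issuer:"):
            crl["issuer"] = s.split(":", 1)[1].strip()
        elif s.startswith("Last Update:"):
            crl["last_update"] = parse_time(s.split(":", 1)[1])
        elif s.startswith("Next Update:"):
            crl["next_update"] = parse_time(s.split(":", 1)[1])
        elif s.startswith("Serial Number:"):
            current = normalize_serial(s.split(":", 1)[1])
            crl["revoked"][current] = {}
        elif s.startswith("Revocation Date:"):
            crl["revoked"][current]["date"] = parse_time(s.split(":", 1)[1])
        elif s == "X509v3 CRL Reason Code:":
            want_reason = True
    return crl

def crl_is_current(crl, now):
    return crl["last_update"] <= now < crl["next_update"]

def check_serial(crl, serial, now):
    """Return (status, detail). A stale CRL yields 'unknown', never 'good'."""
    if not crl_is_current(crl, now):
        return "unknown", "CRL outside its Last Update/Next Update window; fetch a fresh one"
    entry = crl["revoked"].get(normalize_serial(serial))
    if entry:
        return "revoked", "%s at %s" % (entry["reason"], entry["date"].isoformat())
    return "good", "serial not listed"

if __name__ == "__main__":
    crl = parse_crl(SAMPLE_CRL)
    now = parse_time("Dec 16 00:00:00 2015 GMT")
    for serial in ("28:c6:33:71:00:00:00:00:3e:04", "12:19:3c:d3:00:00:00:00:04:9a"):
        print(serial, *check_serial(crl, serial, now))
```

The stale-CRL branch matters operationally: the realm output on this page shows a CRL update period of 8 hours against a CRL that is valid for a week, so a device that keeps serving a cached CRL past its Next Update silently stops rejecting newly revoked certificates.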

display pki entity

Function

The display pki entity command displays information about PKI entities.

Format

display pki entity [ entity-name ]

Parameters

Parameter Description Value
entity-name Specifies the name of a PKI entity. If the entity-name parameter is not specified, information about all entities is displayed. The value must be an existing PKI entity name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command displays information about PKI entities, including the entity name, common name, country, state or province, locality, and the organization and organization unit to which each entity belongs.

Example

# Display information about all PKI entities.

<HUAWEI> display pki entity
PKI Entity Information:

  Entity Name      : a                                                          
  Common name      : chi                                                        
  Country          : -                                                          
  State            : A                                                          
  Locality         : -                                                          
  Organization     : A                                                          
  Organization unit: -                                                          
  FQDN             : www. e                                                     
  IP address       : -                                                          
  Email            : - 
  Serial-number    : - 
 Total Number: 1                         
Table 14-85  Description of the display pki entity command output

Item

Description

PKI Entity Information

Information about the PKI entity.

Entity Name

Entity name. It is configured using the pki entity command.

Common name

Common name of the entity. It is configured using the common-name command.

Country

Country where a PKI entity resides. It is configured using the country (PKI entity view) command.

State

Province where a PKI entity resides. It is configured using the state (PKI entity view) command.

Locality

Location of a PKI entity. It is configured using the locality command.

Organization

Organization to which a PKI entity belongs. It is configured using the organization command.

Organization unit

Organization unit to which a PKI entity belongs. It is configured using the organization-unit command.

FQDN

FQDN name of a PKI entity. It is configured using the fqdn command.

IP address

IP address of a PKI entity. It is configured using the ip-address command.

Email

Email address. It is configured using the email command.

Serial-number

Serial number of the entity. It is configured using the serial-number command.

display pki ocsp cache statistics

Function

The display pki ocsp cache statistics command displays statistics about cached OCSP responses.

Format

display pki ocsp cache statistics

NOTE:

Only devices in cloud management mode support this command.

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command shows statistics about cached OCSP responses, including the maximum number of OCSP responses that can be cached, cache update interval, and number of cached responses.

Example

# Display statistics about cached OCSP responses.

<HUAWEI> display pki ocsp cache statistics
                                                                                
=====================================================                           
    OCSP Cache Function: Enable                                                 
    OCSP Cache Max Number: 2
    OCSP Cache Refresh Interval: 5 minutes                                      
    OCSP Cache Current Number: 0                                                
=====================================================   
Table 14-86  Description of the display pki ocsp cache statistics command output

Item

Description

OCSP Cache Function

Whether OCSP caching is enabled.
  • Enable
  • Disable

It is configured using the pki ocsp response cache enable command.

OCSP Cache Max Number

Maximum size of OCSP cache. It is configured using the pki ocsp response cache number command.

OCSP Cache Refresh Interval

OCSP cache update interval. It is configured using the pki ocsp response cache refresh interval command.

OCSP Cache Current Number

Number of cached OCSP responses.

display pki ocsp cache detail

Function

The display pki ocsp cache detail command displays detailed information about the OCSP cache.

NOTE:

Only devices in cloud management mode support this command.

Format

display pki ocsp cache detail

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run this command to view detailed information about the OCSP cache.

Example

# Display detailed information about the OCSP cache.

<HUAWEI> display pki ocsp cache detail
===================================================
Cache Hash Status Info:                                                         
num_items             = 0                                                       
num_nodes             = 8                                                       
num_alloc_nodes       = 16                                                      
num_expands           = 0                                                       
num_expand_reallocs   = 0                                                       
num_contracts         = 0                                                       
num_contract_reallocs = 0                                                       
num_hash_calls        = 0                                                       
num_comp_calls        = 0                                                       
num_insert            = 0                                                       
num_replace           = 0                                                       
num_delete            = 0                                                       
num_no_delete         = 0                                                       
num_retrieve          = 0                                                       
num_retrieve_miss     = 0                                                       
num_hash_comps        = 0                                                       
                                                                                
Cache Hash Node Status Info:                                                    
node      0 ->   0                                                              
node      1 ->   0                                                              
node      2 ->   0                                                              
node      3 ->   0                                                              
node      4 ->   0                                                              
node      5 ->   0                                                              
node      6 ->   0                                                              
node      7 ->   0                                                              
                                                                                
Cache Hash Node Usage Status Info:                                              
0 nodes used out of 8                                                           
0 items                                                                         
=====================================================
Table 14-87  Description of the display pki ocsp cache detail command output

Item

Description

Cache Hash Status Info

Hash status of the OCSP cache.

num_items

Number of items currently stored in the hash table.

num_nodes

Number of hash buckets (nodes) in the table.

num_alloc_nodes

Number of bucket slots allocated; the table can grow to this size before reallocating.

num_expands

Number of times the table was expanded.

num_expand_reallocs

Number of expansions that required reallocating the bucket array.

num_contracts

Number of times the table was contracted.

num_contract_reallocs

Number of contractions that required reallocating the bucket array.

num_hash_calls

Number of times the hash function was invoked.

num_comp_calls

Number of times the key comparison function was invoked.

num_insert

Number of insert operations.

num_replace

Number of inserts that replaced an existing item.

num_delete

Number of delete operations.

num_no_delete

Number of delete operations that found no matching item.

num_retrieve

Number of lookup operations.

num_retrieve_miss

Number of lookups that found no matching item.

num_hash_comps

Number of item comparisons made while walking a bucket chain.

Cache Hash Node Status Info

Hash node status in the OCSP cache. For example, node 0 -> 0 indicates that the number 0 node is unused; node 0 -> 1 indicates that the number 0 node is in use.

Cache Hash Node Usage Status Info

Hash node use status in the OCSP cache.

n nodes used out of 8

There are 8 hash nodes, and n of them are in use.

n items

n items are stored in the hash table.

display pki ocsp server down-information

Function

The display pki ocsp server down-information command displays the DOWN state information of the OCSP server recorded on the device.

NOTE:

Only devices in cloud management mode support this command.

Format

display pki ocsp server down-information

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

There is a mechanism to determine whether the OCSP server is down. When the OCSP server corresponding to a URL cannot be accessed, the server status is set to DOWN. In this case, the device will not send OCSP requests to the URL for 10 minutes.

Example

# Display the DOWN state information of the OCSP server.

<HUAWEI> display pki ocsp server down-information
                                                                                                                                    
=====================================================                                                                               
  Server URL: http://172.16.73.168/ocsp                                                                                             
  Timeout Times: 1                                                                                                                  
  Last timeout until now: 5 seconds                                                                                                 
=====================================================    
Table 14-88  Description of the display pki ocsp server down-information command output

Item

Description

Server URL

URL of an unreachable OCSP server. It is configured using the ocsp url command.

Timeout Times

Number of connection timeouts recorded for the URL.

Last timeout until now

Time elapsed since the last connection timeout.
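The usage guidelines above describe a hold-down: once a URL times out it is marked DOWN and left alone for 10 minutes. The class below is an added example, not Huawei code and not part of this document, that models that mechanism so the two fields of the output can be reproduced from recorded events. The class and method names, the reference time and the pick_responder fallback policy are this example's own assumptions; the device's actual fallback behaviour when every responder is DOWN is not described on this page.

```python
from datetime import datetime, timedelta, timezone

DOWN_HOLD = timedelta(minutes=10)  # hold-down described on the page for a DOWN URL
EPOCH = datetime(2015, 12, 16, tzinfo=timezone.utc)  # constructed reference time

def at(seconds):
    """Timestamp `seconds` after EPOCH (helper for the worked run)."""
    return EPOCH + timedelta(seconds=seconds)

class OcspServerTracker:
    """Per-URL timeout bookkeeping with a hold-down, as the page describes."""

    def __init__(self, hold=DOWN_HOLD):
        self.hold = hold
        self._timeouts = {}  # url -> [timeout count, time of last timeout]

    def record_timeout(self, url, now):
        entry = self._timeouts.setdefault(url, [0, now])
        entry[0] += 1
        entry[1] = now

    def record_success(self, url):
        # A successful exchange clears the DOWN record (example policy).
        self._timeouts.pop(url, None)

    def is_down(self, url, now):
        entry = self._timeouts.get(url)
        return entry is not None and now - entry[1] < self.hold

    def down_information(self, now):
        """Same fields as `display pki ocsp server down-information`."""
        return [{"Server URL": url, "Timeout Times": count,
                 "Last timeout until now": int((now - last).total_seconds())}
                for url, (count, last) in self._timeouts.items()
                if self.is_down(url, now)]

    def pick_responder(self, urls, now):
        """First configured URL not in hold-down, or None. When it is None the
        caller has to decide: fail closed (status unknown) or fall back to a
        CRL. That decision is this example's, not the device's."""
        for url in urls:
            if not self.is_down(url, now):
                return url
        return None

if __name__ == "__main__":
    tracker = OcspServerTracker()
    url = "http://172.16.73.168/ocsp"          # URL from the page's output
    tracker.record_timeout(url, at(0))
    print(tracker.down_information(at(5)))     # mirrors the output shown above
    print(tracker.pick_responder([url], at(5)))      # None: held down
    print(tracker.pick_responder([url], at(600)))    # retried after 10 minutes
```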

display pki peer-certificate

Function

The display pki peer-certificate command displays the imported certificates of the remote device.

Format

display pki peer-certificate { name peer-name | all }

Parameters

Parameter

Description

Value

name peer-name

Specifies the name of a peer certificate.

The value must be an existing peer certificate file name.

all

Displays brief information about all certificates of the remote device.

-

Views

All views

Default Level

2: Configuration level

Usage Guidelines

This command shows information about imported certificates of the remote device, including signature algorithm, issuer, validity period, subject, public key, and PKI realm.

Example

# Display brief information about all certificates of the remote device.

<HUAWEI> display pki peer-certificate all
  Peer certificate name :abcd
  Serial Number:
    12 19 3c d3 00 00 00 00 04 9a
  Subject:
    CN=a

Total Number: 1

# Display detailed information about the certificate abcd of the remote device.

<HUAWEI> display pki peer-certificate name abcd
The x509 object type is certificate:                                           
Certificate:                                                                    
    Data:                                                                       
        Version: 3 (0x2)                                                        
        Serial Number:                                                          
            12:19:3c:d3:00:00:00:00:04:9a                                       
    Signature Algorithm: sha1WithRSAEncryption                                  
        Issuer: CN=CA_ROOT                                                      
        Validity                                                                
            Not Before: Feb 19 13:00:22 2013 GMT                                
            Not After : Feb 19 13:10:22 2014 GMT                                
        Subject: CN=a                                                           
        Subject Public Key Info:                                                
            Public Key Algorithm: rsaEncryption                                 
                Public-Key: (512 bit)                                           
                Modulus:                                                        
                    00:b9:8b:47:65:a9:99:ed:58:b2:63:74:65:56:d1:               
                    08:bb:1d:8f:4e:ed:72:a2:4a:ef:d8:45:3d:53:db:               
                    c8:eb:df:53:9e:5f:c7:96:46:65:14:1a:ab:72:e9:               
                    a2:71:c8:7a:f0:51:0c:cc:39:bb:14:75:7d:f1:bc:               
                    88:2c:a7:2e:e9                                              
                Exponent: 65537 (0x10001)                                       
        X509v3 extensions:                                                      
            X509v3 Subject Key Identifier:                                      
                E2:5B:8A:03:58:01:C8:E3:14:BC:18:5B:F9:BD:00:68:5B:D1:90:4E     
            X509v3 Authority Key Identifier:                                    
                keyid:CE:BA:CA:39:C7:AD:6A:CB:85:17:D0:8A:8E:28:02:0B:52:D4:D9:2B
                                                                                
            X509v3 CRL Distribution Points:                                     
                                                                                
                Full Name:                                                      
                  URI:http://10.136.55.76:8080/CertEnroll/CA_ROOT.crl           
                                                                                
            Authority Information Access:                                       
                CA Issuers - URI:ldap:///CN=CA_ROOT,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=esap,DC=com?cACertificate?base?objectClass=certificationAuthority
                CA Issuers - URI:http://huawei-nzm5gw2g.esap.com/CertEnroll/huawei-nzm5gw2g.esap.com_CA_ROOT.crt
                                                                                
            1.3.6.1.4.1.311.20.2:                                               
                .0.I.P.S.E.C.I.n.t.e.r.m.e.d.i.a.t.e.O.f.f.l.i.n.e              
    Signature Algorithm: sha1WithRSAEncryption                                  
         bb:8b:77:af:ae:df:2e:0c:bd:7a:29:6e:76:23:ad:7d:69:6d:                 
         0d:16:d9:18:82:ad:4f:52:b3:cd:1c:1a:fc:34:00:33:36:8d:                 
         47:2a:20:24:52:b7:02:75:cc:ab:3b:4c:f8:2a:a9:a9:4f:46:                 
         fb:c2:21:00:c1:b5:c2:67:0c:b1:99:2a:62:7b:71:4d:e7:c2:                 
         93:29:bb:ec:b1:e9:28:82:2f:77:61:ec:28:66:35:cb:5f:15:                 
         04:73:77:d8:26:91:7b:a2:56:74:51:33:0b:f1:04:28:24:b2:                 
         71:58:ad:5c:f8:96:17:0d:f7:b7:5f:4b:b9:ed:09:79:bc:54:                 
         21:c5:9b:90:f7:7b:21:aa:5a:aa:6f:51:e4:79:ce:b8:35:8b:                 
         19:90:51:94:e6:c2:61:f8:24:46:85:4c:a9:69:bd:8a:ef:c2:                 
         64:b8:19:ab:0b:6b:ec:34:41:8d:43:43:44:d1:1b:4c:4a:23:                 
         cd:40:52:7a:2e:8c:5d:b6:62:55:93:45:c8:3e:de:b1:51:82:                 
         d0:bb:7c:b8:09:7b:97:08:7b:93:17:40:a8:6f:2d:ed:f4:3e:                 
         36:10:2a:20:e3:47:e1:fb:ad:fe:97:73:a7:53:d0:f8:52:ca:                 
         b6:0e:e8:f1:df:6c:7a:37:39:bb:82:f9:03:c9:4a:71:65:df:                 
         6f:37:e6:b7                                                            
                                                                                
Pki realm name: -                                                               
Certificate file name: -                                                        
Certificate peer name: abcd  
Table 14-89  Description of the display pki peer-certificate command output

Item

Description

Peer certificate name Peer certificate name.
The x509 object type is certificate x509 object type is certificate.
Certificate Information about a certificate.
Data Data of a certificate.
Version Version of a certificate.
Serial Number Serial number of a certificate.
Signature Algorithm Signature algorithm of a certificate.
Issuer Issuer of a certificate.
Validity Validity period of a certificate.

Subject

Subject of the certificate.

Subject Public Key Info

Public key of the certificate.

Public Key Algorithm

Public key algorithm.

Public-Key

Information about the RSA public key.

Modulus Key modulus.
Exponent Key exponent.
X509v3 extensions X509v3 certificate extensions.
X509v3 Subject Key Identifier Identifier of a subject key.
X509v3 CRL Distribution Points CRL distribution points.
Full Name Full name (URI) of the CRL distribution point.
Authority Information Access Authority information access.
Pki realm name PKI realm name.
Certificate file name Certificate file name.
Certificate peer name Certificate peer name.
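The two certificate dumps on this page (display pki certificate built-in-ca and display pki peer-certificate name) carry everything needed to judge whether a certificate should be trusted: key size, signature algorithm, validity window and the Basic Constraints/Key Usage pair. The peer certificate shown above, for instance, has a 512-bit RSA key, an SHA-1 signature and expired in 2014. The script below is an added example, not Huawei code and not part of this document: it parses constructed samples in the shape of those outputs (values copied from the page, modulus and signature bytes trimmed) and applies a review policy. The sample text, the function names and the policy thresholds are this example's own.

```python
import re
from datetime import datetime, timezone

TIME_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_time(text):
    """Parse the OpenSSL-style timestamps in the display output as UTC."""
    return datetime.strptime(" ".join(text.split()), TIME_FMT).replace(tzinfo=timezone.utc)

# Constructed samples, shaped like the page's two certificate dumps.
SAMPLE_CA_CERT = """\
Certificate:
        Serial Number:
            f2:1c:74:f0:df:e0:2f:c6
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Jiangsu, L=Beijing, O=org1, OU=Group1,Sale, CN=huawei
        Validity
            Not Before: Oct 23 23:44:55 2015 GMT
            Not After : Oct 13 23:44:55 2055 GMT
        Subject: C=CN, ST=Jiangsu, L=Beijing, O=org1, OU=Group1,Sale, CN=huawei
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
"""

SAMPLE_PEER_CERT = """\
Certificate:
        Serial Number:
            12:19:3c:d3:00:00:00:00:04:9a
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=CA_ROOT
        Validity
            Not Before: Feb 19 13:00:22 2013 GMT
            Not After : Feb 19 13:10:22 2014 GMT
        Subject: CN=a
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E2:5B:8A:03:58:01:C8:E3:14:BC:18:5B:F9:BD:00:68:5B:D1:90:4E
"""

def parse_cert(text):
    """Pull the security-relevant fields out of a certificate dump."""
    cert = {"ca": False, "key_usage": []}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, s in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""   # value on the next line
        if s == "Serial Number:":
            cert["serial"] = nxt.replace(":", "").upper()
        elif s.startswith("Signature Algorithm:") and "sig_alg" not in cert:
            cert["sig_alg"] = s.split(":", 1)[1].strip()     # first occurrence only
        elif s.startswith("Issuer:"):
            cert["issuer"] = s.split(":", 1)[1].strip()
        elif s.startswith("Subject:"):
            cert["subject"] = s.split(":", 1)[1].strip()
        elif s.startswith("Not Before"):
            cert["not_before"] = parse_time(s.split(":", 1)[1])
        elif s.startswith("Not After"):                      # printed as "Not After :"
            cert["not_after"] = parse_time(s.split(":", 1)[1])
        elif s.startswith("Public-Key:"):
            cert["key_bits"] = int(re.search(r"\((\d+) bit\)", s).group(1))
        elif s.startswith("X509v3 Basic Constraints"):
            cert["ca"] = "CA:TRUE" in nxt
        elif s.startswith("X509v3 Key Usage"):
            cert["key_usage"] = [u.strip() for u in nxt.split(",")]
    return cert

MIN_RSA_BITS = 2048                 # example policy thresholds
WEAK_DIGESTS = ("md5", "sha1")

def audit_cert(cert, now, expect_ca):
    """Apply the review policy; returns a list of findings (empty means clean)."""
    findings = []
    if cert["key_bits"] < MIN_RSA_BITS:
        findings.append("rsa key is %d bits, below %d" % (cert["key_bits"], MIN_RSA_BITS))
    if cert["sig_alg"].lower().startswith(WEAK_DIGESTS):
        findings.append("deprecated signature algorithm " + cert["sig_alg"])
    if not cert["not_before"] <= now <= cert["not_after"]:
        findings.append("outside validity period")
    if cert["ca"] != expect_ca:
        findings.append("CA:%s but used as %s" % (cert["ca"], "CA" if expect_ca else "end entity"))
    if cert["ca"] and "Certificate Sign" not in cert["key_usage"]:
        findings.append("CA certificate lacks Certificate Sign key usage")
    return findings

if __name__ == "__main__":
    now = parse_time("Jan 01 00:00:00 2016 GMT")
    for name, text, is_ca in (("built-in-ca", SAMPLE_CA_CERT, True), ("peer abcd", SAMPLE_PEER_CERT, False)):
        for finding in audit_cert(parse_cert(text), now, is_ca) or ["ok"]:
            print(name + ":", finding)
```

The expect_ca argument is the check most often skipped in practice: a peer certificate with CA:TRUE, or a CA certificate without the Certificate Sign usage, will still parse and display cleanly, so the role a certificate is used in has to be supplied by the reviewer rather than read from the dump.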

display pki realm

Function

The display pki realm command displays PKI realm information.

Format

display pki realm [ realm-name ]

Parameters

Parameter Description Value
realm-name

Specifies the name of the PKI realm whose details are displayed.

If the parameter is left blank, information about all PKI realms is displayed.

The PKI realm name must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command displays details about a PKI realm, including PKI realm name, associated CA, CA certificate subject name, URL of the certificate enrolled through SCEP, PKI entity name, digital fingerprint algorithm of CA certificate, and digital fingerprint of CA certificate.

Example

# Display information about the PKI realm abc.

<HUAWEI> display pki realm abc
 Realm Name : abc                                                               
 CA ID: CA_ROOT                                                                 
 CA Name: "/CN=ca_root"                                                         
 Enrollment URL: http://10.136.7.196:8080/certsrv/mscep/mscep.dll               
 Certificate Request Interval(Minutes): 1                                       
 Certificate Request Times: 5                                                   
 Enrollment Mode: RA                                                            
 Enrollment Method: SCEP                                                        
 Entity Name: abc                                                               
 CA Certificate Fingerprint Arithmetic: sha256                                  
 CA Certificate Fingerprint: e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0
 OCSP Nonce: Enable
 OCSP URL: -
 Method for Getting CRL: HTTP                                                   
 CDP URL: -                                                                     
 Certificate Revocation Check Method: -                                         
 RSA Key Name: abc                                                              
 Auto-enroll: Enable 
 Auto-enroll Percent: 100% 
 Auto-enroll Regenerate: Enable
 Auto-enroll Regenerate Key-size: 2048 
 Auto-enroll Updated-effective: Disable 
 Password Cipher: Enable 
 Password: %^%#:,3/YY@~[@(`1DBbZ&o$s`B\@S+3:UT0tF9EzSM:%^%# 
 Crl Update-period(Hours): 8                                                    
 Crl Cache: Enable                                                              
 Key-usage: -                                                                   
 Vpn-instance: -                                                                
 Source Interface: -
 Enrollment-request Signature Message-digest-method: SHA256
                                                                                
 Total Number: 1 
Table 14-90  Description of the display pki realm command output

Item

Description

Realm Name

PKI realm name. It is configured using the pki realm (system view) command.

CA ID

ID of the CA associated with the PKI realm.

CA Name

Subject name of a CA certificate.

Enrollment URL

URL of the certificate enrolled on the SCEP server. It is configured using the enrollment-url command.

Certificate Request Interval(Minutes)

Interval between two certificate enrollment status queries.

Certificate Request Times

Maximum number of certificate enrollment status queries.

Enrollment Mode

Certificate enrollment mode (whether enrolled through RA). It is configured using the enrollment-url command.

Enrollment Method

Certificate enrollment method, including:

  • SCEP: obtains certificate from CA using the SCEP protocol.

  • Self-Signed: obtains certificate using self-signature.

Entity Name

PKI entity name. It is configured using the entity command.

CA Certificate Fingerprint Arithmetic

Fingerprint algorithm of the CA certificate. It is configured using the fingerprint command.

CA Certificate Fingerprint

Digital fingerprint of the CA certificate. It is configured using the fingerprint command.

OCSP Nonce

Whether a nonce extension is added to the OCSP request sent by a PKI entity.
  • Enable: A nonce extension is added to the OCSP request sent by a PKI entity.
  • Disable: A nonce extension is not added to the OCSP request sent by a PKI entity.

It is configured using the ocsp nonce enable command.

OCSP URL

OCSP server's URL. It is configured using the ocsp url command.

Method for Getting CRL

Method of obtaining CRL.
  • SCEP: updates the CRL automatically using SCEP. It is configured using the crl scep command.

  • HTTP: updates the CRL automatically using HTTP. It is configured using the crl http command.

CDP URL

URL of the CDP. It is configured using the cdp-url command.

Crl Cache

Whether the PKI realm is allowed to use the CRL in cache.
  • Enable: The PKI realm is allowed to use the CRL in cache.
  • Disable: The PKI realm is not allowed to use the CRL in cache.

To configure whether to allow the PKI realm to use the CRL in cache, run the crl cache command.

Certificate Revocation Check Method

Certificate status check method. It is configured using the certificate-check command.

RSA Key Name

RSA key. It is configured using the rsa local-key-pair command.

Auto-enroll

Whether automatic certificate enrollment is enabled.
  • Enable: Automatic certificate enrollment is enabled.
  • Disable: Automatic certificate enrollment is disabled.

It is configured using the auto-enroll command.

Auto-enroll Percent

Percentage of the certificate's validity period after which a new certificate is requested automatically. It is configured using the auto-enroll command.

Auto-enroll Regenerate

Whether a new RSA key pair is generated during certificate updates.

  • Enable: A new RSA key pair is generated during certificate updates.
  • Disable: The existing RSA key pair is kept during certificate updates.

It is configured using the auto-enroll command.

Auto-enroll Regenerate Key-size

RSA key length. It is configured using the auto-enroll command.

Auto-enroll Updated-effective

Whether the certificate takes effect immediately after being updated.
  • Enable: The certificate takes effect immediately after being updated.
  • Disable: The certificate does not take effect immediately after being updated.

It is configured using the auto-enroll command.

Password Cipher

Whether the challenge password can be used.
  • Enable: The challenge password can be used.
  • Disable: The challenge password cannot be used.

Password

Password used to apply for or revoke a certificate. It is configured using the password (PKI realm view) command.

Crl Update-period(Hours)

CRL update interval. It is configured using the crl update-period command.

Key-usage

Purpose information carried in a certificate request packet. It is configured using the key-usage command.

Vpn-instance

VPN to which the PKI realm is added. It is configured using the vpn-instance command.

Source Interface

Source interface used by the device to communicate with the PKI server. It is configured using the source interface command.

Enrollment-request Signature Message-digest-method

Digest method used for the enrollment request packet of signed certificate. It is configured using the enrollment-request signature message-digest-method command.

display pki rsa local-key-pair

Function

The display pki rsa local-key-pair command displays the public key in the RSA key pair.

Format

display pki rsa local-key-pair { pem | pkcs12 } filename [ password password ]

display pki rsa local-key-pair [ name key-name ] public [ temporary ]

Parameters

Parameter Description Value
pem Indicates that the file format is PEM. -
pkcs12 Indicates that the file format is PKCS12. -
filename Specifies the name of the file that contains the RSA key pair. The file must already exist.
password password Specifies the password used to decrypt the RSA key pair. The value must be the same as the password set with pki export rsa-key-pair when the key pair was exported.
name key-name Specifies the RSA key pair name. The RSA key pair name must already exist.
temporary Displays information about the RSA key pair saved in the temporary zone. -

Views

All views

Default Level

3: Management level

Usage Guidelines

This command shows information about the RSA key pair and public key, including key pair creation time, key pair name, whether the key can be exported, and public key information.

If key-name is not specified, all RSA key pairs and public keys are displayed. If key-name is specified, the specified RSA key pair and public key are displayed.

Example

# Display information about all RSA key pairs.

<HUAWEI> display pki rsa local-key-pair public 

=====================================================                           
Time of Key pair created: 17:43:42  2016/4/18                                   
Key Name: abc                                                                   
Key Index: 0                                                                    
Key Modules: 2048 bit                                                           
Key Exportable: Yes                                                             
Key Type: RSA signature key                                                     
=====================================================                           
Key code:                                                                       
30820109                                                                        
  02820100                                                                      
    C23344E1 B2C2D653 EB134011 9266C6CC 7C18C45F                                
    440AF31F 98B29D4C D436757B F6785BB5 09EFA2A1                                
    09FDBB24 62F1914D 4F10678F 3BE8E3C0 E6F02FC9                                
    AFE2ADDE 98E07D2C A5732288 A5280D2B 6A785F59                                
    A8D19D37 9B80F7EF 1B15FB77 BD9C54D0 01AF270F                                
    90258F65 1A631282 50002C4F 23EF0482 1F62E356                                
    AC700041 B31AB3B4 5C7EB4C0 AFF2E5AF 3DDA4F4E                                
    F5B86502 08BA7AFE 37204C67 7149AE52 1462F25E                                
    16B777E8 E71BCFBE 0E9E02A7 C5FE6120 304BE6C3                                
    CEB2575A EA24EBB6 BA420994 C50F3662 D8F24F25                                
    0D833865 5A127754 2E954F7F 16292DAA AF9D2371                                
    E669ADFF 4EA9FFF8 CE8488D7 344EBCEB AAA74116                                
    B30EF506 C64A726E B1013CB4 E8FA6707                                         
  0203                                                                          
    010001                                                                      
Table 14-91  Description of the display pki rsa local-key-pair command output

Item

Description

Time of Key pair created

Time when the RSA key pair is created.

Key Name

Name of a key pair. It is configured using the pki rsa local-key-pair create command.

Key Index

Index of the key.

Key Modules

Length of the key modulus, in bits.

Key Exportable

Whether the key can be exported.

Key Type

Type of the key.

Key code

Public key in the RSA key pair.

email

Function

The email command configures an email address for a PKI entity.

The undo email command cancels the configuration.

By default, no email address for an entity is configured.

Format

email email-address

undo email

Parameters

Parameter Description Value
email-address Specifies the email address of an entity. The value is a string of 1 to 128 case-sensitive characters, including letters, numerals, apostrophes ('), equal signs (=), parentheses (), plus signs (+), minus signs (-), periods (.), slashes (/), colons (:), at signs (@), underscores (_), and spaces.

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

The parameters of a PKI entity contain the identity information of the entity. The CA identifies a certificate applicant based on identity information provided by the entity. To facilitate applicant identification, configure an email address for the PKI entity, which is used as an alias of the entity.

After the email address is configured for a PKI entity, the certificate request packet sent by the device to the CA server carries this email address. The CA server verifies every received certificate request packet. For each valid packet, the CA server generates a digital certificate carrying the email address of the PKI entity.

Example

# Set the email address to test@example.com for an entity.

<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] email test@example.com

enrollment self-signed

Function

The enrollment self-signed command configures self-signed certificate obtaining in the PKI realm.

The undo enrollment self-signed command restores the default certificate obtaining method.

By default, the certificate in a PKI realm, except the default PKI realm, is obtained in SCEP mode.

Format

enrollment self-signed

undo enrollment self-signed

Parameters

None

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The enrollment self-signed command configures self-signed certificate obtaining in the PKI realm. The device can use the self-signed certificate obtained from the PKI realm default to support default HTTPS functions.

Precautions

The device does not support lifecycle management for self-signed certificates: they cannot be registered, updated, or revoked on the device. To ensure the security of the device and its certificates, it is recommended that a certificate issued by a CA be used instead.

To configure self-signed certificate obtaining, delete the certificate obtained in SCEP mode in the PKI realm.

By default, the certificate in the PKI realm default is obtained in self-signed mode.

After the enrollment self-signed command is run, the device will not generate certificate expiration logs when its self-signed certificate expires.

Example

# Configure self-signed certificate obtaining in the PKI realm abc.

<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] enrollment self-signed

enrollment-request signature message-digest-method

Function

The enrollment-request signature message-digest-method command sets the message digest method of signature for the enrollment request.

The undo enrollment-request signature message-digest-method command restores the default message digest method.

By default, the message digest method of signature for the enrollment request is sha-256.

Format

enrollment-request signature message-digest-method { md5 | sha1 | sha-256 | sha-384 | sha-512 }

undo enrollment-request signature message-digest-method

Parameters

Parameter Description Value
md5 Sets the digest method used for the enrollment request packet of signed certificate to MD5. -
sha1 Sets the digest method used for the enrollment request packet of signed certificate to SHA1. -
sha-256 Sets the digest method used for the enrollment request packet of signed certificate to SHA2-256. -
sha-384 Sets the digest method used for the enrollment request packet of signed certificate to SHA2-384. -
sha-512 Sets the digest method used for the enrollment request packet of signed certificate to SHA2-512. -

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

In SCEP local certificate application mode, the PKI entity signs the certificate enrollment request it sends to the CA server. After receiving the request, the CA server verifies this signature and generates the local certificate only after the verification succeeds. This command sets the message digest algorithm used in that signature.

MD5 and SHA1 are weak algorithms. The other algorithms (sha-256, sha-384, and sha-512) are more secure and are recommended.

Example

# Set the message-digest method of signature for enrollment request to be sha-384.

<HUAWEI> system-view
[HUAWEI] pki realm e
[HUAWEI-pki-realm-e] enrollment-request signature message-digest-method sha-384

enrollment-url

Function

The enrollment-url command configures the URL of the CA server.

The undo enrollment-url command deletes the URL of the CA server.

By default, the URL of the CA server is not configured.

Format

enrollment-url [ esc ] url [ interval minutes ] [ times count ] [ ra ]

undo enrollment-url

Parameters

Parameter Description Value
esc Indicates that the URL address is in ASCII mode. -
url

Specifies the URL of the CA server.

The URL is in the format of http://server_location/ca_script_location. server_location can use only the IP address format and domain name resolution. ca_script_location is the path where CA's application script is located. For example, http://10.137.145.158:8080/certsrv/mscep/mscep.dll.

The value is a string that starts with http:// and consists of 1 to 128 case-sensitive characters without spaces.

interval minutes

Specifies the interval between two certificate enrollment status queries.

The value is an integer that ranges from 1 to 1440, in minutes. The default value is 1.

times count

Specifies the maximum number of certificate enrollment status queries.

The value is an integer that ranges from 1 to 100. The default value is 5.

ra Configures an RA to authenticate a PKI entity's identity information during local certificate application. By default, a CA authenticates a PKI entity's identity information during local certificate application. -

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

The URL refers to the address provided by a CA server for certificate application. For example, a CA server running Windows Server 2008 uses a URL address in the format http://host:port/certsrv/mscep/mscep.dll, in which host indicates the IP address of the CA server and port indicates the port number.

The keyword esc allows a URL that contains a question mark (?) to be entered using the character's ASCII code: the question mark is typed as \x3f, where 3f is the hexadecimal ASCII code of the question mark (?). For example, to enter http://abc.com?page1, type http://abc.com\x3fpage1. If the URL contains both a question mark (?) and the literal sequence \x3f, as in http://www.abc.com?page1\x3f, type http://www.abc.com\x3fpage1\\x3f.

Example

# Create a PKI realm test and configure the URL of the CA server.

<HUAWEI> system-view
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] enrollment-url http://10.13.14.15:8080/certsrv/mscep/mscep.dll ra

entity

Function

The entity command specifies a PKI entity that applies for a certificate.

The undo entity command cancels a PKI entity.

By default, no PKI entity is specified.

Format

entity entity-name

undo entity

Parameters

Parameter Description Value
entity-name

Specifies the name of a PKI entity.

The value must be an existing PKI entity name.

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a PKI entity requests the local certificate in the PKI realm, the device encapsulates the configuration of the specified PKI entity into the certificate request.

Prerequisites
  1. The specified PKI entity has been configured by using the pki entity command.
  2. The common name of the PKI entity has been configured using the common-name command.
Precautions

A PKI realm can be bound to only one PKI entity.

Example

# Bind the PKI entity a to the PKI realm abc.

<HUAWEI> system-view
[HUAWEI] pki entity a
[HUAWEI-pki-entity-a] common-name test
[HUAWEI-pki-entity-a] quit
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] entity a

fingerprint

Function

The fingerprint command configures the CA certificate fingerprint used in CA certificate authentication.

The undo fingerprint command deletes the CA certificate fingerprint used in CA certificate authentication.

By default, no CA certificate fingerprint is configured for CA certificate authentication.

Format

fingerprint { md5 | sha1 | sha256 } fingerprint

undo fingerprint

Parameters

Parameter Description Value
md5 Sets the digital fingerprint algorithm to MD5. -
sha1 Sets the digital fingerprint algorithm to SHA1. -
sha256 Sets the digital fingerprint algorithm to SHA256. -
fingerprint

Specifies the digital fingerprint value.

This value needs to be obtained from the CA server offline. For example, from a CA server running Windows Server 2008, you can obtain the digital fingerprint at http://host:port/certsrv/mscep_admin/, in which host indicates the server's IP address and port indicates the port number.

The digital fingerprint value is a hexadecimal string of case-insensitive characters.
  • An MD5 fingerprint consists of 32 characters (16 bytes).
  • An SHA1 fingerprint consists of 40 characters (20 bytes).
  • An SHA256 fingerprint consists of 64 characters (32 bytes).

Views

PKI realm view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When obtaining a CA certificate, the device calculates the fingerprint of the received CA certificate with the configured algorithm and compares it with the configured fingerprint. If the two values match, the device accepts the CA certificate. When verifying a certificate, the device uses the public key of the CA certificate to check the certificate's digital signature. If the signature verifies, the certificate is valid.

Precautions

You can configure an algorithm to calculate the CA certificate fingerprint. If you run the fingerprint command multiple times in the same PKI realm view, only the latest configuration takes effect.

The MD5 and SHA1 algorithms have a low security level. SHA256 is recommended.

Example

# Configure the CA certificate fingerprint used in CA certificate authentication.

<HUAWEI> system-view
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] fingerprint sha256 e71add0744360e91186b828412d279e06dcc15a4ab4bb3d13842820396b526a0
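As an added example that is not part of the Huawei documentation, the following Python performs the check described in the usage guidelines offline: it hashes a DER-encoded CA certificate with the configured algorithm, validates the configured fingerprint against the 32/40/64-character rules from the parameter table, and accepts the certificate only when the two values match. The SAMPLE_DER bytes are a constructed placeholder rather than a real certificate, and the function names are the example's own.

```python
"""Offline check of a CA certificate against a pinned fingerprint.

Mirrors the procedure in the fingerprint command's usage guidelines: hash the
CA certificate with the configured algorithm and accept it only when the
result equals the configured value. Function names are this example's own.
"""
import base64
import hashlib
import hmac
import re

# Hex-string length of a fingerprint per algorithm, as given in the parameter
# table (32 characters / 16 bytes for MD5, 40 / 20 for SHA1, 64 / 32 for SHA256).
FINGERPRINT_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM document."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def certificate_fingerprint(der: bytes, algorithm: str) -> str:
    """Lowercase hex digest of the DER-encoded certificate."""
    if algorithm not in FINGERPRINT_HEX_LEN:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hashlib.new(algorithm, der).hexdigest()


def valid_fingerprint(algorithm: str, configured: str) -> bool:
    """True if configured is a hex string of the right length for algorithm.

    The command accepts the value case-insensitively, so case is ignored.
    """
    value = configured.strip().lower()
    expected_len = FINGERPRINT_HEX_LEN.get(algorithm)
    if expected_len is None or re.fullmatch(r"[0-9a-f]+", value) is None:
        return False
    return len(value) == expected_len


def ca_certificate_accepted(der: bytes, algorithm: str, configured: str) -> bool:
    """Accept the CA certificate only if its fingerprint equals the pinned one.

    hmac.compare_digest keeps the comparison time independent of where the
    first differing character is.
    """
    if not valid_fingerprint(algorithm, configured):
        raise ValueError(f"malformed {algorithm} fingerprint: {configured!r}")
    actual = certificate_fingerprint(der, algorithm)
    return hmac.compare_digest(actual, configured.strip().lower())


# Constructed placeholder bytes standing in for a DER certificate; not a real
# certificate, used only so the example runs offline.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    pinned = certificate_fingerprint(pem_to_der(SAMPLE_PEM), "sha256")
    print("sha256 fingerprint:", pinned)
    print("accepted with pinned value:",
          ca_certificate_accepted(SAMPLE_DER, "sha256", pinned.upper()))
    tampered = SAMPLE_DER[:-1] + bytes([SAMPLE_DER[-1] ^ 0x01])
    print("accepted after one flipped bit:",
          ca_certificate_accepted(tampered, "sha256", pinned))
```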

fqdn

Function

The fqdn command configures a fully qualified domain name (FQDN) for an entity.

The undo fqdn command cancels the configuration.

By default, no FQDN is configured for a PKI entity.

Format

fqdn fqdn-name

undo fqdn

Parameters

Parameter Description Value
fqdn-name Specifies the FQDN of an entity. The value is a string of 1 to 255 case-sensitive characters, including letters, numerals, apostrophes ('), equal signs (=), parentheses (), plus signs (+), minus signs (-), periods (.), slashes (/), colons (:), at signs (@), underscores (_), and spaces.

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

The parameters of a PKI entity contain the identity information of the entity. The CA identifies a certificate applicant based on identity information provided by the entity. To facilitate applicant identification, configure an FQDN for the PKI entity, which is used as an alias of the entity.

An FQDN is the unique identifier of a PKI entity. It consists of a host name and a domain name, and can be translated into an IP address. A sample of an FQDN is www.example.com.

After the FQDN is configured for a PKI entity, the certificate request packet sent by the device to the CA server carries this FQDN. The CA server verifies every received certificate request packet. For each valid packet, the CA server generates a digital certificate carrying the FQDN of the PKI entity.

Example

# Set the FQDN to example.com for an entity.

<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] fqdn example.com

ip-address

Function

The ip-address command configures an IP address for a PKI entity.

The undo ip-address command deletes the configuration.

By default, a PKI entity does not have an IP address.

Format

ip-address { ipv4-address | interface-type interface-number }

undo ip-address

Parameters

Parameter Description Value
ipv4-address Specifies the IPv4 address of a PKI entity. The value is in dotted decimal notation.
interface-type interface-number

Specifies the IP address of an interface of the PKI entity.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

The parameters of a PKI entity include the identity information of the PKI entity. The CA identifies a certificate applicant based on identity information provided by a PKI entity. To facilitate applicant identification, configure an IP address for the PKI entity, which is used as an alias of the PKI entity.

After an IP address is configured for a PKI entity, the certificate request packet sent by the device to the CA server carries this IP address. After receiving the certificate request packet, the CA server verifies the packet. For each valid packet, the CA server generates a digital certificate carrying the device IP address.

Example

# Set the IP address for a PKI entity to 10.1.1.1.

<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] ip-address 10.1.1.1

key-usage

Function

The key-usage command configures the purpose description for a certificate public key.

The undo key-usage command deletes the purpose description of a certificate public key.

By default, a certificate public key does not have a purpose description.

Format

key-usage { ike | ssl-client | ssl-server } *

undo key-usage { ike | ssl-client | ssl-server } *

Parameters

Parameter Description Value

ike

Specifies the usage of a key as ike. That is, the key is used to set up an IPSec tunnel.

-

ssl-client

Specifies the usage of a key as ssl-client. That is, the key is used by the SSL client to set up an SSL session.

-

ssl-server

Specifies the usage of a key as ssl-server. That is, the key is used by the SSL server to set up an SSL session.

-

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

To improve certificate security, you can add the usage information of a key to the certificate request packet sent from the device to the CA server.

After receiving the certificate request packet, the CA server verifies the packet. For each valid packet, the CA server generates a digital certificate carrying the usage information of the key.

For example, when setting up an SSL session, the SSL client uses its certificate to produce a digital signature and to encrypt the session key. After you specify the usage of the key as ssl-client with the key-usage ssl-client command, the certificate generated by the CA server carries this usage information (digital signature and key encipherment). Using the key for a purpose outside that usage information, for example to encrypt data, is invalid.

Example

# Specify the usage of a key as ssl-client.

<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] key-usage ssl-client

locality

Function

The locality command configures a locality name for a PKI entity.

The undo locality command cancels the configuration.

By default, a PKI entity does not have a locality name.

Format

locality locality-name

undo locality

Parameters

Parameter Description Value
locality-name Specifies the locality name of an entity. The value is a string of 1 to 32 case-sensitive characters, including letters, numerals, apostrophes ('), equal signs (=), parentheses (), plus signs (+), commas (,), minus signs (-), periods (.), slashes (/), colons (:), and spaces.

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

The parameters of a PKI entity contain the identity information of the entity. The CA identifies a certificate applicant based on identity information provided by the entity. To facilitate applicant identification, configure a locality name for the PKI entity, which is used as an alias of the entity.

After the locality name is configured for a PKI entity, the certificate request packet sent by the device to the CA server carries this locality name. The CA server verifies every received certificate request packet. For each valid packet, the CA server generates a digital certificate carrying the locality name of the PKI entity.

Example

# Set the locality name to Beijing for a PKI entity.

<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] locality Beijing

ocsp nonce enable

Function

The ocsp nonce enable command adds a nonce extension to the OCSP request sent by a PKI entity.

The undo ocsp nonce enable command cancels the configuration.

By default, the OCSP request sent by a PKI entity contains a nonce extension.

NOTE:

Only devices in cloud management mode support this command.

Format

ocsp nonce enable

undo ocsp nonce enable

Parameters

None

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

To improve the security and reliability of communication between a PKI entity and the OCSP server, this command adds a nonce extension (a random value) to each OCSP request sent by the PKI entity. If the nonce values on the PKI entity and the OCSP server do not match, communication fails.

Example

# Add a nonce extension to the OCSP request sent by a PKI entity.

<HUAWEI> system-view
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] ocsp nonce enable

ocsp signature enable

Function

The ocsp signature enable command enables the function of signing OCSP request packets.

The undo ocsp signature enable command disables the function of signing OCSP request packets.

By default, the function of signing OCSP request packets is disabled.

NOTE:

Only devices in cloud management mode support this command.

Format

ocsp signature enable

undo ocsp signature enable

Parameters

None

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

When the certificate check mode is set to OCSP, the device sends OCSP request packets to the OCSP server. To improve access security, run this command to enable signing on OCSP request packets.

Example

# Enable signing of OCSP request packets in the PKI realm abc.

<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] ocsp signature enable

ocsp url

Function

The ocsp url command configures the Uniform Resource Locator (URL) address for the Online Certificate Status Protocol (OCSP) server.

The undo ocsp url command deletes the URL address of the OCSP server.

By default, no URL address is configured for the OCSP server.

NOTE:

Only devices in cloud management mode support this command.

Format

ocsp url [ esc ] url-address

undo ocsp url

Parameters

Parameter Description Value
esc Indicates that the URL address is in ASCII mode. -
url-address Indicates the OCSP server's URL address. The value is a string starting with http:// and consisting of 1 to 128 case-sensitive characters without spaces.

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

If a certificate to be checked through OCSP does not contain the AIA option, run this command to configure the OCSP server's URL. If the certificate contains the AIA option, run the ocsp-url from-ca command instead, so that the PKI entity obtains the OCSP server's URL from the AIA option.

The keyword esc allows a URL that contains a question mark (?) to be entered using the character's ASCII code. Because 3f is the hexadecimal ASCII code of the question mark (?), the question mark is typed as \x3f. For example, to configure http://www.example.com?page1, the administrator enters http://www.example.com\x3fpage1. To configure http://www.example.com?page1\x3f, which contains both a question mark (?) and the literal sequence \x3f, the administrator escapes \x3f with a backslash (\) and enters http://www.example.com\x3fpage1\\x3f.

Example

# Set the OCSP server's URL address to http://10.1.1.1.

<HUAWEI> system-view
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] ocsp url http://10.1.1.1
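As an added example that is not part of the Huawei documentation, this Python helper applies the \x3f escaping rule described for the esc keyword of both the enrollment-url and ocsp url commands, and decodes the typed form back so the value can be checked before it is configured. The function names are the example's own; the http:// prefix, no-space and 1-to-128-character constraints it checks are the ones stated in the parameter tables, applied here to the typed value.

```python
r"""Encode a URL for the esc keyword of the enrollment-url and ocsp url commands.

Rule from the command reference: a question mark (?) is entered as \x3f, and a
literal \x3f already present in the URL is entered as \\x3f. Function names and
the helper structure are this example's own, not the device's.
"""
from typing import Tuple

ESC_QMARK = r"\x3f"     # typed in place of '?'
ESC_LITERAL = r"\\x3f"  # typed in place of a literal '\x3f'


def encode_esc_url(url: str) -> str:
    r"""Return the form of url to type after the esc keyword.

    The literal '\x3f' is escaped first, so the '\x3f' written for each '?'
    in the second step is not escaped again.
    """
    escaped = url.replace(ESC_QMARK, ESC_LITERAL)
    return escaped.replace("?", ESC_QMARK)


def decode_esc_url(esc_url: str) -> str:
    r"""Recover the URL the device will use from its esc form.

    Scans left to right and tries the longer sequence first, so '\\x3f' is
    read as a literal '\x3f' and not as a stray backslash followed by '?'.
    """
    out = []
    i = 0
    while i < len(esc_url):
        if esc_url.startswith(ESC_LITERAL, i):
            out.append(ESC_QMARK)
            i += len(ESC_LITERAL)
        elif esc_url.startswith(ESC_QMARK, i):
            out.append("?")
            i += len(ESC_QMARK)
        else:
            out.append(esc_url[i])
            i += 1
    return "".join(out)


def url_argument(url: str) -> Tuple[bool, str]:
    """Validate url against the documented value constraints and return
    (needs_esc, value): needs_esc is True when the URL contains '?' and the
    esc keyword must therefore precede the value.

    Constraints from the parameter tables: starts with http://, no spaces,
    1 to 128 characters (applied here to the typed value; an assumption).
    """
    if not url.startswith("http://"):
        raise ValueError("URL must start with http://")
    if " " in url:
        raise ValueError("URL must not contain spaces")
    value = encode_esc_url(url)
    if not 1 <= len(value) <= 128:
        raise ValueError("typed URL value must be 1 to 128 characters")
    if decode_esc_url(value) != url:
        raise ValueError("URL cannot be represented unambiguously in esc form")
    return ("?" in url, value)


if __name__ == "__main__":
    for candidate in ("http://10.1.1.1", "http://abc.com?page1",
                      r"http://www.abc.com?page1\x3f"):
        needs_esc, value = url_argument(candidate)
        prefix = "esc " if needs_esc else ""
        print(f"{candidate!r:40} -> ocsp url {prefix}{value}")
```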

ocsp-url from-ca

Function

The ocsp-url from-ca command configures the PKI entity to obtain the OCSP server's URL from the Authority Info Access (AIA) option in the CA certificate.

The undo ocsp-url from-ca command disables the PKI entity from obtaining the OCSP server's URL from the Authority Info Access (AIA) option in the CA certificate.

By default, a PKI entity does not obtain OCSP server's URL from the CA certificate's AIA option.

NOTE:

Only devices in cloud management mode support this command.

Format

ocsp-url from-ca

undo ocsp-url from-ca

Parameters

None

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

If a certificate to be checked through OCSP contains the AIA option, run this command to configure the PKI entity to obtain the OCSP server's URL from the AIA option. If the certificate does not contain the AIA option, run the ocsp url command to configure the OCSP server's URL.

Example

# Configure the PKI entity to obtain OCSP server's URL from the CA certificate's AIA option.

<HUAWEI> system-view
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] ocsp-url from-ca

organization-unit

Function

The organization-unit command configures the department name for a PKI entity.

The undo organization-unit command restores the default setting.

By default, no department name is configured for a PKI entity.

Format

organization-unit organization-unit-name

undo organization-unit

Parameters

Parameter Description Value
organization-unit-name

Specifies the department name for a PKI entity.

Each department name is a string of 1 to 31 case-sensitive characters. Multiple department names are separated by commas (,), and the total length of all department names is 1 to 191 characters.

The characters can be letters, digits, apostrophes ('), equal signs (=), parentheses (), plus signs (+), commas (,), minus signs (-), periods (.), slashes (/), colons (:), and spaces.

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

The parameters of a PKI entity carry the identity information of the entity, and the CA identifies a certificate applicant by this information. Configure a department name for the PKI entity to make the applicant easier to identify; it becomes the organizational unit (OU) attribute of the entity's subject.

After the department name is configured, the certificate request that the device sends to the CA server carries it. The CA server verifies each certificate request it receives and, for each valid request, issues a certificate whose subject carries the department name of the PKI entity.

Example

# Configure the department names of a PKI entity as Group1 and Sale.

<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] organization-unit Group1,Sale

organization

Function

The organization command configures a PKI entity's organization name.

The undo organization command deletes a PKI entity's organization name.

By default, a PKI entity does not have an organization name.

Format

organization organization-name

undo organization

Parameters

Parameter Description Value
organization-name Specifies the organization name of the PKI entity. It is a string of 1 to 32 case-sensitive characters, including letters, numerals, apostrophes ('), equal signs (=), parentheses (), plus signs (+), commas (,), minus signs (-), periods (.), slashes (/), colons (:), and spaces.

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

The parameters of a PKI entity carry the identity information of the entity, and the CA identifies a certificate applicant by this information. Configure an organization name for the PKI entity to make the applicant easier to identify; it becomes the organization (O) attribute of the entity's subject.

After the organization name is configured, the certificate request that the device sends to the CA server carries it. The CA server verifies each certificate request it receives and, for each valid request, issues a certificate whose subject carries the organization name of the PKI entity.

Example

# Set the organization name of the PKI entity to org1.

<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] organization org1

password (PKI realm view)

Function

The password command sets the challenge password used for certificate application through SCEP, which is also used to revoke a certificate.

The undo password command deletes the challenge password used for certificate application through SCEP.

By default, no challenge password is configured.

Format

password cipher password

undo password

Parameters

Parameter Description Value
cipher password Specifies the challenge password used for certificate application through SCEP. The password is displayed in ciphertext.

The value is a case-sensitive string that cannot contain question marks (?). A plaintext password contains 1 to 64 characters; a ciphertext password contains 48 to 108 characters.

NOTE:

To improve security, the challenge password should contain at least three of the following four character types: lowercase letters, uppercase letters, digits, and special characters, and should be at least six characters long.

Views

PKI realm view

Default Level

3: Management level

Usage Guidelines

When a PKI entity applies for a certificate from a CA through SCEP, the CA verifies the entity's challenge password and accepts the request only if the password is correct. Run this command to set the challenge password that the entity includes in its certificate request. Treat it as a secret shared with the CA: anyone who knows it can submit certificate requests that the CA accepts.

The challenge password is also required to revoke the certificate, which prevents unintended revocation.

Example

# Set the challenge password used to apply for certificate through SCEP.

<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] password cipher 6AE73F21E6D3571D

pki built-in-ca match-rsa-key

Function

The pki built-in-ca match-rsa-key command configures a device to search for the RSA key pair associated with a specific SSL decryption certificate.

Format

pki built-in-ca match-rsa-key certificate-filename file-name

Parameters

Parameter Description Value
file-name Specifies the name of an SSL decryption certificate. It must be the name of an existing SSL decryption certificate.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Run this command to find the RSA key pair associated with an SSL decryption certificate. The system compares the public key in the certificate against all local RSA key pairs and displays the name of the matching key pair.

Prerequisites

An SSL decryption certificate has been generated using the pki generate built-in-ca certificate command or an SSL decryption certificate has been imported.

Example

# Configure a device to search for the RSA key pair that matches certificate file rsakey_builtinca.cer.

<HUAWEI> system-view
[HUAWEI] pki generate built-in-ca certificate rsa-key-pair rsakey entity entity1
 Please enter the file name for built in CA certificate <length 1-64> : rsakey_builtinca.cer
 Info: Generate built in CA certificate successfully.
[HUAWEI] pki built-in-ca match-rsa-key certificate-filename rsakey_builtinca.cer
 Info: The file rsakey_builtinca.cer contains certificates 1.                                     
 Info: Certificate 1 from file rsakey_builtinca.cer matches RSA key rsakey.  

pki create-certificate

Function

The pki create-certificate command creates a self-signed certificate.

Format

pki create-certificate self-signed filename file-name

Parameters

Parameter

Description

Value

self-signed

Creates a self-signed certificate.

-

filename file-name

Specifies the name of a certificate file.

The value is a string of 1 to 64 case-insensitive characters without spaces or question marks.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the device generates a self-signed certificate or a local certificate, the certificate file is saved on the storage device as a PEM file. You can export the certificate for use on other devices, which simplifies certificate issuance.

When you run the pki create-certificate command, the system asks you to enter certificate information, for example, PKI entity parameters, certificate file name, the validity time of certificate and RSA key length.

Precautions

The device does not provide lifecycle management for self-signed certificates: they cannot be updated or revoked on the device. To keep the device and its certificates secure, a CA-issued local certificate is recommended instead.

Example

# Create a self-signed certificate huawei.

<HUAWEI> system-view
[HUAWEI] pki create-certificate self-signed filename huawei

pki delete-certificate

Function

The pki delete-certificate command deletes a certificate from the memory.

Format

pki delete-certificate { ca | local | ocsp } realm realm-name

NOTE:

Only devices in cloud management mode support the ocsp parameter.

Parameters

Parameter Description Value
ca Deletes a CA certificate. -
local Deletes a local certificate. -
ocsp Deletes an Online Certificate Status Protocol (OCSP) server's certificate. -
realm realm-name Specifies the name of the PKI realm to which a certificate belongs. The value must be an existing PKI realm name.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When a certificate expires or you want to apply for a new one, run this command to delete the CA certificate, OCSP server certificate, or local certificate from the memory.

Example

# Delete the local certificate from the memory.

<HUAWEI> system-view
[HUAWEI] pki delete-certificate local realm abc

pki delete-certificate built-in-ca

Function

The pki delete-certificate built-in-ca command deletes an SSL decryption certificate from the memory.

Format

pki delete-certificate built-in-ca filename file-name

Parameters

Parameter Description Value
filename file-name Specifies the name of the SSL decryption certificate file. The SSL decryption certificate file name must already exist in the memory.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When an SSL decryption certificate expires or you want to apply for a new certificate, run the pki delete-certificate built-in-ca command to delete the current SSL decryption certificate from the memory. This command will not delete the certificate files in the device storage.

Prerequisites

The SSL decryption certificate has been imported to the memory using the pki import-certificate built-in-ca command.

Example

# Delete an SSL decryption certificate from the memory.

<HUAWEI> system-view
[HUAWEI] pki import-certificate built-in-ca filename test_builtinca.cer
 Info: Succeeded in importing the built in CA certificate.  
[HUAWEI] pki delete-certificate built-in-ca filename test_builtinca.cer

pki delete-crl

Function

The pki delete-crl command deletes a CRL from the memory.

Format

pki delete-crl realm realm-name

Parameters

Parameter

Description

Value

realm realm-name

Specifies the name of the PKI realm that the CRL belongs to.

The value must be an existing PKI realm name.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When a CRL expires, run this command to delete the CRL from the memory. This command does not delete the CRL files on the storage device.

Prerequisites

A PKI realm has been created using the pki realm (system view) command.

Example

# Delete the CRL of PKI realm abc from the memory.

<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki delete-crl realm abc

pki enroll-certificate

Function

The pki enroll-certificate command configures manual certificate enrollment.

Format

pki enroll-certificate realm realm-name [ pkcs10 [ filename filename ] ] [ password password ]

Parameters

Parameter Description Value
realm realm-name

Specifies the name of a PKI realm.

The PKI realm name must already exist.

pkcs10

Displays the local certificate request in PKCS#10 format.

Use it to request a certificate in offline mode.
-
filename filename

Saves the PKCS#10 certificate request to the specified file instead of displaying it. The file is then delivered to the CA out of band.

The value is a string of 1 to 64 characters.

password password Specifies the challenge password used when requesting a certificate in online mode. If the CA server requires a challenge password to process certificate requests, the password given here must match the one configured on the CA server.

The value is a case-sensitive string without question marks (?) or spaces. It can be a plaintext string of 1 to 64 characters or a ciphertext string of 48 to 108 characters.

NOTE:

To improve certificate security, it is recommended that a password consist of at least two of the following: lowercase letters, uppercase letters, numerals and special characters. In addition, the password must contain at least 6 characters.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Manual certificate application can be performed in online or offline mode.

  • Online mode (in-band mode)

    The entity requests the certificate from the CA using SCEP and stores the obtained certificate in the flash of the device.

  • Offline mode (out-of-band mode)

    The device generates a certificate request file, and the administrator delivers the file to the CA server by other means, such as removable media or email.

Prerequisites

A PKI realm has been created using the pki realm (system view) command.

Precautions

  • If pkcs10 is specified, the entity applies for a certificate in offline mode: it saves the certificate request in a PKCS#10 file that is delivered to the CA out of band.

  • If pkcs10 is not specified, the entity applies for a certificate in online mode.

  • In online mode, the PKI entity first obtains the CA certificate and imports it to the memory, and then obtains the local certificate and imports it to the memory.

  • If the enrollment self-signed command has been configured in the PKI realm, the pki enroll-certificate command cannot be used for manual certificate enrollment.

Example

# Enroll a certificate for the PKI realm abc.

<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki enroll-certificate realm abc

pki entity

Function

The pki entity command creates a PKI entity and displays the PKI entity view, or displays the view of an existing PKI entity.

The undo pki entity command deletes a PKI entity.

By default, no PKI entity is configured.

Format

pki entity entity-name

undo pki entity entity-name

Parameters

Parameter

Description

Value

entity-name

Specifies the name of a PKI entity.

The value is a string of 1 to 64 case-sensitive characters without spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

A PKI entity is the applicant for or holder of a certificate, and is required whenever PKI features are used. After creating a PKI entity, you can configure attributes for it, for example, common name, country code, email address, FQDN, IP address, locality (geographic area), organization, department, and state or province. These attributes form the identity information of the PKI entity and are placed in the subject of the certificate requested for the entity.

NOTE:

A Windows Server 2003 CA has limited processing capacity. When the device enrolls with a Windows Server 2003 CA, do not configure a large number of entities or use an excessively large key pair.

Example

# Configure a PKI entity entity1 and enter the PKI entity view.

<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1]

pki export-certificate

Function

The pki export-certificate command exports a certificate to the device storage.

Format

pki export-certificate { ca | local | ocsp } realm realm-name { pem | pkcs12 }

NOTE:

Only devices in cloud management mode support the ocsp parameter.

Parameters

Parameter

Description

Value

ca

Exports a CA certificate.

-

local

Exports a local certificate.

-

ocsp

Exports the Online Certificate Status Protocol (OCSP) server's certificate.

-

realm realm-name

Specifies the PKI realm name of a certificate.

The PKI realm name must already exist.

pem

Exports a certificate in PEM format.

-

pkcs12

Exports a certificate in PKCS#12 (P12) format.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To copy a certificate to another device, run the pki export-certificate command to export a certificate to the flash of the local device first, and then transfer the certificate to another device using a file transfer protocol.

Before using this command, run the display pki certificate command to view information about certificates on the device.

Prerequisites

A PKI realm has been created using the pki realm (system view) command.

Precautions

When the exported certificate file does not contain a private key, the device does not encrypt this file.

When you export the private key, the system asks you to enter the private key file name. If the private key file name and the certificate file name are the same, the private key and certificate are stored in the same file. If they are different, they are stored in different files.

When you export the private key, the system asks you to enter the private key file format and set the password. The password will be used when you run the pki import-certificate command to import this private key.

Using a simple password may introduce security risks. The password must consist of at least two types of the following: uppercase letters, lowercase letters, numerals, and special characters.

After the enrollment self-signed command is used in the PKI realm, you cannot use the pki export-certificate command to export certificates to files.

Example

# Export the local certificate in the PKI realm abc.

<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki export-certificate local realm abc pem
 Please enter the name of certificate file <length 1-127>: aa  
 If you only export the certificate, do not export the private key.   
 You can directly enter empty of private key file.
 Please enter the name of private key file <length 1-127>:     
 Info: Succeeded in exporting the certificate.

pki export built-in-ca rsa-key-pair

Function

The pki export built-in-ca rsa-key-pair command exports the RSA key pair of an SSL decryption certificate to the flash, optionally together with the certificate.

Format

pki export built-in-ca rsa-key-pair key-name [ and-certificate certname ] { pem file-name [ 3des | aes | des ] | pkcs12 file-name } password password

Parameters

Parameter Description Value
key-name Specifies the RSA key pair name. The value must be an existing RSA key pair name.
and-certificate certname Indicates that the SSL decryption certificate is exported together with the associated RSA key pair. The value must be an existing SSL decryption certificate name.
pem file-name Indicates that the RSA key pair to be exported is in the PEM format and specifies the name of the file to be exported.

The value is a string of 1 to 64 case-insensitive characters without spaces and question marks (?). When the value contains a directory, it is a string of 1 to 127 characters, for example, flash:/8ab3/ab3.pem.

pkcs12 file-name Indicates that the RSA key pair to be exported is in the PKCS12 format and specifies the file name to be exported.

The value is a string of 1 to 64 case-insensitive characters without spaces and question marks (?). When the value contains a directory, it is a string of 1 to 127 characters, for example, flash:/8ab3/ab3.pem.

3des | aes | des Sets the encryption algorithm to AES, DES or 3DES if a file is exported in the PEM format. By default, AES is used.
NOTE:
For security, DES and 3DES algorithms are not recommended.
-
password password Specifies the password that protects the exported RSA key pair file. The same password is required when the file is imported.

The value is a string of 6 to 32 case-sensitive characters without question marks (?).

To enhance security, a password must meet the minimum strength requirements, that is, the password needs to contain at least three types of the following characters: uppercase letters, lowercase letters, numerals, and special characters, such as exclamation points (!), at signs (@), number signs (#), dollar signs ($), and percent (%).

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Run this command to transfer or back up the RSA key pair. It generates a PEM or PKCS12 file in the flash that contains the RSA key pair and, if and-certificate is specified, the SSL decryption certificate.

Prerequisites

The RSA key pair has been created for the SSL decryption certificate using the pki rsa built-in-ca command with the exportable parameter specified, or the RSA key pair of the SSL decryption certificate has been imported to the memory using the pki import built-in-ca rsa-key-pair command with the exportable parameter specified.

Precautions

An RSA key pair is sensitive information. Delete or destroy the exported RSA key pair file from the device and from any storage medium as soon as it is no longer needed.

Example

# Export RSA key pair key2 to file aaa.pem and set the encryption method to AES.

<HUAWEI> system-view
[HUAWEI] pki rsa built-in-ca key2 create exportable
 Info: The name of the new key-pair will be: key2
 The size of the public key ranges from 512 to 4096.
 Input the bits in the modules:2048
 Generating key-pairs...
.......+++ 
.............................+++  
[HUAWEI] pki export built-in-ca rsa-key-pair key2 pem aaa.pem aes password Hello@123
 Warning: Exporting the key pair impose security risks, are you sure you want to
 export it? [y/n]:y                                                             
 Info: Succeeded in exporting the RSA key pair in PEM format. 

pki export rsa-key-pair

Function

The pki export rsa-key-pair command exports the RSA key pair to the flash and allows the export of the associated certificate.

Format

pki export rsa-key-pair key-name [ and-certificate certificate-name ] { pem file-name [ 3des | aes | des ] | pkcs12 file-name } password password

Parameters

Parameter Description Value
key-name Specifies the name of the RSA key pair on the device. The value must be an existing RSA key pair name.
and-certificate certificate-name Exports the certificate associated with the RSA key pair together with the key pair. The value must be an existing certificate file name.
pem file-name Indicates that the RSA key pair to be exported is in the PEM format and specifies the name of the file to be exported.

The value is a string of 1 to 64 case-insensitive characters without spaces and question marks (?). When the value contains a directory, it is a string of 1 to 127 characters, for example, flash:/8ab3/ab3.pem.

pkcs12 file-name Indicates that the RSA key pair to be exported is in the PKCS12 format and specifies the file name to be exported.

The value is a string of 1 to 64 case-insensitive characters without spaces and question marks (?). When the value contains a directory, it is a string of 1 to 127 characters, for example, flash:/8ab3/ab3.pem.

3des | aes | des Sets the encryption algorithm to DES, 3DES or AES if a file is exported in the PEM format. The default value is AES.
NOTE:
DES and 3DES are less secure than AES and are not recommended.
-
password password Specifies the encryption password for the RSA key pair file. This password is used when you import an RSA key pair file.

The value is a string of 6 to 32 case-sensitive characters without question marks (?).

To enhance security, a password must contain at least two types of the following characters: uppercase letters, lowercase letters, numerals, and special characters, such as exclamation points (!), at signs (@), number signs (#), dollar signs ($), and percent (%).
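The following Python check is an added example and not part of this command reference or of the device software. It applies the password rules given for the password parameter of pki export built-in-ca rsa-key-pair (at least three character types) and pki export rsa-key-pair (at least two), together with the shared length and question-mark restrictions, so that a key-file password can be validated in an automation script before the export is attempted. The set of special characters is taken as ASCII punctuation other than ?; the document lists only a few examples, so that set is an assumption.

```python
"""Pre-flight check for the password rules of the pki export ... password parameter.

Added example, not device code. It encodes the rules stated in the command
reference: 6 to 32 characters, no question mark, and a minimum number of
character classes (three for pki export built-in-ca rsa-key-pair, two for
pki export rsa-key-pair). Checking locally avoids a failed export and, more
importantly, a weak key-file password that would still be accepted.
"""
import string

# Assumption: "special characters" means ASCII punctuation. '?' is excluded
# because the CLI rejects it in this parameter.
SPECIAL_CHARACTERS = frozenset(string.punctuation) - {"?"}


def character_classes(password: str) -> int:
    """Count the character classes present: uppercase, lowercase, digits, specials."""
    present = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIAL_CHARACTERS for c in password),
    )
    return sum(present)


def check_key_file_password(password: str, min_classes: int = 3,
                            min_len: int = 6, max_len: int = 32) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable.

    min_classes=3 matches pki export built-in-ca rsa-key-pair,
    min_classes=2 matches pki export rsa-key-pair.
    """
    problems = []
    if not password.isascii():
        problems.append("contains non-ASCII characters")
    if not min_len <= len(password) <= max_len:
        problems.append(f"length {len(password)} is outside {min_len}..{max_len}")
    if "?" in password:
        problems.append("contains a question mark (?), which the CLI rejects")
    classes = character_classes(password)
    if classes < min_classes:
        problems.append(f"only {classes} character class(es) present, {min_classes} required")
    return problems


if __name__ == "__main__":
    # Hello@123 and Admin@1234 are the passwords used in the examples on this page.
    for candidate, required in (("Hello@123", 3), ("Admin@1234", 2), ("hello123", 3)):
        result = check_key_file_password(candidate, min_classes=required)
        print(f"{candidate!r}: {'ok' if not result else '; '.join(result)}")
```

Run the function with min_classes set to the rule of the command you are about to use; an empty list means the export will not be rejected for password reasons.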

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To transfer or back up an RSA key pair, run this command to generate the PEM or PKCS12 file carrying this RSA key pair (which may include the certificate) in the flash.

Before using this command, run the display pki rsa local-key-pair command to view information about the RSA key pairs on the device.

Prerequisites

The RSA key pair has been created and configured to be exportable using the pki rsa local-key-pair create command or the RSA key pair has been imported to the memory using the pki import rsa-key-pair command.

Precautions

An RSA key pair is sensitive information. Delete or destroy the exported RSA key pair file from the device and from any storage medium as soon as it is no longer needed.

Example

# Export the RSA key pair key1 to the file aaa.pem and set the encryption method to AES.

<HUAWEI> system-view
[HUAWEI] pki rsa local-key-pair create key1 exportable
 Info: The name of the new key-pair will be: key1
 The size of the public key ranges from 512 to 4096.
 Input the bits in the modules:2048
 Generating key-pairs...
......+++               
....................+++ 
[HUAWEI] pki export rsa-key-pair key1 pem aaa.pem aes password Admin@1234
 Warning: Exporting the key pair impose security risks, are you sure you want to
 export it? [y/n]:y                                                             
 Info: Succeeded in exporting the RSA key pair in PEM format.

pki file-format

Function

The pki file-format command sets the format for the saved certificate request, certificate, and CRL.

By default, the device stores certificate request, certificate, and CRL in PEM format.

Format

pki file-format { der | pem }

Parameters

Parameter Description Value
der Saves certificate requests, certificates, and CRLs in DER format. -
pem Saves certificate requests, certificates, and CRLs in PEM format. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Run the pki file-format command to change the format in which the device saves certificate requests and the certificates and CRLs it obtains through SCEP.

Certificates and CRLs downloaded through HTTP are saved as received and are not converted to the configured format. Self-signed certificates and local certificates created on the device are always saved in PEM format.
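The following Python helpers are an added example and not part of this command reference or of the device software. They show what the two formats selected by pki file-format look like on disk and how to convert a file obtained in one format to the other, for instance when a CRL downloaded through HTTP arrives in DER while the rest of the realm uses PEM. The sample DER bytes are a constructed minimal ASN.1 structure, not a real certificate; the parser handles a single unencrypted PEM block, so encrypted key files with header lines are out of scope.

```python
"""PEM and DER handling for the formats selected with pki file-format.

Added example, not device code. DER is the raw binary ASN.1 encoding; PEM is
the same bytes base64-encoded in 64-column lines between BEGIN/END armour
lines. The functions convert between the two and identify which one a file
is in. SAMPLE_DER is a constructed minimal ASN.1 structure
(SEQUENCE { INTEGER 5, NULL }), not a real certificate.
"""
import base64
import binascii

# Constructed sample: SEQUENCE (tag 0x30, length 5) containing INTEGER 5 and NULL.
SAMPLE_DER = bytes.fromhex("3005020105" "0500")


def der_to_pem(der: bytes, label: str) -> str:
    """Wrap DER bytes in PEM armour with the given label, e.g. CERTIFICATE or X509 CRL."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]   # PEM wraps at 64 columns
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def pem_to_der(pem: str, expected_label: str = None) -> tuple:
    """Parse a single unencrypted PEM block; return (label, der). Raise ValueError if malformed."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and lines[0].endswith("-----")):
        raise ValueError("missing PEM BEGIN line")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if expected_label is not None and label != expected_label:
        raise ValueError(f"expected {expected_label} but found {label}")
    if lines[-1] != f"-----END {label}-----":
        raise ValueError("END line missing or its label does not match the BEGIN line")
    try:
        # validate=True rejects characters outside the base64 alphabet instead of skipping them.
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    if not der:
        raise ValueError("PEM body is empty")
    return label, der


def is_valid_pem(pem: str, expected_label: str = None) -> bool:
    """Convenience wrapper around pem_to_der that returns False instead of raising."""
    try:
        pem_to_der(pem, expected_label)
    except ValueError:
        return False
    return True


def detect_format(data: bytes) -> str:
    """Classify file content as 'pem', 'der', or 'unknown'.

    DER-encoded X.509 objects (certificates, CRLs, PKCS#10 requests) are ASN.1
    SEQUENCEs and therefore start with tag byte 0x30; PEM starts with the armour text.
    """
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


if __name__ == "__main__":
    pem_text = der_to_pem(SAMPLE_DER, "CERTIFICATE")
    print(pem_text, end="")
    print(detect_format(SAMPLE_DER), detect_format(pem_text.encode()))
    print(pem_to_der(pem_text)[1] == SAMPLE_DER)
```

detect_format is the check to run on a file fetched with pki http before importing it: a body that starts with neither the armour text nor 0x30 is usually an HTTP error page saved under the certificate's name, not a certificate.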

Example

# Set the format of saved certificate request, certificate, and CRL to DER.

<HUAWEI> system-view
[HUAWEI] pki file-format der

pki generate built-in-ca certificate

Function

The pki generate built-in-ca certificate command generates an SSL decryption certificate.

Format

pki generate built-in-ca certificate rsa-key-pair rsa-key-pair-name entity entity-name

Parameters

Parameter Description Value
rsa-key-pair rsa-key-pair-name Specifies the name of the RSA key pair used for the SSL decryption certificate. The RSA key pair must exist in the memory.
entity entity-name Specifies the PKI entity name. The PKI entity must have been configured and have a common name. If the PKI entity does not have a common name, an SSL decryption certificate cannot be generated.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When the device acts as a proxy for SSL connections, it copies the certificate information of the real server and uses the SSL decryption certificate to issue a new certificate to the client. Clients must therefore trust the SSL decryption certificate as a CA, and its private key must be protected as strictly as any CA key.

The generated SSL decryption certificate file is saved to the flash:/ directory.

Prerequisites

  1. An RSA key pair of the SSL decryption certificate has been created using the pki rsa built-in-ca command or the RSA key pair has been imported to the memory of the device using the pki import built-in-ca rsa-key-pair command.
  2. A PKI entity has been created using the pki entity command.
  3. The common name of the PKI entity has been configured using the common-name command.

Example

# Generate an SSL decryption certificate.

<HUAWEI> system-view
[HUAWEI] pki rsa built-in-ca rsakey create
 Info: The name of the new key-pair will be: rsakey
 The size of the public key ranges from 512 to 4096.
 Input the bits in the modules:2048
 Generating key-pairs...
........++++++
........++++++
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] common-name huawei
[HUAWEI-pki-entity-entity1] quit
[HUAWEI] pki generate built-in-ca certificate rsa-key-pair rsakey entity entity1
 Please enter the file name for built in CA certificate <length 1-64> : key1
Info: Generate built in CA certificate successfully.

pki get-certificate

Function

The pki get-certificate command downloads a certificate to the device storage.

Format

pki get-certificate ca realm realm-name

Parameters

Parameter Description Value
ca Specifies a CA or RA certificate to be obtained. -
realm realm-name Specifies the PKI realm name of a certificate to be obtained. The value must be an existing PKI realm name.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When you request a local certificate for a PKI entity through SCEP, run this command first to download the CA certificate to the device storage. The public key in the CA certificate is then used to protect the subsequent local certificate request.

Prerequisites

A PKI realm has been created using the pki realm (system view) command.

Precautions

After obtaining a CA certificate, the device automatically imports the certificate to the device memory.

If the same CA certificate already exists on the device, delete it first; otherwise, the certificate cannot be obtained. The download itself does not prove the CA certificate's authenticity, so verify its fingerprint against a value obtained from the CA out of band before relying on it.

Example

# Obtain the CA certificate in the PKI realm abc.

<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki get-certificate ca realm abc

pki get-crl

Function

The pki get-crl command updates CRL immediately.

Format

pki get-crl realm realm-name

Parameters

Parameter

Description

Value

realm realm-name

Specifies the PKI realm name of the CRL.

The value must be an existing PKI realm name.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When automatic CRL update is enabled, the device checks the CRL status periodically. If the CRL on the device is about to expire, run this command to update it immediately.

After this command is executed, the new CRL replaces the old CRL in the storage, and is automatically imported to the memory to replace the old one.

Prerequisites

A PKI realm has been created using the pki realm (system view) command.

Example

# Update the CRL of PKI realm test immediately.

<HUAWEI> system-view
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] quit
[HUAWEI] pki get-crl realm test

pki http

Function

The pki http command configures a device to use HTTP to download a CA certificate, local certificate, or CRL.

Format

pki http [ esc ] url-address save-name

Parameters

Parameter Description Value
esc Indicates that question marks (?) in the URL are entered as the escape sequence \x3f. -
url-address Specifies the URL of a CA certificate, local certificate, or CRL. The value is a string of 1 to 128 case-sensitive characters.
save-name Specifies the name of a CA certificate, local certificate, or CRL saved on the flash of the device. The value is a string of 1 to 64 case-insensitive characters.

Views

System view

Default Level

3: Management level

Usage Guidelines

Before you configure a device to use HTTP to download a CA certificate, local certificate, or CRL, ensure that the flash of the device has enough space for the file. Plain HTTP does not authenticate the server or protect the file in transit, so verify a downloaded CA certificate against a fingerprint obtained out of band before importing it.

The esc keyword allows a URL that contains a question mark (?) to be entered using the hexadecimal ASCII code of the character: 3f is the code for ?, so each ? in the URL is entered as \x3f. For example, to configure http://www.example.com?page1, enter http://www.example.com\x3fpage1. If the URL itself contains the literal string \x3f, for example http://www.example.com?page1\x3f, prefix that backslash with an escape character (\) so that it is not decoded, and enter http://www.example.com\x3fpage1\\x3f.
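The following Python codec is an added example and not part of this command reference or of the device software. It implements the escaping rule described above for ocsp url esc and pki http esc, so that a URL can be prepared before it is typed and a configured value can be decoded back for checking. On this CLI a question mark typed at the prompt invokes online help, which is why ? must be entered as its hexadecimal ASCII code. The document specifies only \x3f and the doubled backslash before a literal \x3f; the example's handling of other \xHH codes and of doubled backslashes in general is an assumption, not documented device behaviour.

```python
"""Encoder/decoder for the URL escape syntax used with the esc keyword.

Added example, not device code. Documented rule: '?' is entered as \\x3f
(its hexadecimal ASCII code) and a literal '\\x3f' in the URL is protected by
doubling its backslash. Assumption (not in the document): any \\xHH ASCII
escape and any doubled backslash are decoded the same way.
"""
import string


def _hex_pair_at(text: str, i: int) -> bool:
    """True if text[i:i+2] is exactly two hexadecimal digits."""
    pair = text[i:i + 2]
    return len(pair) == 2 and all(c in string.hexdigits for c in pair)


def encode_esc_url(url: str) -> str:
    """Return the form of url to type after the esc keyword."""
    if not url.isascii():
        raise ValueError("esc escapes ASCII codes only; URL contains non-ASCII characters")
    out = []
    i = 0
    while i < len(url):
        ch = url[i]
        if ch == "?":
            out.append("\\x3f")                        # 3f = ASCII code of '?'
        elif ch == "\\" and ((url.startswith("\\x", i) and _hex_pair_at(url, i + 2))
                             or url.startswith("\\\\", i)):
            # A literal backslash that would be read as the start of an escape
            # sequence is doubled so the device keeps it as a plain character.
            out.append("\\\\")
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def decode_esc_url(text: str) -> str:
    """Reverse encode_esc_url: the URL the device stores for the typed text."""
    out = []
    i = 0
    while i < len(text):
        if text[i] == "\\":
            if text.startswith("\\\\", i):             # doubled backslash -> one backslash
                out.append("\\")
                i += 2
                continue
            if text.startswith("\\x", i) and _hex_pair_at(text, i + 2):
                out.append(chr(int(text[i + 2:i + 4], 16)))   # \xHH -> ASCII character
                i += 4
                continue
        out.append(text[i])                            # anything else is literal
        i += 1
    return "".join(out)


def needs_esc(url: str) -> bool:
    """True if the URL cannot be typed verbatim (it contains '?' or a backslash)."""
    return "?" in url or "\\" in url


if __name__ == "__main__":
    for url in ("http://www.example.com?page1", "http://www.example.com?page1\\x3f"):
        typed = encode_esc_url(url)
        print(f"{url!r:42} -> type: {typed}")
        assert decode_esc_url(typed) == url
```

Use needs_esc to decide whether the esc keyword is required at all; URLs without ? or backslashes, such as http://10.1.1.1/test.cer, are typed as they are.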

Example

# Configure a device to use HTTP to download a local certificate.

<HUAWEI> system-view
[HUAWEI] pki http http://10.1.1.1/test.cer local.cer

# Configure a device to use HTTP to download a local certificate from a URL that contains a question mark (?) and the literal string \x3f, using the esc keyword.

<HUAWEI> system-view
[HUAWEI] pki http esc http://www.abc.com\x3fpage1\\x3f local.cer

pki import-certificate

Function

The pki import-certificate command imports a certificate to the device memory.

Format

pki import-certificate { ca | local } realm realm-name { der | pkcs12 | pem } [ filename filename ] [ replace ] [ no-check-validate ] [ no-check-hash-alg ]

pki import-certificate { ca | local } realm realm-name pkcs12 filename filename [ no-check-validate ] [ no-check-hash-alg ] password password

pki import-certificate ocsp realm realm-name { der | pkcs12 | pem } [ filename filename ]

pki import-certificate ocsp realm realm-name pkcs12 filename filename password password

NOTE:

Only devices in cloud management mode support the ocsp parameter.

Parameters

Parameter

Description

Value

ca

Imports a CA certificate.

For example, when the device works as an SSL proxy, import the SSL proxy CA certificate; the private key associated with that CA certificate is then used to re-sign the certificate presented to the SSL client.

-

local

Imports a local certificate.

-

realm realm-name

Specifies the PKI realm name of the imported certificate.

The PKI realm name must already exist.

NOTE:

The realm name cannot contain spaces. Otherwise, the certificate cannot be imported.

der

Imports a certificate in DER format.

-

pkcs12

Imports a certificate in PKCS12 format.

-

pem

Imports a certificate in PEM format.

-

filename filename Specifies the name of the certificate file to import. If filename is omitted, the certificate content is pasted at the terminal (see Usage Guidelines). The value must be the name of an existing file.
replace

Deletes the original certificate and RSA key pair and imports the new certificate when there are repeated certificates in the domain.

NOTE:

If the RSA key pair of the original certificate is not referenced by other domains, the certificate and key pair are deleted. If the RSA key pair of the original certificate is referenced by other domains, only the original certificate is deleted but the key pair is not deleted.

-

no-check-validate

Skips the validity check on the imported certificate; by default the check is performed. Use this keyword only when the certificate has been verified by other means, because it allows an expired or revoked certificate to be imported.

-

no-check-hash-alg

Skips the check on the hash algorithm used for the signature of the imported certificate; by default the check is performed. With this keyword a certificate signed with a weak hash algorithm is accepted.

-

ocsp

Imports the Online Certificate Status Protocol (OCSP) server's certificate.

-

password password Specifies the password used to decrypt the PKCS12 file. It is the password that was set when the certificate was exported using the pki export-certificate command. The value must match the password set at export.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a certificate is saved to the storage, run this command to import the certificate to the memory for it to take effect.

The device supports the following certificate import modes:
  • terminal: filename is omitted and the certificate content is pasted at the terminal. Open the PEM certificate file of the peer with a text editor and copy its content to the local device.
  • file: filename is specified and the certificate file of the peer is read from the storage device.

Multiple certificates can be imported on the device, including the CA certificate, local certificate, and private key.

NOTE:

If you do not know the format of the certificate you want to import, configure each format in turn and check whether the certificate is successfully imported.

Prerequisites

The PKI realm has been created using the pki realm (system view) command, and the certificate file already exists on the storage device.

Precautions

If a certificate file contains a key pair file, the pki import-certificate command imports only the certificate file, but not the key pair file. To import the key pair file, run the pki import rsa-key-pair command after the pki import-certificate command, or run the pki import rsa-key-pair command to import the certificate and key pair files simultaneously.

When a certificate in pkcs12 format is imported, the PKI system removes the file name extension of the original certificate file, appends _localx.cer to generate a new file name, and saves the file to the storage component. Therefore, the name of the certificate file to be imported cannot exceed 50 characters. Otherwise, the generated file name exceeds 64 characters and the certificate file cannot be saved to the storage component.

The device supports importing digital certificates generated through RSA encryption algorithms.

Example

# Import a local certificate to PKI realm abc in file transfer mode.
<HUAWEI> system-view
[HUAWEI] pki realm abc 
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki import-certificate local realm abc pem filename local.cer
 Info: Succeeded in importing the certificate.

pki import-certificate built-in-ca

Function

The pki import-certificate built-in-ca command imports the SSL decryption certificate to the memory.

Format

pki import-certificate built-in-ca filename file-name

Parameters

Parameter Description Value
filename file-name Specifies the file name of the SSL decryption certificate. The value must be the name of an existing SSL decryption certificate.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Import the SSL decryption certificate to the memory to use it; otherwise, the certificate will not take effect.

When importing the SSL decryption certificate, make sure that the RSA key pair matching the SSL decryption certificate exists on the device. The mapping between the certificate and the key pair is created when the SSL decryption certificate is generated. To find the RSA key pair that corresponds to an SSL decryption certificate, run the pki built-in-ca match-rsa-key command.

Prerequisites

The SSL decryption certificate file already exists on the storage device, and is generated using the pki generate built-in-ca certificate command.

Example

Import the SSL decryption certificate key1_builtinca.cer to the memory.

<HUAWEI> system-view
[HUAWEI] pki generate built-in-ca certificate rsa-key-pair key1 entity entity1
 Please enter the file name for built in CA certificate <length 1-64> : key1_builtinca.cer
 Info: Generate built in CA certificate successfully.
[HUAWEI] pki import-certificate built-in-ca filename key1_builtinca.cer

pki import-certificate peer

Function

The pki import-certificate peer command imports a certificate of the remote device to the device memory.

Format

pki import-certificate peer peer-name { der | pem | pkcs12 } filename filename

pki import-certificate peer peer-name pkcs12 filename filename password password

Parameters

Parameter

Description

Value

peer-name

Specifies the name of peer certificate.

A certificate cannot be imported to multiple peers.

The value is a string of 1 to 32 case-insensitive characters without spaces. If the character string is quoted by double quotation marks, it can contain spaces.

der

Imports a certificate of the remote device in DER format.

-

pem

Imports a certificate of the remote device in PEM format.

-

pkcs12

Imports a certificate of the remote device in PKCS12 format.

-

filename filename

Imports a certificate of the remote device in file mode.

The value must be the name of an existing certificate file of the remote device.

password password Specifies the password used to decrypt the PKCS12 file. It is the password that was set when the certificate was exported using the pki export-certificate command. The value must match the password set at export.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Where digital envelope authentication is used, the public key of the remote device must be configured on the local device. The public key can be obtained from the public and private key management module or from the certificate of the remote device; this command imports that certificate.

Prerequisites

The certificate file of the remote device must already exist on the storage device.

Precautions

When a certificate in pkcs12 format is imported, the PKI system deletes the file name extension of the original certificate file, adds _localx.cer to generate a new file name, and saves it to the storage component. Therefore, the name of the certificate file to be imported cannot exceed 50 characters. Otherwise, the total certificate file name will exceed 64 characters, and the certificate file cannot be imported to the storage component.

You can import a peer certificate generated using the RSA encryption algorithm to the device.

Example

# Import the certificate aa.pem of the remote device in the file mode.

<HUAWEI> system-view
[HUAWEI] pki import-certificate peer abcd pem filename aa.pem
 Info: Succeeded in importing the peer certificate.

pki import-crl

Function

The pki import-crl command imports the CRL to the memory.

Format

pki import-crl realm realm-name filename file-name

Parameters

Parameter Description Value
realm realm-name Specifies the PKI realm into which the CRL is imported. The value must be an existing PKI realm name.
filename file-name Specifies the name of the CRL file to import. Only the PEM and DER formats are supported. The value must be the name of an existing CRL file.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To enable the CRL that is obtained in out-of-band mode or is updated manually, run this command to import the CRL to the memory.

Prerequisites

A PKI realm has been created using the pki realm (system view) command, and the CRL file exists on the storage device, for example after being downloaded using the pki http command or obtained out of band.

Example

Import the CRL in the PKI realm to the memory.

<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki http esc http://www.abc.com\x3fpage1\\x3f abc.crl
[HUAWEI] pki import-crl realm abc filename abc.crl

pki import built-in-ca rsa-key-pair

Function

The pki import built-in-ca rsa-key-pair command imports an RSA key pair in the SSL decryption certificate to the device memory.

Format

pki import built-in-ca rsa-key-pair key-name { pem | pkcs12 } file-name [ exportable ] password password

Parameters

Parameter Description Value
key-name Specifies the name of the RSA key pair on the device.

The value is a string of 1 to 64 characters and case-sensitive without spaces or question marks (?). If the character string is quoted by double quotation marks (" "), the character string can contain spaces.

pem file-name Specifies the format of the imported RSA key pair as PEM, and specifies the name of the RSA key pair file. The value must be the name of an existing RSA key pair file.
pkcs12 file-name Specifies the format of the imported RSA key pair as PKCS12, and specifies the name of the RSA key pair file. The value must be the name of an existing RSA key pair file.
exportable Specifies the imported RSA key pair as exportable. -
password password Specifies the decryption password of the RSA key pair, and the password is the same as the password set by the pki export built-in-ca rsa-key-pair command. The value must be the name of an existing decryption password of the RSA key pair.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When using an RSA key pair generated by another entity, first store the RSA key pair file on the flash of the local device. To make the RSA key pair take effect, run this command to import it to the memory.

Prerequisites

The RSA key pair must already exist on the storage device.

Example

# Import RSA key pair aaa.pem. In the system, the RSA key pair name is key-1 and password Test!123, and can be marked exportable.

<HUAWEI> system-view
[HUAWEI] pki import built-in-ca rsa-key-pair key-1 pem aaa.pem exportable password Test!123
 Info: Succeeded in importing the RSA key pair in PEM format.

pki import rsa-key-pair

Function

The pki import rsa-key-pair command imports the RSA key pair to the device memory.

Format

pki import rsa-key-pair key-name { pem | pkcs12 } file-name [ exportable ] [ password password ]

pki import rsa-key-pair key-name der file-name [ exportable ]

Parameters

Parameter Description Value
key-name Specifies the name of the RSA key pair on the device.

The value is a string of 1 to 64 characters and case-sensitive without spaces or question marks (?). If the character string is quoted by double quotation marks (" "), the character string can contain spaces.

pem file-name Indicates that the RSA key pair to be imported is in the PEM format and specifies the file name to store the RSA key pair. The value must be an existing certificate file name that stores the RSA key pair and the certificate.
pkcs12 file-name Indicates that the RSA key pair to be imported is in the PKCS12 format and specifies the file name to store the RSA key pair. The value must be an existing certificate file name that stores the RSA key pair and the certificate.
der file-name Indicates that the RSA key pair to be imported is in the DER format and specifies the file name to store the RSA key pair. The value must be an existing certificate file name that stores the RSA key pair and the certificate.
exportable Indicates that the imported RSA key pair can be exported. -
password password Specifies the password used to decrypt the RSA key pair file. It is the password that was set when the key pair was exported using the pki export rsa-key-pair command. The value must match the password set at export.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Run this command to use the RSA key pair generated by other entities. After the configuration, the imported RSA key pair can be referenced by the PKI module for operations such as signing.

NOTE:

Windows Server 2003 has a low processing performance. For the device to connect to a Windows Server 2003, the device cannot have too many entities configured or use a large-sized key pair.

If you do not know the format of the key pair you want to import, configure each format in turn and check whether the key pair is successfully imported.

Prerequisites

The RSA key pair must already exist on the storage device.

Example

# Import RSA key pair aaa.pem. In the system, the RSA key pair name is key-1, and the password is Test!123456. The RSA key pair name can be marked exportable.

<HUAWEI> system-view
[HUAWEI] pki import rsa-key-pair key-1 pem aaa.pem exportable password Test!123456
 Info: Succeeded in importing the RSA key pair in PEM format.

pki match-rsa-key

Function

The pki match-rsa-key command configures a device to search for the RSA key pair associated with a specific certificate.

Format

pki match-rsa-key certificate-filename file-name

Parameters

Parameter Description Value
certificate-filename file-name Specifies the name of a certificate file. The value must be an existing certificate file name.

Views

System view

Default Level

3: Management level

Usage Guidelines

Run this command to find the RSA key pair that corresponds to a certificate. The system compares the public key in the specified certificate with every local RSA key pair and outputs the name of the key pair whose public key matches.

Example

# Configure a device to search for the RSA key pair that matches certificate file local.cer.

<HUAWEI> system-view
[HUAWEI] pki match-rsa-key certificate-filename local.cer
 Info: The file local.cer contains certificates 1. 
 Info: Certificate 1 from file local.cer matches RSA key rsa2.key. 

pki ocsp response cache enable

Function

The pki ocsp response cache enable command enables a device to cache OCSP responses.

The undo pki ocsp response cache enable command disables a device from caching OCSP responses.

By default, the PKI OCSP response cache function is disabled.

NOTE:

Only devices in cloud management mode support this command.

Format

pki ocsp response cache enable

undo pki ocsp response cache enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

After you enable a PKI entity to cache OCSP responses, the PKI entity first searches its cache for the revocation status of a certificate. If the search fails, the PKI entity sends a request to the OCSP server and caches the valid response for subsequent queries. OCSP responses have a validity period. With OCSP response cache enabled, the PKI entity refreshes the cache periodically, at the interval set by the pki ocsp response cache refresh interval command (5 minutes by default), to clear expired OCSP responses.

Example

# Enable the PKI OCSP response cache function.

<HUAWEI> system-view
[HUAWEI] pki ocsp response cache enable

pki ocsp response cache number

Function

The pki ocsp response cache number command sets the maximum number of OCSP responses that can be cached on a PKI entity.

The undo pki ocsp response cache number command restores the maximum number of OCSP responses that can be cached on a PKI entity to the default value.

By default, the maximum number of OCSP responses that can be cached on a PKI entity is 2.

NOTE:

Only devices in cloud management mode support this command.

Format

pki ocsp response cache number number

undo pki ocsp response cache number

Parameters

Parameter Description Value
number Specifies the maximum number of OCSP responses that can be cached on a PKI entity.

The value is an integer that ranges from 1 to 1000.

Views

System view

Default Level

3: Management level

Usage Guidelines

A PKI entity caches valid OCSP responses for subsequent query. If the number of cached OCSP responses reaches the value specified by number, the PKI entity stops caching OCSP responses.

Example

# Set the maximum number of OCSP responses that can be cached on a PKI entity to 3.
<HUAWEI> system-view
[HUAWEI] pki ocsp response cache number 3

pki ocsp response cache refresh interval

Function

The pki ocsp response cache refresh interval command sets the interval at which the OCSP response cache is refreshed.

The undo pki ocsp response cache refresh interval command restores the interval at which a PKI entity refreshes the OCSP response cache to the default value.

By default, the interval at which a PKI entity refreshes the OCSP response cache is 5 minutes.

NOTE:

Only devices in cloud management mode support this command.

Format

pki ocsp response cache refresh interval interval

undo pki ocsp response cache refresh interval

Parameters

Parameter Description Value
interval Specifies the interval at which the OCSP response cache is refreshed. The value is an integer that ranges from 1 to 1440, in minutes. The default value is 5.

Views

System view

Default Level

3: Management level

Usage Guidelines

A PKI entity refreshes the OCSP response cache periodically and deletes the OCSP responses that have expired based on the interval value.

Example

# Set the interval at which the OCSP response cache is refreshed to 30 minutes.

<HUAWEI> system-view
[HUAWEI] pki ocsp response cache refresh interval 30

pki realm (system view)

Function

The pki realm command creates a PKI realm and displays the PKI realm view, or displays the view of an existing PKI realm.

The undo pki realm command deletes a PKI realm.

By default, the device has a PKI realm named default. This realm can only be modified but cannot be deleted.

Format

pki realm realm-name

undo pki realm realm-name

Parameters

Parameter

Description

Value

realm-name

Specifies the name of a PKI realm.

The value is a string of 1 to 64 case-insensitive characters without spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A PKI realm is a set of identity information required when a PKI entity enrolls a certificate.

Precautions

A PKI realm configured on a device is local to that device; it is not visible to certificate authorities (CAs) or to other devices.

When a certificate is requested using a PKI realm, the system names the certificate file PKI realm name_local.cer. Therefore, if you will use a created PKI realm to request certificates, ensure that the PKI realm name length is shorter than 50 characters, because a certificate file with a name longer than 64 characters cannot be saved on a storage device.

Example

# Create a PKI realm abc.

<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] 

pki release-certificate peer

Function

The pki release-certificate peer command releases a certificate of the remote device.

Format

pki release-certificate peer { name peer-name | all }

Parameters

Parameter

Description

Value

name peer-name

Specifies the name of peer certificate to be released.

The value must be an existing peer certificate file name.

all

Releases all certificates of the remote device.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the specified certificate of the remote device is not required, run the pki release-certificate peer command to release the certificate of the remote device.

Before using this command, run the display pki peer-certificate command to view the certificate information of the remote device.

Prerequisites

The pki import-certificate peer command has been used to import the certificate of the remote device.

Example

# Release the certificate huawei of the remote device.

<HUAWEI> system-view
[HUAWEI] pki release-certificate peer name huawei
 Info: Succeeded in releasing the peer certificate. 

pki rsa built-in-ca

Function

The pki rsa built-in-ca command creates, overwrites, or destroys the RSA key pair in an SSL decryption certificate.

Format

pki rsa built-in-ca key-name { create [ exportable ] | destroy }

Parameters

Parameter Description Value
key-name Specifies the name of the RSA key pair in an SSL decryption certificate. The value is a string of 1 to 64 case-sensitive characters without question marks and spaces. If the character string is quoted by double quotation marks, it can contain spaces and question marks.
create Creates the RSA key pair of the SSL decryption certificate. -
exportable Specifies the created RSA key pair as exportable. -
destroy Destroys the RSA key pair of the SSL decryption certificate. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When the device uses the SSL decryption certificate to perform the proxy function for the SSL connection, the certificate must contain a public key. Run this command to create the RSA key pair of the SSL decryption certificate.

If the RSA key pair is referenced by the certificate and has been imported to the memory, you cannot overwrite or destroy the pair directly. To overwrite or destroy the RSA key pair, you can run the pki delete-certificate built-in-ca command to delete the SSL decryption certificate from the memory first.

When creating or overwriting the RSA key pair, you must enter the number of bits of the RSA key pair. The default value is 2048.

Precautions

The name of an RSA key pair cannot exceed 50 characters, because when the key pair and its certificate are imported together, the PKI system appends _builtinca.cer to the key pair name to generate the certificate file name and saves the file to the storage component. If the name exceeds 50 characters, the file name exceeds 64 characters and the certificate file cannot be saved to the storage component.

When creating the key pair, the system prompts the user to enter the number of bits of the RSA key pair. The longer the key pair, the harder it is to break, and the more secure but slower the algorithm. It is recommended that the RSA key pair be at least 2048 bits; shorter keys carry security risks.

Example

# Create an RSA key pair rsakey.

<HUAWEI> system-view
[HUAWEI] pki rsa built-in-ca rsakey create
 Info: The name of the new key-pair will be: rsakey
 The size of the public key ranges from  to 4096.
 Input the bits in the modules:2048
 Generating key-pairs...
........++++++
........++++++

pki rsa local-key-pair create

Function

The pki rsa local-key-pair create command creates the specified RSA key pair.

Format

pki rsa local-key-pair create key-name [ modulus modulus-size ] [ exportable ]

Parameters

Parameter Description Value
key-name Specifies the name of the RSA key pair to be created.

The value is a string of 1 to 64 case-sensitive characters without question marks (?) and spaces. If the string is enclosed in double quotation marks (" "), the string can contain spaces.

modulus modulus-size Specifies the size of the RSA key pair.

The value is an integer that ranges from 2048 to 4096. The default value is 2048.

exportable Indicates that the new RSA key pair can be exported from the device. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When a PKI entity requests a certificate from the CA, the certificate enrollment request that it sends contains information such as the public key. Run this command to create the RSA key pair for the certificate request.

NOTE:

Windows Server 2003 has a low processing performance. For the device to connect to a Windows Server 2003, the device cannot have too many entities configured or use a large-sized key pair.

Precautions

When creating the key pair, the system prompts the user to enter the number of bits of the RSA key pair. The longer the key pair, the harder it is to break, and the more secure but slower the algorithm. It is recommended that the RSA key pair be at least 2048 bits; shorter keys carry security risks.

The name of an RSA key pair cannot exceed 50 characters, because when the key pair and its certificate are imported together, the PKI system appends _localx.cer to the key pair name to generate the certificate file name and saves the file to the storage component. If the name exceeds 50 characters, the file name exceeds 64 characters and the certificate file cannot be saved to the storage component.

An RSA key pair referenced by a PKI realm cannot be overwritten. It can be overwritten only after the reference is removed.

If the name of the new RSA key pair is the same as that of a pair on the device, the system prompts the user to decide whether to overwrite the existing pair.

Example

# Create 2048-bit RSA key pair test.

<HUAWEI> system-view
[HUAWEI] pki rsa local-key-pair create test
 Info: The name of the new key-pair will be: test                               
 The size of the public key ranges from 2048 to 4096.                                   
 Input the bits in the modules:2048                              
 Generating key-pairs...                                                             
......+++                                                              
.......+++

pki rsa local-key-pair destroy

Function

The pki rsa local-key-pair destroy command deletes the specified RSA key pair.

Format

pki rsa local-key-pair destroy key-name

Parameters

Parameter Description Value
key-name Specifies the name of the RSA key pair to be deleted. The value must be the name of an existing key pair.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

It is recommended that you run this command to destroy the specified RSA key pair if it is leaked, damaged, unused, or lost.

After this command is executed, the specified RSA key pair is deleted from the active device and the standby device.

Prerequisites

The RSA key pair has been created using the pki rsa local-key-pair create command or the RSA key pair has been imported to the memory using the pki import rsa-key-pair command.

Precautions

The RSA key pair in the creation process cannot be deleted.

An RSA key pair referenced by a PKI realm cannot be deleted. It can be deleted only after the reference is removed.

Example

# Delete the RSA key pair test.

<HUAWEI> system-view
[HUAWEI] pki rsa local-key-pair create test
 Info: The name of the new key-pair will be: test
 The size of the public key ranges from 2048 to 4096.
 Input the bits in the modules:2048
 Generating key-pairs...
.....+++
..........................+++ 
[HUAWEI] pki rsa local-key-pair destroy test
 Warning: The name of the key pair to be deleted is test.                   
 Are you sure you want to delete the key pair? [y/n]:y                          
 Info: Delete RSA key pair success. 

pki set-certificate expire-prewarning

Function

The pki set-certificate expire-prewarning command sets the expiration warning date for the local certificate and the CA certificate in the memory.

The undo pki set-certificate expire-prewarning command restores the expiration warning date for the local certificate and the CA certificate in the memory to the default value.

By default, the expiration warning date for the local certificate and the CA certificate in the memory is seven days.

Format

pki set-certificate expire-prewarning day

undo pki set-certificate expire-prewarning

Parameters

Parameter Description Value
day Specifies the expiration warning date. The value is an integer that ranges from 7 to 180. By default, the value is 7.

Views

System view

Default Level

3: Management level

Usage Guidelines

After this command is executed, the device warns you in advance that a certificate is about to expire: if a certificate in the memory will expire in fewer than day days, the device sends an expiration warning to the user.

Example

Set the expiration warning date for the local certificate and the CA certificate in the memory as 30 days.

<HUAWEI> system-view
[HUAWEI] pki set-certificate expire-prewarning 30

pki validate-certificate

Function

The pki validate-certificate command allows you to verify the validity of a CA certificate or a local certificate.

Format

pki validate-certificate { ca | local } realm realm-name

Parameters

Parameter Description Value
ca Checks validity of the CA certificate. -
local Checks validity of the local certificate. -
realm realm-name

Specifies the PKI realm name of a certificate to be checked.

The value must be an existing PKI realm name.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When an end entity verifies a peer certificate, it checks the status of the peer certificate. For example, the end entity checks whether the peer certificate has expired and whether the certificate is in a CRL.

To verify the validity of a CA certificate or a local certificate, run the pki validate-certificate command.

Prerequisites

A PKI realm has been configured using the pki realm (system view) command.

Precautions

The pki validate-certificate ca command allows you to verify only the root CA certificate, but not subordinate CA certificates. When multiple CA certificates are imported on a device, you can use only the pki validate-certificate local command to verify the validity of subordinate certificates.

Example

# Configure the device to check validity of the local certificate using CRL.

<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] certificate-check crl
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki validate-certificate local realm abc

reset pki ocsp response cache

Function

The reset pki ocsp response cache command resets an OCSP response cache.

NOTE:

Only devices in cloud management mode support this command.

Format

reset pki ocsp response cache

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

The PKI entity caches valid OCSP responses for future searches. If the number of cached OCSP responses reaches the maximum value, no more OCSP responses can be cached. To ensure that the latest OCSP responses can be cached, you can run this command to clear the OCSP response cache first.
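The caching, capacity and refresh rules stated for pki ocsp response cache enable, pki ocsp response cache number, pki ocsp response cache refresh interval and this reset command fit together as one small state machine. The following Python model is an added example, not Huawei code: it is an editor's reading of the documented behaviour, with made-up serial numbers and a constructed responder, and its treatment of a response that expires between two refreshes (a cache miss rather than a stale answer) is an assumption the page does not state.

```python
"""Model of the OCSP response cache described for the pki ocsp response
cache enable / number / refresh interval commands and for reset pki ocsp
response cache.

Added example, not Huawei code; class, method and field names are this
example's own. Behaviour taken from the page:
  * a revocation check consults the cache before asking the OCSP server;
  * only valid responses are cached, and each has a validity window;
  * once max_entries responses are cached, further responses are not
    cached (the page says the entity stops caching, not that it evicts);
  * a refresh every refresh_interval seconds deletes expired responses;
  * reset empties the cache.
Assumption not stated on the page: a cached response whose window has
already passed when it is looked up (between two refreshes) is a miss;
a stale "good" must never be served after its next_update.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class OcspResponse:
    serial: str          # serial number of the certificate covered
    status: str          # "good", "revoked" or "unknown"
    this_update: float   # start of the validity window (seconds)
    next_update: float   # end of the validity window (seconds)

    def is_valid_at(self, now: float) -> bool:
        return self.this_update <= now < self.next_update


AskServer = Callable[[str, float], Optional[OcspResponse]]


@dataclass
class OcspResponseCache:
    enabled: bool = False            # page default: cache disabled
    max_entries: int = 2             # page default for cache number
    refresh_interval: float = 300.0  # page default: 5 minutes
    queries_sent: int = 0            # requests that reached the server
    _entries: Dict[str, OcspResponse] = field(default_factory=dict)
    _last_refresh: float = 0.0

    def __len__(self) -> int:
        return len(self._entries)

    def refresh(self, now: float) -> int:
        """Delete expired responses; returns the number removed."""
        expired = [s for s, r in self._entries.items() if not r.is_valid_at(now)]
        for s in expired:
            del self._entries[s]
        self._last_refresh = now
        return len(expired)

    def reset(self) -> None:
        """Equivalent of reset pki ocsp response cache."""
        self._entries.clear()

    def check(self, serial: str, now: float, ask: AskServer) -> Optional[OcspResponse]:
        """Return the status of certificate `serial`: cache first, server second."""
        if not self.enabled:
            self.queries_sent += 1
            return ask(serial, now)
        if now - self._last_refresh >= self.refresh_interval:
            self.refresh(now)
        hit = self._entries.get(serial)
        if hit is not None and hit.is_valid_at(now):
            return hit
        self.queries_sent += 1
        resp = ask(serial, now)
        if resp is None:                 # server unreachable: nothing to cache
            return None
        room = serial in self._entries or len(self._entries) < self.max_entries
        if resp.is_valid_at(now) and room:
            self._entries[serial] = resp
        return resp


# Constructed sample responder: every response is valid for 10 minutes
# from the time it is produced. Serial numbers and statuses are made up.
_SAMPLE_STATUS = {"01": "good", "02": "revoked", "03": "good"}


def sample_responder(serial: str, now: float) -> Optional[OcspResponse]:
    if serial not in _SAMPLE_STATUS:
        return None                      # unknown serial: treat as no answer
    return OcspResponse(serial, _SAMPLE_STATUS[serial], now, now + 600)


def demo() -> dict:
    """Walk through the documented behaviour with max_entries=2."""
    t0 = 1_700_000_000.0
    cache = OcspResponseCache(enabled=True, max_entries=2)
    cache.check("01", t0, sample_responder)               # miss: queried, cached
    cache.check("01", t0 + 1, sample_responder)           # hit
    second = cache.check("02", t0 + 2, sample_responder)  # miss, cached: now full
    cache.check("03", t0 + 3, sample_responder)           # miss, not cached (limit)
    cache.check("03", t0 + 4, sample_responder)           # miss again, still not cached
    queries_when_full, size_when_full = cache.queries_sent, len(cache)
    removed = cache.refresh(t0 + 601)                     # "01" expired at t0+600
    cache.check("01", t0 + 601, sample_responder)         # refetched and cached again
    unknown = cache.check("99", t0 + 602, sample_responder)
    cache.reset()
    return {
        "status_02": second.status,
        "queries_when_full": queries_when_full,
        "size_when_full": size_when_full,
        "expired_removed": removed,
        "unknown_is_none": unknown is None,
        "queries_total": cache.queries_sent,
        "size_after_reset": len(cache),
    }
```

Two points fall out of the model. Because the entity stops caching rather than evicting when the limit is reached, the default limit of 2 means that on a device validating more than two certificates most checks still go to the OCSP server, so raise pki ocsp response cache number to the number of certificates actually in use. And a revocation status must be checked against next_update at lookup time, not only at the refresh, or a certificate revoked shortly after the cached "good" was issued would be accepted until the next refresh.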

Example

# Reset an OCSP response cache.

<HUAWEI> reset pki ocsp response cache

reset pki ocsp server down-information

Function

The reset pki ocsp server down-information command clears the DOWN status information of the OCSP server recorded on the device.

NOTE:

Only devices in cloud management mode support this command.

Format

reset pki ocsp server down-information [ url [ esc ] url-addr ]

Parameters

Parameter Description Value
url [ esc ] url-addr

Specifies the OCSP server's URL address. If no URL address is specified, clear the DOWN status information on all OCSP servers.

If the esc parameter is specified, the URL address in ASCII format is supported.

The value is a string starting with http:// and consisting of 1 to 128 case-sensitive characters without spaces.

Views

User view

Default Level

3: Management level

Usage Guidelines

There is a mechanism to determine whether the OCSP server is down. When the OCSP server corresponding to a URL cannot be accessed, the server status is set to DOWN. In this case, the device will not send OCSP requests to the URL for 10 minutes.

However, this mechanism may falsely set the state of a transiently disconnected server to DOWN. Using this command, the user can manually clear the falsely reported DOWN state of the OCSP server so that the device can send OCSP requests to the server.
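
The following Go program is an added illustration of the two pieces of OCSP state that the reset pki ocsp response cache and reset pki ocsp server down-information commands act on; it is not Huawei code and does not reproduce the device implementation. It assumes a cache that refuses new entries once full (no eviction), as the response cache description states, and a per-URL DOWN record that suppresses requests for 10 minutes unless cleared manually. The cache size, certificate serials and responder URLs are constructed sample values.

```go
package main

import (
	"fmt"
	"time"
)

// downHold is how long the device stops sending OCSP requests to a URL
// after it has been marked DOWN; the document states 10 minutes.
const downHold = 10 * time.Minute

// OCSPState models the OCSP bookkeeping the two reset commands act on:
// a bounded cache of valid responses, and the DOWN state per responder URL.
type OCSPState struct {
	maxCached int
	cache     map[string][]byte    // key: certificate serial, value: DER OCSP response
	downSince map[string]time.Time // responder URL -> when it was marked DOWN
}

func NewOCSPState(maxCached int) *OCSPState {
	return &OCSPState{
		maxCached: maxCached,
		cache:     map[string][]byte{},
		downSince: map[string]time.Time{},
	}
}

// CacheResponse stores a response for serial and reports whether it fit.
// Per the document a full cache accepts nothing new (no eviction), which is
// why "reset pki ocsp response cache" exists. Replacing an entry that is
// already cached is always allowed.
func (s *OCSPState) CacheResponse(serial string, resp []byte) bool {
	if _, exists := s.cache[serial]; !exists && len(s.cache) >= s.maxCached {
		return false
	}
	s.cache[serial] = resp
	return true
}

// CachedCount returns how many responses are currently cached.
func (s *OCSPState) CachedCount() int { return len(s.cache) }

// ResetResponseCache mirrors "reset pki ocsp response cache".
func (s *OCSPState) ResetResponseCache() { s.cache = map[string][]byte{} }

// MarkDown records that url could not be reached at time now.
func (s *OCSPState) MarkDown(url string, now time.Time) { s.downSince[url] = now }

// MayQuery reports whether the device would send an OCSP request to url
// at time now: a URL marked DOWN is skipped until downHold has elapsed.
func (s *OCSPState) MayQuery(url string, now time.Time) bool {
	since, ok := s.downSince[url]
	if !ok {
		return true
	}
	if now.Sub(since) >= downHold {
		delete(s.downSince, url) // hold expired; try the responder again
		return true
	}
	return false
}

// ResetDown mirrors "reset pki ocsp server down-information [ url url-addr ]"
// and returns how many DOWN records were cleared. An empty url clears all.
func (s *OCSPState) ResetDown(url string) int {
	if url == "" {
		n := len(s.downSince)
		s.downSince = map[string]time.Time{}
		return n
	}
	if _, ok := s.downSince[url]; ok {
		delete(s.downSince, url)
		return 1
	}
	return 0
}

func main() {
	// Constructed sample: a cache that holds two entries and one responder URL.
	st := NewOCSPState(2)
	t0 := time.Date(2019, 4, 18, 9, 0, 0, 0, time.UTC)
	st.CacheResponse("1001", []byte("resp-1001"))
	st.CacheResponse("1002", []byte("resp-1002"))
	fmt.Println("third response cached:", st.CacheResponse("1003", []byte("resp-1003"))) // false
	st.ResetResponseCache()
	fmt.Println("cached after reset:", st.CacheResponse("1003", []byte("resp-1003"))) // true

	url := "http://ocsp.example.test/" // constructed placeholder URL
	st.MarkDown(url, t0)
	fmt.Println("query 5 min later:", st.MayQuery(url, t0.Add(5*time.Minute)))  // false
	fmt.Println("after manual reset:", st.ResetDown(url), st.MayQuery(url, t0)) // 1 true
}
```

The point of modelling it this way is the operational one the document makes: a responder that was only briefly unreachable stays DOWN for the full hold period, so a monitoring check that sees certificate validation failing should look at the recorded DOWN state before assuming the responder itself is at fault.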

The esc keyword allows you to enter URLs that contain a question mark (?) by giving the question mark as its ASCII code: it is written as \x3f, where 3f is the hexadecimal ASCII code of the question mark (?). For example, to enter http://abc.com?page1, type http://abc.com\x3fpage1. To enter http://www.abc.com?page1\x3f, which contains both a question mark (?) and the literal text \x3f, type http://www.abc.com\x3fpage1\\x3f.
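
As an added example, not Huawei code, the Go program below implements the escaping convention just described in both directions, together with the length, prefix and no-space checks the url-addr parameter documents. The document only shows that a literal \x3f is typed as \\x3f; treating every backslash as doubled is an assumption generalised from that single case.

```go
package main

import (
	"fmt"
	"strings"
)

// ValidateURLAddr applies the constraints the url-addr parameter documents:
// a string of 1 to 128 characters, starting with http://, with no spaces.
func ValidateURLAddr(s string) error {
	switch {
	case len(s) < 1 || len(s) > 128:
		return fmt.Errorf("url-addr must be 1 to 128 characters, got %d", len(s))
	case !strings.HasPrefix(s, "http://"):
		return fmt.Errorf("url-addr must start with http://")
	case strings.ContainsRune(s, ' '):
		return fmt.Errorf("url-addr must not contain spaces")
	}
	return nil
}

// EscapeOCSPURL turns the URL an operator wants into the form typed after
// the esc keyword: each '?' becomes \x3f, and each backslash already in
// the URL is doubled, so a literal "\x3f" in the URL survives as "\\x3f".
// Doubling every backslash is an assumption generalised from the single
// "\\x3f" case the document shows.
func EscapeOCSPURL(url string) string {
	var b strings.Builder
	for _, r := range url {
		switch r {
		case '?':
			b.WriteString(`\x3f`)
		case '\\':
			b.WriteString(`\\`)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// UnescapeOCSPURL does what the device must do when it parses a url-addr
// given with esc: \\ becomes one backslash and \x3f becomes '?'. Any other
// backslash sequence, or a raw '?', is rejected rather than guessed at.
func UnescapeOCSPURL(s string) (string, error) {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '?':
			return "", fmt.Errorf("raw '?' at offset %d; write it as \\x3f", i)
		case c != '\\':
			b.WriteByte(c)
		case i+1 < len(s) && s[i+1] == '\\':
			b.WriteByte('\\')
			i++ // skip the second backslash
		case strings.HasPrefix(strings.ToLower(s[i:]), `\x3f`):
			b.WriteByte('?')
			i += 3 // skip "x3f"
		default:
			return "", fmt.Errorf("unsupported escape sequence at offset %d", i)
		}
	}
	return b.String(), nil
}

func main() {
	// The two URLs from the document, round-tripped through escape and unescape.
	for _, want := range []string{"http://abc.com?page1", `http://www.abc.com?page1\x3f`} {
		typed := EscapeOCSPURL(want)
		back, err := UnescapeOCSPURL(typed)
		fmt.Printf("want %-30s type %-34s back %-30s err=%v valid=%v\n",
			want, typed, back, err, ValidateURLAddr(typed))
	}
}
```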

Example

# Clear the DOWN status information of all OCSP servers.

<HUAWEI> reset pki ocsp server down-information

rsa local-key-pair

Function

The rsa local-key-pair command configures the RSA key pair used to request a certificate through SCEP or in offline mode.

The undo rsa local-key-pair command deletes the RSA key pair used to request a certificate through SCEP or in offline mode.

By default, no RSA key pair is configured for requesting a certificate through SCEP or in offline mode.

Format

rsa local-key-pair key-name

undo rsa local-key-pair

Parameters

Parameter

Description

Value

key-name

Specifies the name of the RSA key pair.

The value must be an existing RSA key pair name.

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The PKI entity that requests a certificate from the CA using the SCEP or in offline PKCS#10 mode must contain a public key. Run this command to configure the RSA key pair.

Prerequisites

The RSA key pair for certificate application has been created using the pki rsa local-key-pair create command or the RSA key pair has been imported to the memory using the pki import rsa-key-pair command.

Precautions

An RSA key pair can be referenced by only one PKI realm.

Example

# Configure the RSA key pair that is referenced by the PKI realm test.

<HUAWEI> system-view
[HUAWEI] pki rsa local-key-pair create test
 Info: The name of the new key-pair will be: test
 The size of the public key ranges from 512 to 4096.
 Input the bits in the modules:2048
 Generating key-pairs...
.........................+++
................................................................................
........+++
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] rsa local-key-pair test

serial-number

Function

The serial-number command adds the serial number of a device to the PKI entity.

The undo serial-number command restores the default setting.

By default, the serial number of a device is not added to the PKI entity.

Format

serial-number

undo serial-number

Parameters

None

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

The parameters of a PKI entity include the identity information of the PKI entity. The CA identifies a certificate applicant based on identity information provided by a PKI entity. To further identify the applicant, add the serial number of the device to the PKI entity.

After the serial number of the device is added to a PKI entity, the certificate request packet sent by the device to the CA server carries this serial number. After receiving the certificate request packet, the CA server verifies the packet. For each valid packet, the CA server generates a digital certificate carrying the device serial number.

Example

# Add the serial number of the device to a PKI entity.

<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] serial-number

source interface

Function

The source interface command configures the source interface used in TCP connection setup.

The undo source interface command restores the default source interface used in TCP connection setup.

By default, the device uses the outbound interface as the source interface for TCP connection setup.

Format

source interface interface-type interface-number

undo source interface

Parameters

Parameter

Description

Value

interface-type interface-number

Specifies an interface's IP address as the source IP address used in TCP connection setup.

  • interface-type indicates the type of the interface.
  • interface-number indicates the number of the interface.

-

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The source interface command specifies the source interface for establishing a connection between the device and the Simple Certificate Enrollment Protocol (SCEP) or Online Certificate Status Protocol (OCSP) server. This interface IP address is the source IP address of the TCP connection.

When the device has multiple outbound interfaces and a TCP packet is sent on one interface but the reply arrives on another, the destination IP address of the received TCP packet differs from the IP address of the receiving interface. The packet is then dropped and the TCP connection is torn down. In this situation, run this command to use a loopback interface address as the source address.

Precautions

Ensure that the interface is at Layer 3 and has an IP address configured.

Example

# Configure the source interface used in TCP connection setup to VLANIF 100.
<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.136.2.25 24
[HUAWEI-Vlanif100] quit
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] source interface vlanif 100

state (PKI entity view)

Function

The state command configures a state or province name for an entity.

The undo state command deletes the configuration.

By default, no state or province name is configured for a PKI entity.

Format

state state-name

undo state

Parameters

Parameter

Description

Value

state-name

Specifies the state or province name of an entity.

The value is a string of 1 to 32 case-sensitive characters, including letters, numerals, apostrophes ('), equal signs (=), parentheses (), plus signs (+), commas (,), minus signs (-), periods (.), slashes (/), colons (:), and spaces.

Views

PKI entity view

Default Level

2: Configuration level

Usage Guidelines

The parameters of a PKI entity contain the identity information of the entity. The CA identifies a certificate applicant based on identity information provided by the entity. To facilitate applicant identification, configure a state or province name for a PKI entity.

After the state or province name is configured for a PKI entity, the certificate request packet sent by the device to the CA server contains this name. The CA server verifies every received certificate request packet. For each valid packet, the CA server generates a digital certificate carrying the state or province name of the PKI entity.
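
The rsa local-key-pair, serial-number and state commands above each add something to the certificate request the device sends. The Go program below is an added example, not Huawei code, of what such an offline PKCS#10 request contains: the entity's RSA public key, the state or province name as the subject's ST attribute, and the device serial number as the X.500 serialNumber attribute (OID 2.5.4.5; that this is the attribute the device uses is an assumption, the document only says the request carries the serial number). It also checks the state-name character set and length the state command documents, and verifies the request's self-signature the way a CA would before issuing. The common name and the serial number value are constructed placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"os"
	"strings"
)

// ValidStateName applies the constraints the state command documents:
// 1 to 32 characters made of letters, digits and the listed punctuation.
func ValidStateName(s string) bool {
	if len(s) < 1 || len(s) > 32 {
		return false
	}
	const punct = "'=()+,-./: "
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		case strings.ContainsRune(punct, r):
		default:
			return false
		}
	}
	return true
}

// EntityCSR assembles the PKCS#10 request a device would send in offline
// mode: the entity's RSA public key, the subject (common name plus
// state/province), and, when deviceSerial is non-empty, the device serial
// number as the X.500 serialNumber attribute (assumed mapping). The CSR is
// self-signed with the private key, which is the proof of possession the
// CA checks.
func EntityCSR(key *rsa.PrivateKey, commonName, state, deviceSerial string) ([]byte, error) {
	if !ValidStateName(state) {
		return nil, fmt.Errorf("state name %q violates the documented character set or length", state)
	}
	subj := pkix.Name{CommonName: commonName, Province: []string{state}}
	if deviceSerial != "" {
		subj.SerialNumber = deviceSerial
	}
	tmpl := &x509.CertificateRequest{Subject: subj, SignatureAlgorithm: x509.SHA256WithRSA}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// InspectCSR parses a DER CSR, verifies its self-signature, and returns the
// state, the device serial number and the RSA modulus size the CA would see.
func InspectCSR(der []byte) (state, deviceSerial string, bits int, err error) {
	csr, perr := x509.ParseCertificateRequest(der)
	if perr != nil {
		return "", "", 0, perr
	}
	if serr := csr.CheckSignature(); serr != nil {
		return "", "", 0, serr
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", "", 0, fmt.Errorf("public key is not RSA")
	}
	if len(csr.Subject.Province) > 0 {
		state = csr.Subject.Province[0]
	}
	return state, csr.Subject.SerialNumber, pub.N.BitLen(), nil
}

func main() {
	// 2048-bit key, the modulus length typed in the pki rsa local-key-pair
	// create example earlier on this page.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// "SN-PLACEHOLDER-0001" stands in for a real device serial number.
	der, err := EntityCSR(key, "entity1", "Jiangsu", "SN-PLACEHOLDER-0001")
	if err != nil {
		panic(err)
	}
	pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	state, sn, bits, err := InspectCSR(der)
	fmt.Printf("state=%s deviceSerial=%s rsaBits=%d verifyErr=%v\n", state, sn, bits, err)
}
```

The PEM block printed by main can be fed to any CA tooling that accepts PKCS#10 to confirm which subject attributes arrive at the CA; the InspectCSR check is the same proof-of-possession test a CA performs, so a request whose signature does not verify should never be issued.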

Example

# Configure the province name to Jiangsu for a PKI entity.

<HUAWEI> system-view
[HUAWEI] pki entity entity1
[HUAWEI-pki-entity-entity1] state Jiangsu

vpn-instance

Function

The vpn-instance command adds a PKI to a specified VPN.

The undo vpn-instance command unbinds a PKI from a specified VPN.

By default, a PKI does not belong to any VPN.

Format

vpn-instance vpn-instance-name

undo vpn-instance vpn-instance-name

Parameters

Parameter

Description

Value

vpn-instance-name

Specifies the name of a VPN instance.

The value must be an existing VPN instance name.

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To obtain and verify certificates, the device needs to communicate with the CA or SCEP server. When the CA or SCEP server is in a VPN, add the PKI to the specified VPN.

Prerequisites

  1. A VPN instance has been created using the ip vpn-instance command.

  2. The RD has been configured using the route-distinguisher command.

Example

# Add the PKI to the VPN named vrf1.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vrf1
[HUAWEI-vpn-instance-vrf1] route-distinguisher 22:1
[HUAWEI-vpn-instance-vrf1-af-ipv4] quit
[HUAWEI-vpn-instance-vrf1] quit
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] vpn-instance vrf1
Updated: 2019-04-18

Document ID: EDOC1000178165