


Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Configuring a PKI Entity to Obtain a CA Certificate

Context

When applying for a local certificate, the PKI entity sends the certificate enrollment request to the CA. To improve transmission security, the PKI entity must use the CA's public key to encrypt the certificate enrollment message. Therefore, the PKI entity must have the CA's certificate and obtain the public key from the CA certificate.

NOTE:

The CA and local certificates have been set in the default domain when a device is delivered. To view the CA certificate information, run the display pki certificate ca realm default command.

Configuration Procedure

A PKI entity must download and then install a CA certificate.

Downloading a CA Certificate for a PKI Entity

Context

Several methods are available to download a CA certificate, depending on the service types provided by the CA:

  • Download the CA certificate from the CA server through SCEP into the device storage.

  • Download the CA certificate from the web server to the device storage through HTTP.

  • Obtain the CA certificate in an outbound way (web, disk, or email) and then upload it to the device storage.

Procedure

  • Download a CA certificate through SCEP.

    For details about downloading a CA certificate through SCEP, see Applying for and Updating the Local Certificate Through SCEP.

  • Download a CA certificate through the Hypertext Transfer Protocol (HTTP).
    1. Run system-view

      The system view is displayed.

    2. Run pki http [ esc ] url-address save-name

      A CA certificate is downloaded through HTTP.

      url-address must include a complete certificate file name and file name extension, for example, http://10.1.1.1:8080/cert.cer. If url-address specifies a domain name, ensure that the domain name can be resolved.

  • Download a CA certificate in an outbound way.

    After you obtain a CA certificate in an outbound way (web, disk, or email), manually upload it to the device storage. You can also download the CA certificate on the administrator's PC and then upload it to the device storage through FTP, SFTP, or the web system.

(Optional) Installing a CA Certificate for a PKI Entity

Context

A downloaded CA certificate must be imported into the device memory to take effect. The device will store the imported certificate file to the ca_config.ini file in the default directory and automatically load the certificate file after restarting.

NOTE:

To prevent a failure to install the CA certificate, ensure that the CA certificate file size does not exceed 1 MB.

When the SCEP is used, the device automatically installs the CA certificate, and you do not need to manually install the CA certificate.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki import-certificate ca realm realm-name { der | pkcs12 | pem } [ filename filename ] [ replace ] [ no-check-validate ] [ no-check-hash-alg ]

    Or run pki import-certificate ca realm realm-name pkcs12 filename filename [ no-check-validate ] [ no-check-hash-alg ] password password

    The CA certificate is imported into the device memory.

  3. (Optional) Run pki set-certificate expire-prewarning day

    The expiry prewarning time of the CA certificate in the device memory is configured.

    The default expiry prewarning time of the CA certificate in the device memory is 7 days.
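The download methods above fetch the CA certificate file over plain HTTP or copy it in by hand, and the installation step applies a file-size limit, a validity check and a hash-algorithm check before the certificate enters device memory. The following script is an added example, not part of this guide or of the device software: it runs on the administrator's PC with the openssl command-line tool and performs the same kind of checks on the certificate file before it is uploaded to the device storage. It generates a throwaway self-signed CA so that it runs offline; the 1 MB limit and the 7-day prewarning come from this page, while the list of signature hash algorithms treated as weak (MD5, SHA-1) is an assumption about what the device's hash-algorithm check rejects.

```shell
#!/bin/sh
# Pre-import checks for a CA certificate file, run on the administrator's PC
# before the file is uploaded to the device storage (added example, not device code).
set -eu

WORKDIR="$(mktemp -d)"
CERT="$WORKDIR/ca.cer"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample: a throwaway self-signed CA valid for 365 days,
# generated locally so the script needs no network access.
make_sample_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Lab CA" -keyout "$WORKDIR/ca.key" -out "$CERT" 2>/dev/null
}

# Returns 0 when the file parses as an X.509 certificate in PEM or DER form
# (the two single-certificate formats the import command accepts).
check_format() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 ||
    openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1
}

# Returns 0 when the file is within the 1 MB installation limit noted on the page.
check_size() {
  size="$(wc -c < "$1" | tr -d ' ')"
  [ "$size" -le 1048576 ]
}

# Returns 0 when the certificate is still valid at least $2 days from now.
# With $2 = 7 this mirrors the default expire-prewarning threshold.
check_expiry() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Returns 0 unless the signature hash is MD5 or SHA-1. Assumption: these are
# the algorithms a device rejects unless no-check-hash-alg is given.
check_hash_alg() {
  alg="$(openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)"
  case "$alg" in
    *md5*|*MD5*|*sha1*|*SHA1*) return 1 ;;
    *) return 0 ;;
  esac
}

# Prints the SHA-256 fingerprint. Compare it with a value obtained from the CA
# operator out of band before trusting a file that was fetched over plain HTTP.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Runs every check and reports; returns 1 if any check fails.
run_checks() {
  rc=0
  check_format "$1"      && echo "format:   ok" || { echo "format:   FAIL"; rc=1; }
  check_size "$1"        && echo "size:     ok" || { echo "size:     FAIL (>1 MB)"; rc=1; }
  check_expiry "$1" 7    && echo "validity: ok" || { echo "validity: FAIL (expires within 7 days)"; rc=1; }
  check_hash_alg "$1"    && echo "hash alg: ok" || { echo "hash alg: FAIL (MD5/SHA-1 signature)"; rc=1; }
  echo "sha256 fingerprint: $(fingerprint "$1")"
  return $rc
}

make_sample_ca
run_checks "$CERT"
```

Run it as `sh precheck.sh`; to check a real file, replace the generated `$CERT` with the path of the downloaded certificate and compare the printed fingerprint against the value the CA operator published.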

Follow-up Procedure
  • To copy a CA certificate to another device, run the pki export-certificate ca realm realm-name { pem | pkcs12 } [ filename filename ] command. The CA certificate is exported to the device storage, from which it can be obtained through FTP or SFTP.

  • If a CA certificate expires or is not in use, run the pki delete-certificate ca realm realm-name command to delete the CA certificate from the device memory.

Updated: 2019-03-28

Document ID: EDOC1000178177