Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
A CA Certificate Failed to Be Obtained

Fault Symptom

  • The network administrator has manually applied for a CA certificate; however, the CA certificate does not exist in the device storage. The reason is that the configuration about downloading CA certificates using HTTP is incorrect.

  • The administrator applies for a CA certificate using SCEP. However, the CA certificate does not exist in the device storage. The possible causes are as follows:

    • The command for obtaining the CA certificate is not executed.

    • The trusted CA name is incorrect or not configured.

    • The URL of the certificate enrollment server is incorrect or not configured.

    • The PKI entity is not configured.

    • The fingerprint is incorrect or not configured.

    • The RSA key pair is not configured.

    • The source interface for TCP connection is incorrect.

Procedure

  • Obtain a CA certificate manually.

    Check whether the configuration about downloading a CA certificate using HTTP is correct. If not, modify the configuration using the pki http command.

  • Obtain a CA certificate using SCEP.
    1. Check whether the pki get-certificate command has been executed in the system view.

      If not, run the pki get-certificate command. You will be prompted if the configuration for CA certificate application is incorrect.

    2. Check whether the CA certificate application configuration is correct in the PKI realm.

      Run the display pki realm command in any view or the display this command in the PKI realm view.

      The following is a sample of CA certificate application configuration:
      pki realm test
       ca id ca_server   //Specify the CA trusted by the PKI realm.
       enrollment-url   //Configure the URL of the certificate enrollment server.
       entity zzz   //Specify the PKI entity.
       fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf   //Configure the fingerprint used to verify the CA certificate. Obtain the fingerprint from the CA server.
       rsa local-key-pair 8   //Specify the RSA key pair.
       source interface GigabitEthernet0/0/2   //Specify the source interface (a Layer 3 interface with an IP address assigned) for the TCP connection. By default, the source interface of a TCP connection is the egress interface.

      Ensure that the configuration is correct. For details, see Applying for and Updating the Local Certificate Through SCEP.

Updated: 2019-09-23

Document ID: EDOC1000178177
