Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
A Local Certificate Failed to Be Obtained

Fault Symptom

  • The administrator applies for a local certificate in offline mode. However, the local certificate does not exist in the device storage. The possible causes are as follows:

    • The PKI entity configuration is incorrect.

    • The challenge password is incorrect or not configured.

    • The configuration for downloading the local certificate using HTTP is incorrect.

  • The administrator applies for a local certificate using SCEP. However, the local certificate does not exist in the device storage. The possible causes are as follows:

    • No CA certificate exists in the PKI realm.

    • The PKI entity is incorrectly configured or not configured.

    • The trusted CA name is incorrect or not configured.

    • The URL of the certificate enrollment server is incorrect or not configured.

    • The RSA key pair is not configured.

    • The source interface for the TCP connection is incorrect.

    • The digest method used for the signed certificate enrollment request is incorrect.

    • The challenge password is incorrect or not configured.

Procedure

  • Obtain a local certificate manually.
    1. Check whether the PKI entity is correctly configured.

      To view the configuration of a PKI entity in a PKI realm, run the display pki entity command.

      Modify the incorrect configurations, such as country code. For details, see Configuring a PKI Entity.

    2. Check whether the challenge password is correct.

      Confirm that the CA server requires a challenge password, and ensure that the challenge password configured on the device is the same as that of the CA server. To set the challenge password, run pki enroll-certificate.

    3. Check whether the configuration for downloading a CA certificate using HTTP is correct.

      If not, modify the configuration using the pki http command.

  • Obtain a local certificate using SCEP.
    1. Check whether the CA certificate has been imported to the device memory.

      To view the CA certificate in memory, run display pki certificate.

      If no CA certificate exists, obtain a CA certificate and run pki import-certificate to import the certificate to memory.

    2. Check whether the PKI entity is correctly configured.

      To view the configuration of a PKI entity in a PKI realm, run the display pki entity command.

      Modify the incorrect configurations, such as country code. For details, see Configuring a PKI Entity.

    3. Check whether the CA certificate application configuration is correct in the PKI realm.

      Run the display pki realm command in any view or the display this command in the PKI realm view.

      The following is a sample of local certificate application configuration:

      pki realm test
       ca id ca_server   //Specify the CA trusted by the PKI realm.
       enrollment-url http://10.13.14.15:8080/certsrv/mscep/mscep.dll   //Configure the URL of the certificate enrollment server.
       entity zzz   //Specify the PKI entity.
       rsa local-key-pair 8   //Specify the RSA key pair.
       password cipher %^%#\1HN-bn(k;^|O85OAtYF3(M4%^%#   //Configure the challenge password for SCEP certificate application; it must be the same as that on the CA server.
       source interface GigabitEthernet0/0/1   //Specify the source interface (a Layer 3 interface with an IP address assigned) for the TCP connection. By default, the source interface of a TCP connection is the egress interface.
       enrollment-request signature message-digest-method sha1   //Configure the digest algorithm used by the signed certificate enrollment request; it must be the same as that on the CA server.

      Ensure that the configuration is correct. For details, see Applying for and Updating the Local Certificate Through SCEP.
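As an added check (example code, not part of Huawei's documentation or of the switch software), the following Python script runs the SCEP checklist above over the text of display this taken from the PKI realm view and reports which prerequisites are missing or mismatched. The sample realm configurations are constructed from the example on this page, and the digest method the CA server expects is an assumption supplied by the caller.

```python
import re

# Checklist items this page lists for SCEP enrollment, keyed by the keyword
# that starts the corresponding line in 'display this' output.
REQUIRED = {
    "ca id": "trusted CA name is not configured",
    "enrollment-url": "certificate enrollment server URL is not configured",
    "entity": "no PKI entity is bound to the realm",
    "rsa local-key-pair": "RSA key pair is not configured",
    "password cipher": "challenge password is not configured",
}
# Items that have defaults but are checked for consistency when present.
OPTIONAL = ["source interface", "enrollment-request signature message-digest-method"]

def parse_realm(text):
    """Return {keyword: value} for one 'pki realm' block.
    Trailing '//' comments (preceded by whitespace) are dropped; the '//' inside
    an http:// URL is not preceded by whitespace and therefore survives."""
    realm = {}
    for raw in text.splitlines():
        line = re.split(r"\s+//", raw, 1)[0].strip()
        for key in list(REQUIRED) + OPTIONAL:
            if line.startswith(key + " "):
                realm[key] = line[len(key):].strip()
                break
    return realm

def check_realm(text, ca_digest):
    """List the checklist items that fail; ca_digest is the digest method the
    CA server expects (assumed known to the operator)."""
    realm = parse_realm(text)
    findings = [msg for key, msg in REQUIRED.items() if key not in realm]
    url = realm.get("enrollment-url", "")
    if url and not re.match(r"^https?://\S+$", url):
        findings.append("enrollment URL is malformed: " + url)
    digest = realm.get("enrollment-request signature message-digest-method")
    if digest is not None and digest.lower() != ca_digest.lower():
        findings.append("digest method %s does not match the CA server's %s" % (digest, ca_digest))
    return findings

# Constructed samples: the realm from this page, and a variant with the
# challenge password missing and a digest method the CA does not use.
GOOD = r"""pki realm test
 ca id ca_server   //Specify the CA trusted by the PKI realm.
 enrollment-url http://10.13.14.15:8080/certsrv/mscep/mscep.dll
 entity zzz
 rsa local-key-pair 8
 password cipher %^%#\1HN-bn(k;^|O85OAtYF3(M4%^%#
 source interface GigabitEthernet0/0/1
 enrollment-request signature message-digest-method sha1
"""
BAD = GOOD.replace(" password cipher", " #password cipher").replace("sha1", "md5")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_realm(cfg, "sha1") or ["all SCEP checklist items present"])
```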

Updated: 2019-09-23

Document ID: EDOC1000178177