Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, and security risks.
Applying for the Local Certificate in Offline Mode

Context

If the CA server does not support SCEP, configure the device to apply for the local certificate in offline mode. Users generate a certificate request file on the device and then send the file to the CA in out-of-band mode (web, disk, or email) to apply for the local certificate. After the certificate is issued, users still need to download it from the server where it is stored and save it to the device storage.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki realm realm-name

    A PKI realm is created and the PKI realm view is displayed; if the PKI realm already exists, the PKI realm view is displayed directly.

    By default, the device has a PKI realm named default. This realm can only be modified but cannot be deleted.

    A PKI realm is valid only on the local device and unavailable to certificate authorities (CAs) or other devices. Each PKI realm has its own parameters.

  3. Run entity entity-name

    A PKI entity that applies for a local certificate is specified.

    By default, no PKI entity that applies for a local certificate is specified.

    The PKI entity specified by entity-name must have been created using the pki entity command.

  4. Run rsa local-key-pair key-name

    The RSA key pair used in offline mode certificate application is configured.

    By default, the RSA key pair used in offline mode certificate application is not configured.

  5. Run enrollment-request signature message-digest-method { md5 | sha1 | sha-256 | sha-384 | sha-512 }

    The digest algorithm used to sign certificate enrollment requests is configured.

    By default, the digest algorithm used to sign certificate enrollment requests is sha-256.

    The sha-256, sha-384, and sha-512 algorithms are more secure than md5 and sha1 and are therefore recommended.

    The digest algorithm used on a PKI entity must be the same as that used on the CA server.

  6. (Optional) Run key-usage { ike | ssl-client | ssl-server } *

    The certificate public key usage attribute is configured.

    By default, no certificate public key usage attribute is configured.

  7. Run quit

    Return to the system view.

  8. Run pki file-format { der | pem }

    The file format in which the device stores the certificate and certificate request is configured.

    By default, the device stores the certificate and certificate request in PEM format.

  9. Run pki enroll-certificate realm realm-name pkcs10 [ filename filename ] [ password password ]

    The device is configured to save certificate application information into a file in PKCS#10 format.

    The challenge password used on a PKI entity must be the same as that configured on the CA server. If the CA server does not require a challenge password, this challenge password does not need to be configured.

  10. Send the certificate request file to the CA in out-of-band mode (web, disk, or email) to apply for the local certificate.
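
The following pre-submission check is an added example, not part of the Huawei guide or its tooling: run on an administrator workstation, it reads the PKCS#10 request file from step 9 in either format from step 8 and reports the digest from step 5, flagging md5/sha1 and any mismatch with the CA. The function names and the sample request are hypothetical and constructed, and it assumes the request is signed with an RSA PKCS#1 v1.5 algorithm.

```python
import base64, re

# OID prefix 1.2.840.113549.1.1 (PKCS#1); the last byte selects the digest (step 5 keywords)
RSA_PREFIX = bytes.fromhex("2a864886f70d0101")
DIGESTS = {0x04: "md5", 0x05: "sha1", 0x0B: "sha-256", 0x0C: "sha-384", 0x0D: "sha-512"}
WEAK = {"md5", "sha1"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def csr_digest(data):
    """Digest keyword (or raw OID hex) that signs a PEM or DER PKCS#10 request."""
    pem = re.search(rb"-----BEGIN [A-Z ]*CERTIFICATE REQUEST-----(.*?)-----END", data, re.S)
    der = base64.b64decode(pem.group(1)) if pem else data
    outer, request, _ = read_tlv(der, 0)
    _, _, pos = read_tlv(request, 0)       # skip certificationRequestInfo
    _, alg, _ = read_tlv(request, pos)     # signatureAlgorithm
    tag, oid, _ = read_tlv(alg, 0)
    if outer != 0x30 or tag != 0x06:
        raise ValueError("not a PKCS#10 certificate request")
    if oid[:-1] == RSA_PREFIX and oid[-1] in DIGESTS:
        return DIGESTS[oid[-1]]
    return "oid:" + oid.hex()

def check_csr(data, ca_digest):
    """Return (digest, findings) for a request file before it is sent to the CA."""
    digest, findings = csr_digest(data), []
    if digest in WEAK:
        findings.append(f"{digest} is a weak digest; use sha-256 or stronger")
    if digest != ca_digest:
        findings.append(f"request uses {digest}, CA expects {ca_digest}")
    return digest, findings

def sample_csr(alg_byte):
    """Constructed PKCS#10 skeleton with dummy request info and signature bytes."""
    def tlv(tag, val):
        return bytes([tag, len(val)]) + val
    alg = tlv(0x30, tlv(0x06, RSA_PREFIX + bytes([alg_byte])) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, b"\x02\x01\x00") + alg + tlv(0x03, b"\x00" + b"\xaa" * 8))

if __name__ == "__main__":
    print(check_csr(sample_csr(0x05), "sha-256"))   # constructed sha1-signed request
```
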
Updated: 2019-04-01

Document ID: EDOC1000178319
