CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
How Do I Manually Import Certificates and an RSA Key Pair?


Three certificate formats are supported: PKCS#12, DER, and PEM. For details, see Which Certificate Formats Are Supported?.

You can have the device generate a certificate request file (an RSA key pair has already been generated on the device) and provide this file to a certificate authority (CA). In this case the CA issues only a local certificate, and you only need to import the CA certificate and local certificate provided by the CA into the device memory; the RSA key pair does not have to be imported.

Before manually replacing the CA and local certificates, ensure that the CA and local certificates are not being used by services and run the pki delete-certificate command to delete the certificates. The following example deletes the local certificate.
[Huawei] pki delete-certificate local realm abc

The following describes the procedure for manually importing certificates and an RSA key pair:

  1. Enable the device to send certificate request information to the CA in out-of-band mode (web, disk, or email) to apply for a local certificate.

  2. Download the CA certificate, local certificate, and RSA key pair file, and upload them to the device storage media using TFTP.

    Generally, a certificate in DER or PEM format and its key pair are in different files, whereas a certificate in PKCS#12 format and its key pair are in the same file.

  3. Import the CA certificate. If there are multiple CA certificates, import all CA certificates.

    For example, the obtained CA certificate file is named rootca.pem.

    <Huawei> system-view
    [Huawei] pki realm abc 
    [Huawei-pki-realm-abc] quit
    [Huawei] pki import-certificate ca realm abc pem filename rootca.pem

    After the CA certificate has been imported successfully, check CA certificate information.

    [Huawei] display pki certificate ca realm abc
  4. Import the local certificate.

    For example, the obtained local certificate file is named localcert.pem.

    [Huawei] pki import-certificate local realm abc pem filename localcert.pem

    After the local certificate has been imported successfully, check local certificate information.

    [Huawei] display pki certificate local realm abc
  5. Import the RSA key pair. For the files in PEM or PKCS#12 format, the password for the RSA key pair provided by the CA is also required.

    For example, the obtained RSA key pair file is local_privatekey.pem, and the password is Huawei@123.

    [Huawei] pki import rsa-key-pair abc pem local_privatekey.pem password Huawei@123

    After the RSA key pair has been imported successfully, check RSA key pair information.

    [Huawei] display pki rsa local-key-pair name abc public
  6. Check whether the imported local certificate and RSA key pair match. If no matching key pair is found, check whether the imported file is correct.

    [Huawei] pki match-rsa-key certificate-filename localcert.pem
    Info: The file localcert.pem contains certificates 1.
    Info: Certificate 1 from file localcert.pem matches RSA key test.
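
The consistency that steps 3 to 6 establish on the device can also be checked on the management workstation before the files are uploaded. The following OpenSSL script is an added example, not part of the Huawei guide: it confirms that localcert.pem verifies against rootca.pem and that local_privatekey.pem belongs to localcert.pem. The function names, the pass.txt password file, and the generated sample files are assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-check on the admin workstation before the upload in step 2.
# rootca.pem, localcert.pem and local_privatekey.pem are the page's file names;
# function names, pass.txt and the generated samples are assumptions.

# Returns 0 if the certificate's public key equals the one derived from the
# private key, 1 on mismatch, 2 if a file is unreadable or the password is wrong.
cert_matches_key() (   # usage: cert_matches_key CERT KEY PASSFILE
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
    key_pub=$(openssl pkey -in "$2" -passin "file:$3" -pubout 2>/dev/null) || exit 2
    [ "$cert_pub" = "$key_pub" ]
)

# Returns 0 if the local certificate verifies against the CA certificate.
cert_issued_by_ca() (  # usage: cert_issued_by_ca CA CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
)

# Create constructed sample files in directory $1: a throwaway CA, an encrypted
# device key, its local certificate, and an unrelated key for the negative case.
make_samples() (
    cd "$1" || exit 1
    printf '%s\n' 'constructed-pass-phrase' > pass.txt
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out rootca.pem \
        -subj '/CN=Constructed Root CA' -days 1 2>/dev/null || exit 1
    openssl genrsa -aes256 -passout file:pass.txt -out local_privatekey.pem 2048 2>/dev/null || exit 1
    openssl genrsa -aes256 -passout file:pass.txt -out other_key.pem 2048 2>/dev/null || exit 1
    openssl req -new -key local_privatekey.pem -passin file:pass.txt \
        -subj '/CN=router.example' -out req.pem 2>/dev/null || exit 1
    openssl x509 -req -in req.pem -CA rootca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -out localcert.pem 2>/dev/null || exit 1
)

# Run both checks on the files in directory $1; returns 0 only if both pass.
precheck() (
    cd "$1" || exit 1
    rc=0
    cert_issued_by_ca rootca.pem localcert.pem ||
        { echo "localcert.pem does not verify against rootca.pem"; rc=1; }
    cert_matches_key localcert.pem local_privatekey.pem pass.txt ||
        { echo "local_privatekey.pem does not match localcert.pem"; rc=1; }
    [ "$rc" -eq 0 ] && echo "pre-check passed: CA, local certificate and key are consistent"
    exit "$rc"
)

demo_dir=$(mktemp -d) && make_samples "$demo_dir" && precheck "$demo_dir"
rm -rf "$demo_dir"
```

To check real files, place them in one directory together with a pass.txt holding the key password and call precheck on that directory.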
Updated: 2019-08-07

Document ID: EDOC1100034077
