CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
A CA Certificate Failed to Be Obtained

Fault Symptom

  • The network administrator has manually applied for a CA certificate, but the CA certificate does not exist in the device storage. The cause is an incorrect configuration for downloading CA certificates using HTTP or LDAP.

  • The administrator applies for a CA certificate using SCEP. However, the CA certificate does not exist in the device storage. The possible causes are as follows:

    • The command for obtaining the CA certificate is not executed.

    • The trusted CA name is incorrect or not configured.

    • The URL of the certificate enrollment server is incorrect or not configured.

    • The PKI entity is not configured.

    • The fingerprint is incorrect or not configured.

    • The RSA key pair is not configured.

    • The source interface for TCP connection is incorrect.

Procedure

  • Obtain a CA certificate manually.

    Check whether the configuration for downloading a CA certificate using HTTP or LDAP is correct. If it is not, modify the configuration using the pki http or pki ldap command.

  • Obtain a CA certificate using SCEP.
    1. Check whether the pki get-certificate command has been executed in the system view.

      If not, run the pki get-certificate command. You will be prompted if the configuration for CA certificate application is incorrect.

    2. Check whether the CA certificate application configuration is correct in the PKI realm.

      Run the display pki realm command in any view or the command in the PKI realm view.

      The following is a sample of CA certificate application configuration:
      pki realm test
       ca id ca_server   //Specify the CA trusted by the PKI realm.
       enrollment-url http://10.13.14.15:8080/certsrv/mscep/mscep.dll   //Configure the URL for the certificate enrollment server.
       entity zzz   //Specify the PKI entity.
       fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf   //Configure the fingerprint for CA certificate verification. The fingerprint is obtained from the CA server.
       rsa local-key-pair 8   //Specify the RSA key pair.
       source interface Ethernet0/0/2   //Specify the source interface (a Layer 3 interface with IP address assigned) for the TCP connection. By default, source interface of a TCP connection is the egress interface.
      

      Ensure that the configuration is correct. For details, see Applying for and Updating the Local Certificate Through SCEP.
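
The realm checks in step 2 can also be run offline against saved configuration text. The following Python sketch is an added example, not Huawei code or a device command: it lints a pki realm block against the SCEP causes listed under Fault Symptom. The names parse_realm and lint_realm, the BROKEN input, and the md5 and sha256 digest lengths are assumptions of this example; it checks only that values are present and well-formed, not that they match the CA server.

```python
import re
from urllib.parse import urlparse

# Hex length of each digest (standard sizes; the page itself only shows sha1).
DIGEST_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
# Realm settings the page names as causes when missing. "source interface" is
# left out: it is optional and cannot be validated offline.
REQUIRED = ["ca id", "enrollment-url", "entity", "fingerprint", "rsa local-key-pair"]

SAMPLE = """pki realm test
 ca id ca_server   //Specify the CA trusted by the PKI realm.
 enrollment-url http://10.13.14.15:8080/certsrv/mscep/mscep.dll   //Enrollment URL.
 entity zzz
 fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf
 rsa local-key-pair 8
"""  # values from the page's sample
BROKEN = """pki realm test
 ca id ca_server
 enrollment-url 10.13.14.15:8080/certsrv/mscep/mscep.dll
 fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578ea
 rsa local-key-pair 8
"""  # constructed: no entity, URL without scheme, digest one character short

def parse_realm(text):
    """Return {keyword: argument string} for one 'pki realm' block."""
    settings = {}
    for raw in text.splitlines():
        line = re.sub(r"\s+//.*$", "", raw).strip()  # drop notes, keep http://
        for key in REQUIRED:
            if line.startswith(key + " "):
                settings[key] = line[len(key):].strip()
    return settings

def lint_realm(text):
    """Return findings that map to the SCEP causes in the Fault Symptom list."""
    s = parse_realm(text)
    findings = [f"{k} is not configured" for k in REQUIRED if not s.get(k)]
    url = urlparse(s.get("enrollment-url", ""))
    if s.get("enrollment-url") and not (url.scheme and url.hostname):
        findings.append("enrollment-url is not a valid URL")
    fp = s.get("fingerprint", "").lower().split()
    if fp:
        want = DIGEST_HEX_LEN.get(fp[0])
        if want is None or len(fp) != 2:
            findings.append("fingerprint needs a hash name and one digest")
        elif not re.fullmatch(r"[0-9a-f]{%d}" % want, fp[1]):
            findings.append(f"fingerprint is not {want} hex characters for {fp[0]}")
    return findings
```

Calling lint_realm(SAMPLE) returns an empty list, and lint_realm(BROKEN) returns one finding per defect in the constructed input.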

Updated: 2019-08-07

Document ID: EDOC1100034077
