No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring the Extended Functions

Configuring the Extended Functions

Configuring Certificate Obtaining


When the SCEP method is used, the PKI entity queries and obtains issued certificates on the CA server and stores the certificates to the local storage. The PKI entity can download their own certificates, CA certificates, or local certificates of other entities.

After obtaining a CA certificate, the device automatically imports the certificate to the device memory. After the device obtains a local certificate, you need to import it to the memory manually.

The purposes of obtaining a certificate are as follows:
  • Stores certificates to the device storage to improve certificate query efficiency and reduce the times of querying the PKI certificate repository.
  • Prepares for certificate authentication.


  1. Run system-view

    The system view is displayed.

  2. Run pki get-certificate { ca | local } realm realm-name

    The certificate is saved to the storage.

    If the same certificate exists on the device, delete the existing one; otherwise, the certificate cannot be obtained.

Importing and Releasing a Peer Certificate


In the digital envelope authentication mode, the device as the data sender must have the receiptant's public key configured. Importing a peer certificate is a method to obtain the public key of a peer entity. This method connects the user identity information to the public key. It has high security and is applicable to large networks.

If the imported peer certificate is not used, release the certificate.


  • Import the peer certificate
    1. Run system-view

      The system view is displayed.

    2. Run pki import-certificate peer peer-name { { der | pem | pkcs12 } filename [ filename ] | pem terminal } or pki import-certificate peer peer-name pkcs12 filename filename password password

      The peer certificate is imported to the device memory.

  • Release the peer certificate
    1. Run system-view

      The system view is displayed.

    2. Run pki release-certificate peer { name peer-name | all }

      The peer certificate is released.

Verifying the Configuration

Run the display pki peer-certificate { name peer-name | all } command to check the imported peer certificate.

Configuring a Self-Signed Certificate or Local Certificate


If a device fails to request a local certificate from the CA, it can generate a self-signed certificate or local certificate. The generated certificate is saved in storage as a file and issued to a PKI entity. You can export the certificate and transfer it to another device.

  • A self-signed certificate is issued by a device to itself. Therefore, the issuer and subject of a self-signed certificate are identical.
  • A local certificate is issued by a device to itself according to the certificate issued by the CA. Therefore, the issuer of a local certificate is the CA.

A device does not support lifecycle management (such as certificate update and revocation) over its self-signed certificate. To ensure security of the device and certificate, you are advised to replace the self-signed certificate with the local certificate.


  1. Run system-view

    The system view is displayed.

  2. Run pki create-certificate [ self-signed ] filename file-name

    A self-signed certificate or local certificate is created.

    During the configuration, you will be prompted to enter the certificate information, such as PKI entity attributes, the certificate file name, the certificate validity period, and length of the RSA key pair.

    Specify the self-signed parameter to create a self-signed certificate. If this parameter is not specified, a local certificate is created.

    The file format of the created self-signed certificate or local certificate is PEM.

Adding a PKI to a Specified VPN


A device needs to communicate with the CA server to obtain and verify certificates. When the server is in a VPN, add a PKI realm to the VPN.

  1. Run system-view

    The system view is displayed.

  2. Run pki realm realm-name

    A PKI realm is created and the PKI realm view is displayed; or the PKI realm view is displayed directly.

    By default, the device has a PKI realm named default. This realm can only be modified but cannot be deleted.

    A PKI realm is valid only on the local device and unavailable to certificate authorities (CAs) or other devices. Each PKI realm has its own parameters.

  3. Run vpn-instance vpn-instance-name

    A PKI is added to a specified VPN.

    By default, a PKI does not belong to any VPN.

    The vpn-instance-name parameter is set by using the command.

Updated: 2019-08-07

Document ID: EDOC1100034077

Views: 134921

Downloads: 242

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next