CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
A Local Certificate Failed to Be Obtained

Fault Symptom

  • The administrator applies for a local certificate in offline mode. However, the local certificate does not exist in the device storage. The possible causes are as follows:

    • The PKI entity configuration is incorrect.

    • The challenge password is incorrect or not configured.

    • The configuration about downloading the local certificate using HTTP or LDAP is incorrect.

  • The administrator applies for a local certificate using SCEP or CMPv2. However, the local certificate does not exist in the device storage. The possible causes are as follows:

    • No CA certificate exists in the PKI realm.

    • The PKI entity is incorrectly configured or not configured.

    • The trusted CA name is incorrect or not configured.

    • The URL of the certificate enrollment server is incorrect or not configured.

    • The RSA key pair is not configured.

    • The source interface for TCP connection is incorrect.

    • The digest method used for the signed certificate enrollment request is incorrect.

    • The challenge password is incorrect or not configured.

    • The reference value and secret value for the MAC are incorrect or not configured.

    • The certificate for identity verification is incorrectly configured.

Procedure

  • Obtain a local certificate manually.
    1. Check whether the PKI entity is correctly configured.

      To view the configuration of a PKI entity in a PKI realm, run the display pki entity command.

      Modify the incorrect configurations, such as country code. For details, see Configuring a PKI Entity.

    2. Check whether the challenge password is correct.

      Confirm that the CA server requires a challenge password, and ensure that the challenge password configured on the device is the same as that on the CA server. To set the challenge password, run the pki enroll-certificate command.

    3. Check whether the configuration for downloading the local certificate using HTTP or LDAP is correct.

      If the server address, port, or path is wrong, the issued certificate is never written to the device storage. Modify the configuration using the pki http or pki ldap command.

  • Obtain a local certificate using SCEP or CMPv2.
    1. Check whether the CA certificate has been imported to the device memory.

      To view the CA certificate in memory, run display pki certificate.

      If no CA certificate exists, obtain a CA certificate and run pki import-certificate to import the certificate to memory.

    2. Check whether the PKI entity is correctly configured.

      To view the configuration of a PKI entity in a PKI realm, run the display pki entity command.

      Modify the incorrect configurations, such as country code. For details, see Configuring a PKI Entity.

    3. Check whether the local certificate application configuration is correct in the PKI realm or CMP session.

      • PKI realm

        Run the display pki realm command in any view or the display this command in the PKI realm view.

        The following is a sample of local certificate application configuration:
        pki realm test
         ca id ca_server   //Specify the CA trusted by the PKI realm.
         enrollment-url http://10.13.14.15:8080/certsrv/mscep/mscep.dll   //Configure the URL of the certificate enrollment server.
         entity zzz   //Specify the PKI entity.
         rsa local-key-pair 8   //Specify the RSA key pair.
         password cipher %^%#\1HN-bn(k;^|O85OAtYF3(M4%^%#   //Configure the challenge password for SCEP certificate application, which must be the same as that on the CA server.
         source interface gigabitethernet 1/0/2   //Specify the source interface (a Layer 3 interface with an IP address assigned) for the TCP connection. By default, the source interface of a TCP connection is the egress interface.
         enrollment-request signature message-digest-method sha1   //Configure the digest algorithm used by the signed certificate enrollment request, which must be one the CA server accepts.

        Ensure that the configuration is correct. The digest method must be one that the CA server accepts: sha1 appears in the sample because that CA expects it, and where the CA server supports a SHA-2 digest, that should be configured instead. For details, see Applying for and Updating the Local Certificate Through SCEP.

      • CMP session

        Run the display this command in the CMP session view.

        The following is a sample of local certificate application configuration:
        pki cmp session cmp
         cmp-request ca-name "C=cn,ST=beijing,L=SD,O=BB,OU=BB,CN=BB"   //Configure the CA name. The field order in a CA name must be the same as that in the CA certificate.
         cmp-request authentication-cert local.cer   //Configure the identity authentication certificate in the CMPv2 request, which is used for certificate update or certificate application for another device.
         cmp-request entity user01   //Specify the PKI entity.
         cmp-request server url http://10.3.0.1:8080   //Configure the URL of the CMPv2 server.
         cmp-request rsa local-key-pair rsa regenerate   //Specify the RSA key pair.
         cmp-request message-authentication-code 1234 %^%#ZodFBGH[^BkU2(~>[NRBv|#b>se|@I7"'A,llG_B%^%#   //Configure the reference and secret values for the MAC, which must be the same as those on the CA server.

        Ensure that the configuration is correct. For details, see Applying for and Updating the Local Certificate Through CMPv2.
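        Two of the checks above can be made from an administrator's workstation that can reach the CA, before the device is asked to enroll again: for the PKI realm, which digest algorithms the SCEP CA actually advertises (so that enrollment-request signature message-digest-method is set to one the CA accepts) and whether the enrollment URL answers GetCACert with a certificate at all; for the CMP session, whether the configured cmp-request ca-name lists the same fields in the same order as the CA certificate subject. The following Python script is an added example and is not Huawei code or device output. It uses the SCEP GetCACaps and GetCACert operations defined in RFC 8894. Assumptions not taken from the page: the realm command accepts the keywords sha1, sha256 and sha512; the CA subject is pasted from openssl x509 -noout -subject; the GetCACaps response embedded in the script is constructed so that the script runs offline.

```python
"""Pre-flight checks for the PKI realm and CMP session parameters (added example).

Not Huawei code or device output.  Checks, from a workstation that can reach the CA:
  1. SCEP realm: which digest algorithms the CA advertises (GetCACaps) and
     whether GetCACert returns a certificate rather than an error page.
  2. CMP session: whether a configured cmp-request ca-name lists the same
     fields, in the same order, as the CA certificate subject.
Assumptions (not from the page): the enrollment URL is the one from the sample
realm; the realm command accepts the keywords sha1/sha256/sha512; the CA subject
is pasted from 'openssl x509 -noout -subject'.
"""
import sys
from urllib.parse import urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

ENROLLMENT_URL = "http://10.13.14.15:8080/certsrv/mscep/mscep.dll"  # from the sample realm

# GetCACaps keyword (RFC 8894) -> assumed realm keyword, strongest first.
DIGEST_PREFERENCE = [("SHA-512", "sha512"), ("SHA-256", "sha256"), ("SHA-1", "sha1")]

# Constructed sample data so the checks can run offline.
SAMPLE_CACAPS = "POSTPKIOperation\r\nRenewal\r\nSHA-256\r\nSHA-1\r\n"
SAMPLE_CA_SUBJECT = "subject=C = cn, ST = beijing, L = SD, O = BB, OU = BB, CN = BB"
CONFIGURED_CA_NAME = "C=cn,ST=beijing,L=SD,O=BB,OU=BB,CN=BB"  # from the sample CMP session


def scep_url(enrollment_url, operation, message="ca"):
    """Build the SCEP GET request URL for one operation against the enrollment URL."""
    parts = urlsplit(enrollment_url)
    query = urlencode({"operation": operation, "message": message})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def parse_cacaps(body):
    """GetCACaps returns one capability keyword per line; keywords match case-insensitively."""
    return {line.strip().upper() for line in body.splitlines() if line.strip()}


def choose_digest(caps):
    """Realm keyword for the strongest digest the CA advertises.
    A CA that advertises no digest keyword is the legacy SHA-1-only case."""
    for advertised, keyword in DIGEST_PREFERENCE:
        if advertised in caps:
            return keyword
    return "sha1"


def cacert_content_type_ok(content_type):
    """GetCACert must return a CA certificate or a CA/RA chain, not e.g. an HTML error page."""
    mime = content_type.split(";")[0].strip().lower()
    return mime in {"application/x-x509-ca-cert", "application/x-x509-ca-ra-cert"}


def parse_dn(text):
    """Split 'C=cn,ST=beijing,...' or openssl's 'subject=C = cn, ST = beijing, ...'
    into an ordered list of (TYPE, value).  Escaped commas inside values are not handled."""
    text = text.strip()
    if text.lower().startswith("subject="):
        text = text[len("subject="):]
    rdns = []
    for part in text.split(","):
        if part.strip():
            attr, _, value = part.partition("=")
            rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def compare_ca_name(configured, ca_subject):
    """'match', 'order-mismatch' (same fields in a different order) or 'mismatch'."""
    conf, cert = parse_dn(configured), parse_dn(ca_subject)
    if conf == cert:
        return "match"
    if sorted(conf) == sorted(cert):
        return "order-mismatch"
    return "mismatch"


def ca_name_from_subject(ca_subject):
    """The ca-name string to configure, in the certificate's own field order."""
    return ",".join(f"{attr}={value}" for attr, value in parse_dn(ca_subject))


def live_scep_preflight(enrollment_url, timeout=5):
    """Queries the CA over the network.  Returns (digest_keyword, cacert_ok)."""
    with urlopen(scep_url(enrollment_url, "GetCACaps"), timeout=timeout) as resp:
        caps = parse_cacaps(resp.read().decode("ascii", "replace"))
    with urlopen(scep_url(enrollment_url, "GetCACert"), timeout=timeout) as resp:
        ok = cacert_content_type_ok(resp.headers.get("Content-Type", ""))
    return choose_digest(caps), ok


if __name__ == "__main__":
    # Offline run on the constructed samples; pass an enrollment URL to query a real CA.
    print("digest to configure:", choose_digest(parse_cacaps(SAMPLE_CACAPS)))
    print("ca-name check:", compare_ca_name(CONFIGURED_CA_NAME, SAMPLE_CA_SUBJECT))
    print("ca-name from subject:", ca_name_from_subject(SAMPLE_CA_SUBJECT))
    if len(sys.argv) > 1:
        print("live SCEP pre-flight:", live_scep_preflight(sys.argv[1]))
```

        Run without arguments to see the checks on the constructed samples; pass the realm's enrollment URL as the first argument to query the real CA. If GetCACert comes back as text/html, the URL or port is wrong or the server is not a SCEP endpoint; if compare_ca_name reports order-mismatch, reconfigure cmp-request ca-name with the string ca_name_from_subject returns. Whether the device compares the CA name literally is not stated on this page; the check only enforces what the page does say, namely the same fields in the same order as the CA certificate.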

Updated: 2019-05-20

Document ID: EDOC1100034077