
CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Applying for and Updating Local Certificate

Context

NOTE:

The CA and local certificates have been set in the default domain when a device is delivered. To view the local certificate information, run the display pki certificate local realm default command.

Prerequisites

The task Preconfiguring a Local Certificate has been completed.

Configuration Procedure

Select one of the following methods to apply for and update a local certificate.

Applying for and Updating the Local Certificate Through SCEP

Context

Two methods are available to apply for the local certificate for a PKI entity through the Simple Certificate Enrollment Protocol (SCEP):

  • Automatic local certificate application and update

    If the configuration required for local certificate application has been performed and the device has no local certificate, the device automatically applies for the local certificate through SCEP. Alternatively, if the local certificate will expire soon, has expired, or reaches the specified percentage of validity period, the device automatically applies for and updates the local certificate through SCEP.

  • Manual local certificate application

    If the configuration required for local certificate application has been performed and the device has no local certificate, the device is manually triggered to apply for the local certificate through SCEP. If the local certificate will expire soon, has expired, or reaches the specified percentage of validity period, the device does not automatically apply for and update the local certificate through SCEP.

When you use either of the two methods to apply for the local certificate, the device obtains the CA certificate, saves it to the device storage and automatically imports it to the device memory. Then the device uses the public key in the CA certificate to encrypt its local certificate enrollment request and sends it to CA to apply for a local certificate. Finally the device saves the local certificate to the device storage and imports it to the device memory automatically.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki file-format { der | pem }

    The file format in which the device stores the certificate is configured.

    By default, the device stores the certificate into a PEM file.

  3. Run pki realm realm-name

    A PKI realm is created and the PKI realm view is displayed; or the PKI realm view is displayed directly.

    By default, the device has a PKI realm named default. This realm can only be modified but cannot be deleted.

    A PKI realm is valid only on the local device and unavailable to certificate authorities (CAs) or other devices. Each PKI realm has its own parameters.

  4. Run ca id ca-name

    A trusted CA is configured for the PKI realm.

    By default, no trusted CA is configured for a PKI realm.

    ca-name specifies the name of a CA server.

  5. Run entity entity-name

    A PKI entity that applies for a local certificate is specified.

    By default, no PKI entity that applies for a local certificate is specified.

    The PKI entity specified by entity-name must have been created using the pki entity command.

  6. Run rsa local-key-pair key-name

    The RSA key pair used in SCEP-based certificate application is configured.

    By default, the RSA key pair used in SCEP-based certificate application is not configured.

    The RSA key pair specified by key-name must have been created using the pki rsa local-key-pair create command.

  7. (Optional) Run key-usage { ike | ssl-client | ssl-server } *

    The certificate public key usage attribute is configured.

    By default, no certificate public key usage attribute is configured.

  8. (Optional) Run source interface interface-type interface-number

    The source interface used in TCP connection setup is specified.

    By default, the source interface used in a TCP connection is an egress interface.

    The source interface must be a Layer 3 interface with an IP address configured.

  9. (Optional) Run enrollment self-signed

    Self-signed certificate obtaining is configured for the PKI realm.

    By default, the certificate in a PKI realm, except the default PKI realm, is obtained in SCEP mode.

    The default certificate obtaining for the PKI realm default is self-signed.

    To implement default HTTPS functions or allow users to access the network temporarily, run this command.

  10. (Optional) Run enrollment-request specific

    The device is configured to use a certificate request packet of a specific format to apply for a certificate from the CA server.

    By default, the device uses a certificate request packet of the standard format to apply for a certificate from the CA server.

  11. (Optional) Run extension-request enterprise

    The extended attribute in the certificate enrollment request carries the object ID defined by Verisign.

    By default, the extended attribute in the certificate enrollment request carries the object ID defined by PKCS#9.

    To insert the object ID defined by Verisign into the local certificate extended attribute, run this command.

  12. Run enrollment-url [ esc ] url [ interval minutes ] [ times count ] [ ra ]

    A CA server URL is configured.

    By default, the CA server URL is not configured.

    Pay attention to the following points:

    • If the esc parameter is not specified in the command, the URL format is http://server_location/ca_script_location.

      server_location supports the IP address format or domain name format. ca_script_location is the path where CA server host's application script is located. For example, when the Windows server functions as the CA server, the URL format is http://host:port/certsrv/mscep/mscep.dll. host is the CA server's IP address, and port is the CA server's port number. If the CA server's IP address is 10.137.145.158 and port number is 8080, the URL is http://10.137.145.158:8080/certsrv/mscep/mscep.dll.

    • If the esc parameter is specified, a URL that contains a question mark (?) can be entered in ASCII format.

      The esc parameter allows a question mark, which cannot be typed directly, to be entered as its hexadecimal ASCII value in \x3f format, in which 3f is the ASCII code of the question mark (?). For example, to enter http://abc.com?page1, type http://abc.com\x3fpage1. If the URL itself contains both a question mark and the literal string \x3f (http://www.abc.com?page1\x3f), the literal \x3f must be written as \\x3f, giving http://www.abc.com\x3fpage1\\x3f.

    • If certificate requests are manually processed on the CA server, it may take a long period of time to issue a certificate. The PKI entity applying for a certificate needs to periodically send queries to obtain the issued certificate in time. To adjust the certificate enrollment query interval and maximum number of queries, configure the interval and times parameters.

    • If the ra parameter is specified, an RA authenticates a PKI entity's identity information during local certificate application. By default, a CA authenticates a PKI entity's identity information during local certificate application.

  13. Run enrollment-request signature message-digest-method { md5 | sha1 | sha-256 | sha-384 | sha-512 }

    The digest algorithm used to sign certificate enrollment requests is configured.

    By default, the digest algorithm used to sign certificate enrollment requests is sha-256.

    The SHA-2 algorithms (sha-256, sha-384, and sha-512) are more secure than md5 and sha1 and are therefore recommended.

    The digest algorithm used on a PKI entity must be the same as that used on the CA server.

  14. Run password cipher password

    The challenge password used in SCEP certificate application is configured. The challenge password is also called certificate revocation password.

    By default, the challenge password used in SCEP certificate application is not configured.

    The challenge password used on a PKI entity must be the same as that configured on the CA server. If the CA server does not require a challenge password, this challenge password does not need to be configured.

  15. Run fingerprint { md5 | sha1 | sha256 } fingerprint

    The CA certificate fingerprint used in CA certificate authentication is configured.

    By default, the CA certificate fingerprint used in CA certificate authentication is not configured.

    The fingerprint needs to be obtained offline from a CA server. For example, when Windows Server 2008 functions as the CA server, access the web page address http://host:port/certsrv/mscep_admin/ to obtain the CA certificate fingerprint. In the web page address, host specifies the CA server's IP address, and port specifies the CA server's port number.

  16. Configure the local certificate application and update mode.

    • Configure automatic application and update of local certificate.

      Run auto-enroll [ percent ] [ regenerate [ key-bit ] ] [ updated-effective ]

      The automatic certificate application and update function is enabled.

      By default, the automatic certificate application and update function is disabled.

    • Configure manual local certificate application.

      1. Run quit

        Return to the system view.

      2. Run pki enroll-certificate realm realm-name [ password password ]

        Manual certificate application is configured.

        If the password command is configured, the password parameter does not need to be specified. If both the password command and password parameter are configured, the password parameter setting takes effect.
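The esc rule in step 12 is easy to get wrong when the MSCEP URL carries a query string, because the device expects the question mark, and any literal \x3f already in the URL, to be escaped. The following helper, added here as an illustration and not part of the Huawei guide, encodes a URL into the form to type after enrollment-url esc and decodes it back so the two can be compared before the command is entered. The function names are my own; the behaviour for backslashes other than a literal \x3f is an assumption, since the guide only specifies those two cases.

```python
"""Encode and decode the 'esc' URL form used with enrollment-url [ esc ]."""

ESC_QMARK = "\\x3f"  # the sequence the command expects in place of "?"


def encode_esc_url(url: str) -> str:
    """Return the form of ``url`` to type after ``enrollment-url esc``.

    Rules taken from the two examples in the guide:
      * a literal "?" becomes "\\x3f"
      * a literal "\\x3f" already present in the URL becomes "\\\\x3f"
    Any other backslash is passed through unchanged (assumption: the guide
    does not describe other escape sequences).
    """
    out = []
    i = 0
    while i < len(url):
        if url.startswith(ESC_QMARK, i):
            # Protect a literal \x3f so the device does not turn it into "?"
            out.append("\\" + ESC_QMARK)
            i += len(ESC_QMARK)
        elif url[i] == "?":
            out.append(ESC_QMARK)
            i += 1
        else:
            out.append(url[i])
            i += 1
    return "".join(out)


def decode_esc_url(escaped: str) -> str:
    """Reverse of encode_esc_url: the URL the device will actually request."""
    out = []
    i = 0
    while i < len(escaped):
        if escaped.startswith("\\" + ESC_QMARK, i):
            out.append(ESC_QMARK)          # "\\x3f" -> literal "\x3f"
            i += len(ESC_QMARK) + 1
        elif escaped.startswith(ESC_QMARK, i):
            out.append("?")                # "\x3f" -> "?"
            i += len(ESC_QMARK)
        else:
            out.append(escaped[i])
            i += 1
    return "".join(out)


def needs_esc(url: str) -> bool:
    """True when the URL cannot be entered without the esc keyword."""
    return "?" in url


if __name__ == "__main__":
    # Constructed URLs; the IP address and mscep.dll path follow the guide.
    for u in ("http://10.137.145.158:8080/certsrv/mscep/mscep.dll",
              "http://abc.com?page1",
              "http://www.abc.com?page1\\x3f"):
        e = encode_esc_url(u)
        print(f"{u!r:45} esc={needs_esc(u)!s:5} type: {e}")
        assert decode_esc_url(e) == u
```

A URL without a question mark does not need esc at all; running the encoder on it returns it unchanged, which is a quick way to confirm that the plain form of the command is sufficient.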
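The fingerprint configured in step 15 is what stops a device from trusting whatever CA certificate SCEP happens to return: the value obtained out of band from the CA must match the digest of the DER-encoded certificate the device received. The script below, added as an example and not taken from the guide or from Huawei's implementation, shows that check as an operator would run it on a downloaded CA certificate file before typing the fingerprint command. The certificate body is a constructed placeholder (base64 of the bytes "abc", chosen so that the expected digests are the published test vectors), not a real certificate, and all function names are my own.

```python
"""Check a downloaded CA certificate against a fingerprint obtained out of band."""
import base64
import hashlib
import hmac

# Constructed stand-in for a CA certificate file.  A real PEM file carries the
# DER-encoded certificate in base64; here the body is base64("abc") so the
# expected digests are the well-known test vectors.  Not a real certificate.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Algorithm keywords accepted by the fingerprint command, mapped to hashlib names.
_ALGOS = {"md5": "md5", "sha1": "sha1", "sha256": "sha256"}


def pem_to_der(pem_text: str) -> bytes:
    """Extract and base64-decode the first CERTIFICATE block of a PEM file.

    The fingerprint is always taken over the DER bytes, so the same value
    results whether the file is stored as DER or PEM (pki file-format).
    """
    lines = pem_text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.strip() == "-----BEGIN CERTIFICATE-----")
        end = next(i for i, l in enumerate(lines) if l.strip() == "-----END CERTIFICATE-----")
    except StopIteration:
        raise ValueError("no CERTIFICATE block found") from None
    body = "".join(l.strip() for l in lines[start + 1:end])
    return base64.b64decode(body, validate=True)


def fingerprint_hex(der: bytes, algo: str) -> str:
    """Digest of the DER certificate as lower-case hex without separators."""
    if algo not in _ALGOS:
        raise ValueError(f"unsupported fingerprint algorithm: {algo}")
    return hashlib.new(_ALGOS[algo], der).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex, as CA web pages print it."""
    return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")


def verify_ca_fingerprint(pem_text: str, algo: str, expected: str) -> bool:
    """True only if the certificate matches the value obtained out of band.

    A False result means the CA certificate must not be configured as the
    realm's trust anchor: a wrong-length value indicates the wrong algorithm
    or a truncated copy, anything else a different certificate.
    """
    expected_hex = normalize_fingerprint(expected)
    actual_hex = fingerprint_hex(pem_to_der(pem_text), algo)
    if len(expected_hex) != len(actual_hex):
        return False
    # Constant-time comparison; harmless here but the right habit for digests.
    return hmac.compare_digest(expected_hex, actual_hex)


if __name__ == "__main__":
    for algo in _ALGOS:
        print(f"fingerprint {algo} {fingerprint_hex(pem_to_der(SAMPLE_CA_PEM), algo)}")
```

The printed lines are in the shape of step 15's command, so the sha256 value can be pasted straight into the realm once it has been compared with the value shown by the CA (for example on the mscep_admin page mentioned above).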

Applying for and Updating the Local Certificate Through CMPv2

Context

If the device can access a CA and the CA supports the Certificate Management Protocol version 2 (CMPv2), the device can apply for and update the local certificate through CMPv2.

CMPv2-based local certificate application applies to the following situations:

  • Initial local certificate application using an initialization request (IR)

    The device sends the CA an IR to apply for the local certificate for the first time. In this situation, the device shows its identity to the CMPv2 server in either of the following ways:

    • Message authentication code: The device and CMPv2 server share a pair of message authentication code reference values and secret values. When applying for the local certificate for the first time, the device adds this pair of reference values and secret values to a certificate request and sends the request to the CMPv2 server. The CMPv2 server validates the reference values and secret values to authenticate the device.
    • Signature: The device sends an IR to the CA to initiate a certificate request and uses the private key for the certificate issued by another CA for signature protection.
  • Local certificate application for another device using a certification request (CR)

    The device has the local certificate issued by the CA and needs to apply for an additional local certificate for another device. In this situation, the device uses the existing certificate for identity authentication.

CMPv2 supports two local certificate update modes:

  • Manual certificate update using a key update request (KUR)

    A KUR, also called a certificate update request, is used to update the device's existing certificate that has not expired and has not been revoked. During local certificate update, the device uses the existing certificate for identity authentication. The device can use either a new or the previous public key to update the local certificate.

    Applying for a local certificate using an IR is insecure. You are advised to update the local certificate and key pair using a KUR.

  • Automatic certificate update

    The device must apply for a new certificate before the existing certificate expires to prevent service interruptions. In manual certificate update mode, the update is easily forgotten. To avoid this problem, the device supports automatic certificate update. When the system detects that the automatic certificate update time has been reached, the system initiates a certificate update request to the CMPv2 server. The new certificate replaces the certificate file in the device storage and the certificate in the device memory without interrupting services.

    This method can be used to automatically update the local certificate obtained using an IR or updated using a KUR.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki file-format { der | pem }

    The file format in which the device stores the certificate is configured.

    By default, the device stores the certificate into a PEM file.

  3. Run pki realm realm-name

    A PKI realm is created and the PKI realm view is displayed; or the PKI realm view is displayed directly.

    By default, no PKI realm is created.

  4. Run quit

    Return to the system view.

  5. Run pki cmp session session-name

    A CMP session is created and the CMP session view is displayed; or the CMP session view is displayed directly.

    By default, no CMP session is created.

    A CMP session is valid only on the local device and is unavailable to the CA and other devices.

  6. Run cmp-request entity entity-name

    The PKI entity name used in CMPv2-based certificate application is configured for the device.

    By default, the PKI entity name used in CMPv2-based certificate application is not configured.

  7. Run cmp-request ca-name ca-name

    The CA name is configured for the CMP session.

    By default, no CA name is configured for a CMP session.

    The sequence of each field in the configured CA name must be the same as that in the CA certificate. Otherwise, the CMPv2 server considers the CA name incorrect.

  8. Run cmp-request server url [ esc ] url-addr

    The CMPv2 server URL is configured.

    By default, the CMPv2 server URL is not configured.

    url-addr can be an IP address or a domain name. If a domain name is used, the Domain Name System (DNS) must be correctly configured on the PKI entity so that it can resolve the domain name through the DNS server.

  9. Run cmp-request rsa local-key-pair key-name [ regenerate [ key-bit ] ]

    The RSA key pair used in CMPv2-based certificate application is configured.

    By default, the RSA key pair used in CMPv2-based certificate application is not configured.

    If the regenerate parameter is specified, the system generates a new RSA key pair to apply for a new certificate and uses the new certificate and RSA key pair to replace the previous ones during automatic certificate update. Otherwise, the system continues to use the previous RSA key pair during automatic certificate update.

  10. Run cmp-request realm realm-name

    The PKI realm used in CMPv2-based certificate application is configured.

    By default, the PKI realm used in CMPv2-based certificate application is not configured.

  11. (Optional) Run cmp-request verification-cert cert-file-name

    The certificate file used to validate the CA response signature is configured.

    By default, the certificate file used to validate the CA response signature is not configured.

    • If this command is configured and the CMPv2 server signs its certificate response, the device uses the certificate configured using this command to validate the server's response signature. The configured certificate is a CA certificate used to verify a CA's identity.
    • If this command is not configured and the CMPv2 server signs its certificate response, the device uses the certificates on the device and in the server's response to build a certificate chain and then validate the server's response signature. If the server uses the message authentication code to authenticate packets, the device uses the configured message authentication code to validate the server's response packet.

  12. Apply for the local certificate according to the actual situation.

    • Initial local certificate application using an IR

      1. Run cmp-request origin-authentication-method { message-authentication-code | signature }

        The authentication mode of CMPv2-based initial local certificate application is configured.

        By default, the authentication mode of CMPv2-based initial local certificate application is message authentication code.

        • message-authentication-code specifies the message authentication code mode. When this mode is selected, perform sub-step 2 (cmp-request message-authentication-code) below.

        • signature specifies the signature mode. When this mode is selected, perform sub-step 3 (cmp-request authentication-cert) below.

      2. Run cmp-request message-authentication-code reference-value secret-value

        The message authentication code's reference values and secret values are configured.

        By default, the message authentication code's reference values and secret values are not configured.

        The message authentication code's reference values and secret values need to be obtained from the CMPv2 server out of band.

      3. Run cmp-request authentication-cert cert-name

        The certificate carried in a CMPv2 request for identity authentication is configured.

        By default, the certificate carried in a CMPv2 request for identity authentication is not configured.

        This certificate is an additional certificate and must be issued by another trusted certificate authority.

      4. Run quit

        Return to the system view.

      5. Run pki cmp initial-request session session-name

        The device sends an IR to apply for the local certificate with the CMPv2 server according to the CMP session configuration for the first time.

        After this command is configured, the system first checks the CMP session configuration to determine whether it can apply for the local certificate. If the condition is not met, an error message is displayed. If the condition is met, the system initiates an initial certificate request according to the configuration. The obtained certificate is saved in a file to the device storage without being imported into the memory. If the server provides a CA certificate in a response, the CA certificate is also saved in a file.

    • Local certificate application for another device using a CR

      1. Run cmp-request authentication-cert cert-name

        The certificate carried in a CMPv2 request for identity authentication is configured.

        By default, the certificate carried in a CMPv2 request for identity authentication is not configured.

        This certificate is the local certificate that the CA has issued to the device.

      2. Run quit

        Return to the system view.

      3. Run pki cmp certificate-request session session-name

        The device sends a CR to apply for the local certificate with the CMPv2 server according to the CMP session configuration.

        After this command is configured, the system first checks the CMP session configuration to determine whether it can update the local certificate. If the condition is not met, an error message is displayed. If the condition is met, the system initiates a certificate update request according to the configuration. The obtained certificate is saved in a file to the device storage without being imported into the memory.

  13. Update the local certificate according to the actual situation.

    • Manual certificate update using a KUR

      1. Run pki cmp session session-name

        The CMP session view is displayed directly.

      2. Run cmp-request authentication-cert cert-name

        The certificate carried in a CMPv2 request for identity authentication is configured.

        By default, the certificate carried in a CMPv2 request for identity authentication is not configured.

        This certificate is the local certificate that the CA has issued to the device and needs to be replaced by a new local certificate.

      3. Run quit

        Return to the system view.

      4. Run pki cmp keyupdate-request session session-name

        The device sends the CMPv2 server a KUR to update the key according to the CMP session configuration.

        When the device requests to update the key with the CMPv2 server, it also applies for a new local certificate.

        After this command is configured, the system first checks the CMP session configuration to determine whether it can update the local certificate. If the condition is not met, an error message is displayed. If the condition is met, the system initiates a certificate update request according to the configuration. The obtained certificate is saved in a file to the device storage without being imported into the memory.

    • Automatic certificate update

      1. Run pki cmp session session-name

        The CMP session view is displayed directly.

      2. Run cmp-request authentication-cert cert-name

        The certificate carried in a CMPv2 request for identity authentication is configured.

        By default, the certificate carried in a CMPv2 request for identity authentication is not configured.

        This certificate is the local certificate that the CA has issued to the device and needs to be replaced by a new local certificate.

      3. Run certificate auto-update enable

        The CMPv2-based automatic certificate update function is enabled.

        By default, the CMPv2-based automatic certificate update function is disabled.

      4. Run certificate update expire-time valid-percent

        The time when the local certificate is updated automatically is configured. The value is expressed as the percentage of the certificate validity period.

        The default certificate update time is 50% of the certificate validity period.

        After this command is configured, the system initiates a certificate update request and determines whether to create a new RSA key pair according to the cmp-request rsa local-key-pair command configuration when finding that the automatic certificate update time reaches the value specified by valid-percent. After the new certificate is obtained, the system replaces the previous certificate and RSA key pair with the new ones.

      5. Run quit

        Return to the system view.

  14. (Optional) Run undo pki cmp poll-request session session-name

    The ongoing CMP poll request is cancelled.

    If the server cannot respond to the client within a specified period after the client initiates a certificate-related request, the server requires the client to send a poll request at an interval until it responds to the client. If the client does not want to wait, it can cancel the ongoing CMP poll request to cancel certificate application.
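Both automatic modes on this page express the renewal moment as a percentage of the validity period: auto-enroll [ percent ] for SCEP (step 16 of the SCEP procedure) and certificate update expire-time valid-percent for CMPv2 (step 13 above, default 50). The script below, added as an illustration and not code from the guide or from the device, turns a certificate's notBefore/notAfter pair and a percentage into the concrete date on which the device will start the update, and classifies a certificate as valid, due for update, or expired at a given time. Function names and the sample dates are constructed for the example; timestamps are ISO 8601 strings with an explicit UTC offset.

```python
"""Work out when percentage-based automatic certificate update fires."""
from datetime import datetime


def _parse(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp such as '2019-01-01T00:00:00+00:00'."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamps must carry a UTC offset")
    return dt


def renewal_point(not_before: str, not_after: str, valid_percent: int) -> str:
    """Return the ISO timestamp at which the update is triggered.

    valid_percent is the configured percentage of the validity period
    (auto-enroll [ percent ] for SCEP, certificate update expire-time
    valid-percent for CMPv2).  Integer arithmetic on timedeltas keeps the
    result exact to the microsecond.
    """
    if not 1 <= valid_percent <= 100:
        raise ValueError("valid_percent must be between 1 and 100")
    start, end = _parse(not_before), _parse(not_after)
    if end <= start:
        raise ValueError("notAfter must be later than notBefore")
    return (start + (end - start) * valid_percent // 100).isoformat()


def auto_update_status(not_before: str, not_after: str,
                       valid_percent: int, now: str) -> str:
    """Classify the certificate the way the guide describes the trigger:
    'expired' (past notAfter), 'update-due' (renewal point reached) or 'valid'.
    """
    current = _parse(now)
    if current >= _parse(not_after):
        return "expired"
    if current >= _parse(renewal_point(not_before, not_after, valid_percent)):
        return "update-due"
    return "valid"


def update_window_days(not_before: str, not_after: str, valid_percent: int) -> float:
    """Days left between the renewal point and expiry, the time available for
    the CA to issue the new certificate (including any manual approval and
    poll requests) before services are interrupted."""
    end = _parse(not_after)
    point = _parse(renewal_point(not_before, not_after, valid_percent))
    return (end - point).total_seconds() / 86400


if __name__ == "__main__":
    # Constructed one-year certificate for the demonstration.
    nb, na = "2019-01-01T00:00:00+00:00", "2020-01-01T00:00:00+00:00"
    for pct in (50, 60, 90):
        print(f"{pct:3d}% -> update at {renewal_point(nb, na, pct)}, "
              f"{update_window_days(nb, na, pct):.1f} days before expiry")
    print(auto_update_status(nb, na, 50, "2019-08-01T00:00:00+00:00"))
```

update_window_days is the number to look at when choosing the percentage: a high value leaves little time for a CA that processes requests manually (step 12's interval and times parameters exist for exactly that case), so the renewal point should sit well before the longest issuance delay you expect.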

Applying for the Local Certificate in Offline Mode

Context

If the CA server does not support SCEP or CMPv2, configure the device to apply for the local certificate in offline mode. Users generate a certificate request file on the device and then send the file to the CA out of band (web, disk, or email) to apply for the local certificate. After the certificate has been issued, users still need to download it from the server where it is stored and save it to the device storage.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki realm realm-name

    A PKI realm is created and the PKI realm view is displayed; or the PKI realm view is displayed directly.

    By default, the device has a PKI realm named default. This realm can only be modified but cannot be deleted.

    A PKI realm is valid only on the local device and unavailable to certificate authorities (CAs) or other devices. Each PKI realm has its own parameters.

  3. Run entity entity-name

    A PKI entity that applies for a local certificate is specified.

    By default, no PKI entity that applies for a local certificate is specified.

    The PKI entity specified by entity-name must have been created using the pki entity command.

  4. Run rsa local-key-pair key-name

    The RSA key pair used in offline mode certificate application is configured.

    By default, the RSA key pair used in offline mode certificate application is not configured.

  5. Run enrollment-request signature message-digest-method { md5 | sha1 | sha-256 | sha-384 | sha-512 }

    The digest algorithm used to sign certificate enrollment requests is configured.

    By default, the digest algorithm used to sign certificate enrollment requests is sha-256.

    The SHA-2 algorithms (sha-256, sha-384, and sha-512) are more secure than md5 and sha1 and are therefore recommended.

    The digest algorithm used on a PKI entity must be the same as that used on the CA server.

  6. (Optional) Run key-usage { ike | ssl-client | ssl-server } *

    The certificate public key usage attribute is configured.

    By default, no certificate public key usage attribute is configured.

  7. (Optional) Run enrollment-request specific

    The device is configured to use a certificate request packet of a specific format to apply for a certificate from the CA server.

    By default, the device uses a certificate request packet of the standard format to apply for a certificate from the CA server.

  8. (Optional) Run extension-request enterprise

    The extended attribute in the certificate enrollment request carries the object ID defined by Verisign.

    By default, the extended attribute in the certificate enrollment request carries the object ID defined by PKCS#9.

    To insert the object ID defined by Verisign into the local certificate extended attribute, run this command.

  9. Run quit

    Return to the system view.

  10. Run pki file-format { der | pem }

    The file format in which the device stores the certificate and certificate request is configured.

    By default, the device stores the certificate and certificate request into a PEM file.

  11. Run pki enroll-certificate realm realm-name pkcs10 [ filename filename ] [ password password ]

    The device is configured to save certificate application information into a file in PKCS#10 format.

    The challenge password used on a PKI entity must be the same as that configured on the CA server. If the CA server does not require a challenge password, this challenge password does not need to be configured.

  12. Send the certificate request file to the CA out of band (web, disk, or email) to apply for the local certificate.

Verifying the Local Certificate Application and Update Configuration

Prerequisites

The local certificate application and update configuration has been completed.

Procedure

  • Run the display pki realm [ realm-name ] command to check PKI realm information.
  • Run the display pki credential-storage-path command to check the default path where a PKI certificate is stored.
  • Run the display pki certificate enroll-status [ realm realm-name ] command to check the certificate enrollment status.
  • Run the display pki cert-req filename file-name command to check the certificate request file.
  • Run the display pki cmp statistics [ session session-name ] command to check CMP session statistics.
  • Run the display pki certificate { ca | local } realm realm-name command to check the loaded CA certificate and local certificate.
Updated: 2019-05-20

Document ID: EDOC1100034236