
CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Preconfiguring a Local Certificate

Configuring a PKI Entity

Context

Local certificates are signed and issued by the CA. A local certificate binds a public key to the PKI entity information, which carries the identity of the entity. The CA identifies a certificate applicant based on the identity information the entity provides. Therefore, when applying for a local certificate, the PKI entity must send the CA a certificate enrollment request that carries the PKI entity information.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki entity entity-name

    A PKI entity is created and the PKI entity view is displayed; or the PKI entity view is displayed directly.

    By default, no PKI entity is configured.

    NOTE:

    Windows Server 2003 has low processing performance. When the device is connected to a Windows Server 2003 CA, do not configure too many PKI entities or use a key pair with a large modulus; otherwise, the device may fail to connect to the server.

  3. Run common-name common-name

    A common name is configured for the PKI entity.

    By default, no common name is configured for a PKI entity.

    To uniquely identify an applicant, you can run the following optional commands to configure an alias name for the PKI entity. If PKI entities share the same common name and no alias name is configured for them, each of them fails to apply for a certificate.

  4. (Optional) Run ip-address [ unstructed-address ] { ipv4-address | interface-type interface-number }

    An IP address is configured for the PKI entity.

    By default, no IP address is configured for a PKI entity.

    If the enrollment-request specific command is executed, the unstructed-address parameter can be specified for the PKI entity.

  5. (Optional) Run fqdn [ unstructed-name ] fqdn-name

    A fully qualified domain name (FQDN) is configured for the PKI entity.

    By default, no FQDN name is configured for a PKI entity.

    If the enrollment-request specific command is executed, the unstructed-name parameter can be specified for the PKI entity.

  6. (Optional) Run email email-address

    An email address is configured for the PKI entity.

    By default, no email address is configured for a PKI entity.

  7. (Optional) Run country country-code

    A country code is configured for the PKI entity.

    By default, no country code is configured for a PKI entity.

  8. (Optional) Run locality locality-name

    A geographic area is configured for the PKI entity.

    By default, no geographic area is configured for a PKI entity.

  9. (Optional) Run state state-name

    A state name or province name is configured for the PKI entity.

    By default, no state name or province name is configured for a PKI entity.

  10. (Optional) Run organization organization-name

    An organization name is configured for the PKI entity.

    By default, no organization name is configured for a PKI entity.

  11. (Optional) Run organization-unit organization-unit-name

    A department name is configured for the PKI entity.

    By default, no department name is configured for a PKI entity.

  12. (Optional) Run serial-number

    The serial number of a device is added to the PKI entity.

    By default, the serial number of a device is not added to the PKI entity.
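The entity attributes configured in steps 3 to 12 end up as the subject of the certificate request, and the note on step 3 warns that entities with the same common name and no alias collide. The following Python is an added example (not code from this guide or from the device) that models those attributes, renders the subject DN with RFC 4514 escaping so that a comma or plus sign in a name cannot inject an extra RDN, and reports entities whose subjects would be identical. The mapping of ip-address, fqdn and email to Subject Alternative Name entries, and the RDN order, are this example's assumptions, not something the guide states.

```python
"""Build the X.509 subject from PKI entity attributes and detect entities
whose subjects would collide (same common-name, no distinguishing alias).
Added example; the attribute-to-DN mapping is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Characters that RFC 4514 requires to be escaped inside a DN attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a value for use in a string-form DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class PkiEntity:
    """Mirrors the attributes set in the PKI entity view (steps 2 to 12)."""
    name: str                                   # entity-name
    common_name: str                            # common-name (mandatory)
    country: Optional[str] = None               # country country-code
    state: Optional[str] = None                 # state state-name
    locality: Optional[str] = None              # locality locality-name
    organization: Optional[str] = None          # organization
    organization_unit: Optional[str] = None     # organization-unit
    email: Optional[str] = None                 # email
    fqdn: Optional[str] = None                  # fqdn
    ip_address: Optional[str] = None            # ip-address
    serial_number: Optional[str] = None         # serial-number (device SN)
    unstructured_name: Optional[str] = None     # alias: fqdn unstructed-name
    unstructured_address: Optional[str] = None  # alias: ip-address unstructed-address


def subject_rdns(e: PkiEntity) -> List[Tuple[str, str]]:
    """Attribute/value pairs placed in the subject; the order is this
    example's choice, not the device's."""
    if e.country is not None and not (len(e.country) == 2 and e.country.isalpha()):
        raise ValueError(f"{e.name}: country must be a two-letter code")
    pairs = [
        ("C", e.country), ("ST", e.state), ("L", e.locality),
        ("O", e.organization), ("OU", e.organization_unit),
        ("CN", e.common_name), ("serialNumber", e.serial_number),
        ("unstructuredName", e.unstructured_name),
        ("unstructuredAddress", e.unstructured_address),
    ]
    return [(k, v) for k, v in pairs if v]


def subject_dn(e: PkiEntity) -> str:
    """String-form subject DN with every value escaped."""
    return ",".join(f"{k}={escape_rdn_value(v)}" for k, v in subject_rdns(e))


def subject_alt_names(e: PkiEntity) -> List[str]:
    """SAN entries (assumed mapping): fqdn -> DNS, ip-address -> IP, email -> email."""
    sans = []
    if e.fqdn:
        sans.append(f"DNS:{e.fqdn}")
    if e.ip_address:
        sans.append(f"IP:{e.ip_address}")
    if e.email:
        sans.append(f"email:{e.email}")
    return sans


def find_subject_collisions(entities: List[PkiEntity]) -> Dict[str, List[str]]:
    """Group entity names by subject DN. A group with more than one member
    shares a common-name with no distinguishing alias, so each of those
    entities would fail certificate enrollment."""
    by_dn: Dict[str, List[str]] = {}
    for e in entities:
        by_dn.setdefault(subject_dn(e), []).append(e.name)
    return {dn: names for dn, names in by_dn.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample entities, not from any real deployment.
    hq = PkiEntity(name="hq", common_name="Branch, East", country="CN",
                   organization="Example Co", fqdn="hq.example.test",
                   ip_address="10.1.1.1", email="admin@example.test")
    print(subject_dn(hq), subject_alt_names(hq))
    a = PkiEntity(name="a", common_name="router")
    b = PkiEntity(name="b", common_name="router")
    print("collisions:", find_subject_collisions([a, b]))
    b.unstructured_name = "router-b"
    print("after alias:", find_subject_collisions([a, b]))
```

Run the collision check over every entity you intend to enroll against one CA before issuing the enrollment requests; a non-empty result means an alias (fqdn unstructed-name or ip-address unstructed-address) is still missing.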

Configuring an RSA Key Pair

Context

Local certificates are signed and issued by the CA. A local certificate binds a public key to the PKI entity information. Therefore, before applying for a local certificate, you must configure an RSA key pair to generate the public and private keys. The PKI entity sends the public key to the CA, and the peer uses this key to encrypt plaintext. The PKI entity keeps the private key itself and uses it to create digital signatures and to decrypt ciphertext from the peer.

You can configure an RSA key pair using either of the following methods:

  • Create an RSA key pair.

    You can directly create a key pair on the device, removing the need to import the key pair to the device memory.

  • Import an RSA key pair.

    To use the key pair generated by another PKI entity, upload the key pair to the device through FTP or SFTP and then import it into the device memory. Otherwise, the key pair does not take effect on the device.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run the following commands as required.
    • Create an RSA key pair.

      Run pki rsa local-key-pair create key-name [ modulus modulus-size ] [ exportable ]

      An RSA key pair is created to apply for a local certificate.

    • Import an RSA key pair.

      Run pki import rsa-key-pair key-name { pem | pkcs12 } file-name [ exportable ] [ password password ]

      Or run pki import rsa-key-pair key-name der file-name [ exportable ]

      The specified RSA key pair and certificate in the specified file are imported into the device memory.

      NOTE:

      The imported RSA key pair can be exported only if the exportable parameter was specified in the command.

      Windows Server 2003 has low processing performance. When the device is connected to a Windows Server 2003 CA, do not configure too many PKI entities or use a key pair with a large modulus; otherwise, the device may fail to connect to the server.

Follow-up Procedure
  • To back up RSA key pairs or use RSA key pairs on other devices, run the pki export rsa-key-pair key-name [ and-certificate certificate-name ] { pem file-name [ 3des | aes | des ] | pkcs12 file-name } password password command to export the specified RSA key pair into the device memory. In addition to the RSA key pair, its associated certificate will also be exported. Subsequently, the RSA key pair can be obtained using FTP or SFTP.

  • When RSA key pairs are leaked, damaged, lost or not used, run the pki rsa local-key-pair destroy key-name command to destroy a specified RSA key pair.

    After this command is executed, the specified RSA key pair is deleted from the active device, and it is also deleted from the standby device.

  • To check the RSA key pair corresponding to a certificate, run the pki match-rsa-key certificate-filename file-name command to configure a device to search for the RSA key pair associated with a specific certificate.

Configuring a PKI Entity to Obtain a CA Certificate

Context

When applying for a local certificate, the PKI entity sends the certificate enrollment request to the CA. To improve transmission security, the PKI entity must use the CA's public key to encrypt the certificate enrollment message. Therefore, the PKI entity must have the CA's certificate and obtain the public key from the CA certificate.

NOTE:

The CA and local certificates have been set in the default domain when a device is delivered. To view the CA certificate information, run the display pki certificate ca realm default command.

Configuration Procedure

A PKI entity must download and then install a CA certificate.

Downloading a CA Certificate for a PKI Entity

Context

Several methods are available to download a CA certificate, depending on the service types provided by the CA:

  • Download the CA certificate from the CA server through SCEP into the device storage.

  • Download the CA certificate from the web server to the device storage through HTTP.

  • Download the CA certificate from the server where the certificate is stored to the device storage through LDAP.

  • Download the CA certificate from the CMPv2 server through CMPv2 into the device storage.

  • Obtain the CA certificate in an outbound way (web, disk, or email) and then upload it to the device storage.

If a PKI entity applies for a local certificate through CMPv2, the root certificate of the CA server is downloaded.

Procedure

  • Download a CA certificate through SCEP.

    For the configuration about downloading CA certificate through SCEP, see Applying for and Updating the Local Certificate Through SCEP.

  • Download a CA certificate through the Hypertext Transfer Protocol (HTTP).
    1. Run system-view

      The system view is displayed.

    2. Run pki http [ esc ] url-address save-name

      A CA certificate is downloaded through HTTP.

      url-address must include a complete certificate file name and file name extension, for example, http://10.1.1.1:8080/cert.cer. If url-address specifies a domain name, ensure that the domain name can be resolved.

  • Download a CA certificate through the Lightweight Directory Access Protocol (LDAP).
    1. Run system-view

      The system view is displayed.

    2. Run pki ldap ip ip-address port port version version [ attribute attr-value ] [ authentication ldap-dn ldap-password ] save-name dn dn-value

      A CA certificate is downloaded through LDAP.

  • Download a CA certificate through CMPv2.

    For the configuration about downloading CA certificate through CMPv2, see Applying for and Updating the Local Certificate Through CMPv2.

  • Download a CA certificate in an outbound way.

    After you obtain a CA certificate in an outbound way (web, disk, or email), manually upload it to the device storage. You can also download a CA certificate on the administrator's PC and then upload it to the device storage through FTP, SFTP, or the web system.

(Optional) Installing a CA Certificate for a PKI Entity

Context

A downloaded CA certificate must be imported into the device memory to take effect. The device records the imported certificate file in the ca_config.ini file in the default directory and automatically loads the certificate file after a restart.

NOTE:

To prevent a failure to install the CA certificate, ensure that the CA certificate file size does not exceed 1 MB.

When the SCEP is used, the device automatically installs the CA certificate, and you do not need to manually install the CA certificate.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki import-certificate { ca realm realm-name { der | pkcs12 | pem } [ filename filename ] [ replace ] [ no-check-validate ] [ no-check-hash-alg ] | realm realm-name pem terminal password password }

    Or run pki import-certificate ca realm realm-name pkcs12 filename filename [ no-check-validate ] [ no-check-hash-alg ] password password

    The CA certificate is imported into the device memory.

  3. (Optional) Run pki set-certificate expire-prewarning day

    The expiry prewarning time of the CA certificate in the device memory is configured.

    The default expiry prewarning time of the CA certificate in the device memory is 7 days.
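Before running pki import-certificate ca, an operator usually wants to know whether the downloaded file is within the 1 MB limit from the note above, whether it is PEM or DER, and how close its notAfter date is to the expire-prewarning window. The following Python is an added example, not code from this guide or from the device; it walks the DER Certificate structure directly to reach the Validity field, so it runs with the standard library only. It takes "1 MB" as 1,048,576 bytes (an assumption) and builds its own skeletal sample certificate, which carries a real validity period but no usable key or signature.

```python
"""Pre-import checks for a CA certificate file: size cap, PEM/DER detection and
the expiry pre-warning window. Added example with constructed sample data."""
import base64
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

MAX_CA_FILE_BYTES = 1024 * 1024   # the guide's "1 MB", taken as 1,048,576 bytes (assumption)
DEFAULT_PREWARNING_DAYS = 7       # default of pki set-certificate expire-prewarning

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


# --- minimal DER helpers: enough to walk Certificate -> tbsCertificate -> validity ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag: int, raw: bytes) -> datetime:
    s = raw.decode("ascii")
    if tag == 0x17:            # UTCTime YYMMDDHHMMSSZ; per RFC 5280, YY >= 50 means 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:          # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der: bytes) -> Tuple[datetime, datetime]:
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)
    tag, _, pos = _read_tlv(tbs, 0)        # [0] EXPLICIT version, or serialNumber if absent
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)    # serialNumber
    _, _, pos = _read_tlv(tbs, pos)        # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)        # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)   # Validity SEQUENCE { notBefore, notAfter }
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    return _parse_time(t1, nb), _parse_time(t2, na)


def to_der(data: bytes) -> Tuple[str, bytes]:
    """Detect PEM armor or a bare DER SEQUENCE; return (format, der_bytes)."""
    m = _PEM_RE.search(data)
    if m:
        return "pem", base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if data[:1] == b"\x30":
        return "der", data
    raise ValueError("neither PEM armor nor a DER SEQUENCE")


def check_ca_file(data: bytes, now: datetime,
                  prewarning_days: int = DEFAULT_PREWARNING_DAYS) -> Dict[str, object]:
    """What to know before pki import-certificate ca: size, format, validity, pre-warning."""
    result: Dict[str, object] = {"size_ok": len(data) <= MAX_CA_FILE_BYTES}
    if not result["size_ok"]:
        return result
    fmt, der = to_der(data)
    not_before, not_after = certificate_validity(der)
    days_left = (not_after - now).days
    result.update(format=fmt, not_after=not_after, valid_now=not_before <= now <= not_after,
                  days_left=days_left, expiry_warning=days_left <= prewarning_days)
    return result


# --- constructed sample: skeletal certificate built with the same TLV helpers ---
def make_sample_cert_der(not_before: datetime, not_after: datetime) -> bytes:
    """Empty Name/SPKI fields and a dummy signature; only the validity is meaningful."""
    utc = lambda dt: _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))      # version v3
                     + _tlv(0x02, b"\x01")                 # serialNumber 1
                     + sha256_rsa                          # signature algorithm
                     + _tlv(0x30, b"")                     # issuer (empty Name)
                     + _tlv(0x30, utc(not_before) + utc(not_after))  # validity
                     + _tlv(0x30, b"")                     # subject (empty Name)
                     + _tlv(0x30, b""))                    # subjectPublicKeyInfo placeholder
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))


def to_pem(der: bytes) -> bytes:
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    sample = to_pem(make_sample_cert_der(now - timedelta(days=365), now + timedelta(days=5)))
    print(check_ca_file(sample, now))
```

On a real file, read it in binary mode and pass the bytes to check_ca_file with the current UTC time; an expiry_warning of True means the certificate would already be inside the device's pre-warning window at import time.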

Follow-up Procedure
  • To copy a CA certificate to another device, run the pki export-certificate ca realm realm-name { der | pem | pkcs12 } command. The CA certificate is exported to the device storage and can then be obtained through FTP or SFTP.

  • To copy the default built-in CA certificate to another device, run the pki export-certificate default ca filename filename command. The default built-in CA certificate is exported to the device storage and can then be obtained through FTP or SFTP.

  • If a CA certificate expires or is not in use, run the pki delete-certificate ca realm realm-name command to delete the CA certificate from the device memory.

Verifying the Local Certificate Preconfiguration

Prerequisites

A PKI entity, an RSA key pair, and a CA certificate have been configured.

Procedure

  • Run the display pki entity [ entity-name ] command to check PKI entity information.
  • Run the display pki rsa local-key-pair { pem | pkcs12 } filename [ password password ] command to check RSA key pair information.
  • Run the display pki rsa local-key-pair [ name key-name ] public [ temporary ] command to check RSA public key information.
  • Run the display pki realm [ realm-name ] command to check PKI realm information.
  • Run the display pki certificate ca realm realm-name command to check the loaded CA certificate.
  • Run the display pki credential-storage-path command to check the default path where a PKI certificate is stored.
  • Run the display pki ca-capability realm realm-name command to check the CA capabilities of a PKI domain.
Updated: 2019-05-20

Document ID: EDOC1100034236
