NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring CMP-based Certificate Management

Configuring CMP-based certificate management involves creating RSA key pairs, configuring entity information, configuring CMP sessions, and obtaining certificates.

Usage Scenario

Two devices need to obtain each other's identity information during an IPSec negotiation. The NE20E can use either a pre-shared key or certificate for identity authentication. If you use certificates for device identity authentication, configure the devices to obtain certificates before they perform an IPSec negotiation.

The NE20E can obtain certificates either using CMP or in outband mode. CMP is recommended to obtain and manage certificates on a CMP-capable network that has many devices deployed.

Pre-configuration Tasks

Before configuring CMP-based certificate management, complete the following tasks:

  • Complete basic configurations for a CA server so that the CA server can automatically issue certificates.

  • Ensure that each device has a predefined certificate.

Configuration Procedures

Figure 13-2 Configuring CMP-based certificate management

Creating an RSA Key Pair

Before applying for certificates, create RSA key pairs.

Usage Scenario

Generating a key pair is a prerequisite for applying for a certificate. The key pair consists of a private key and a public key. The private key is kept by the user, and the public key and other information are delivered to the CA. Then, the CA generates a certificate and signs it with the public key. If the private key is disclosed, the user must delete the old key pair, create a new key pair, and reapply for a certificate.

RSA is a public key encryption algorithm named after its three inventors: Ron Rivest, Adi Shamir, and Len Adleman. RSA key pairs are categorized into host key pairs and server key pairs. Each key pair is composed of a private key and a public key. These two key pairs are used by SSH. The server key pair is periodically changed by the local server, while the host key pair remains unchanged. The host key pair is used when you apply for a certificate.

NOTE:
  • If an unnamed RSA key pair exists on a device, a newly created key pair overwrites the old one. If multiple RSA key pairs exist or a named RSA key pair exists on a device, delete the existing RSA key pairs before creating or renaming RSA key pairs.
  • After the key pair is deleted or replaced, the existing certificate becomes invalid. You need to apply for a new certificate so that the RSA key pair and certificate match.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run rsa pki local-key-pair [ key-name ] create

    The local key pair is created.

  3. Run commit

    The configuration is committed.

Configuring Entity Information

When applying for certificates, an entity must add entity information to a certificate request file and send the file to the CA. The CA uses this information to describe the entity and identifies the entity by a unique Distinguished Name (DN).

Context

The local certificate associates user identity information with the user public key, while the identity information must be associated with a specific PKI entity. The CA identifies the certificate applicant based on the identity information that the entity provides. The entity information includes:

  • Common name of the entity
  • Country code of the entity
  • Email address of the entity
  • Fully Qualified Domain Name (FQDN) of the entity
  • IP address of the entity
  • Name of the region where the entity resides
  • Organization name of the entity
  • Department name of the entity
  • State or province of the entity
NOTE:
In the entity information, the common name of the entity is mandatory. Whether to configure other attributes depends on the certificate issuing policy on the CA server. If the attributes used to filter certificates do not match the certificate issuing policy, certificate application will fail.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki entity entity-name

    An entity name is created and the entity view is displayed.

  3. Configure entity attributes.

    • Run common-name cn-name

      The common name of the entity is configured.

    • (Optional) Run country country-code

      The country code of the entity is specified.

    • (Optional) Run email email-address

      The email address of the entity is configured.

    • (Optional) Run fqdn fqdn-name

      The FQDN of the entity is configured.

    • (Optional) Run ip-address ip-address

      The IP address of the entity is configured.

    • (Optional) Run locality locality-name

      The name of the locality where the entity resides is specified.

    • (Optional) Run organization organization-name

      The organization name of the entity is specified.

    • (Optional) Run organization-unit org-unit

      The department name of the entity is configured.

    • (Optional) Run state state-province-name

      The state or province of the entity is configured.

  4. Run commit

    The configuration is committed.

Configuring CMP Sessions

To configure a CMP session, specify an RSA key pair, a CA server name, and PKI entity information used to obtain a certificate using CMP.

Context

If you run the authentication-method rsa-sig command to use certificates for identity authentication, configure a mode for obtaining certificates.

If CMP is used to obtain and manage certificates, the NE20E and CA server establish a CMP session to exchange the information required for generating certificates. Before the CMP session is established, ensure that the NE20E has the following information:

  • PKI entity
  • RSA key pair
  • Name of the CA server with which the NE20E establishes the CMP session
  • Certificate for authenticating the identity of the NE20E
  • URL of the CMP server that receives CMP requests

Each digital certificate has a validity period. To ensure service availability, apply for a new certificate before the existing certificate expires. However, manual operation may leave certain certificates not updated. The NE20E supports automatic certificate update: it initiates a certificate update request to the connected CMPv2 server when the remaining validity period of the certificate falls to a specified percentage. The obtained certificate overwrites the certificate on the CF card, the certificate in the memory, and the certificate used during an IKE negotiation.

Perform the following steps on the NE20E that needs to use CMP to obtain a certificate:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki domain domain-name

    A PKI domain is created, and the PKI domain view is displayed.

  3. Run pki cmp session session-name

    A CMP session is created, and the CMP session view is displayed.

  4. Run cmp request entity entity-name

    A PKI entity is specified to initiate a CMP request.

  5. Run cmp request rsa local-key-pair key-name [ regenerate [ key-bit ] ]

    A local RSA key pair is specified to initiate a CMP request.

    An RSA key pair can be referenced by only one CMP session or PKI domain.

  6. Run cmp request ca-name ca-name

    A CA server is specified by its name to receive CMP requests.

  7. Run cmp request authentication-cert cert-name

    A certificate for device identity authentication is specified to initiate a CMP request.

  8. Run cmp request server url url-string

    A CMP server at a URL is specified to receive CMP requests.

  9. (Optional) Run cmp source interface interface-type interface-number

    The source interface of CMPv2 packets is configured. To be specific, the IP address of the configured source interface is used as the source IP address of the CMPv2 packets sent from the device to the CMPv2 server.

  10. Run commit

    The configuration is committed.

Configuring CMP-based Certificate Application

The CMP-based certificate application process uses initialization requests (IRs) and key update requests (KURs). These CMP requests are used to complete certificate application and management.

Context

The NE20E supports IRs and KURs (also called certificate update requests).
  • IR: When the NE20E does not obtain a certificate authorized by a carrier, the NE20E needs to send an IR to request an identity authentication certificate.
  • KUR: Each certificate has a validity period with definite start and end dates. Two devices check whether each other's certificate has expired during an IKE negotiation. The IKE negotiation fails if either device's certificate expires. Therefore, the NE20E needs to update its certificate before the certificate expires. The NE20E supports automatic certificate update.

Certificates obtained by using IRs are saved in the CF card but do not take effect. These certificates take effect only after they are imported to the memory using the pki import-certificate command. Certificates obtained by using KURs can be automatically saved to the memory if the KUR function is enabled.

Perform the following steps on the NE20E that needs to apply for certificates:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki domain domain-name

    The PKI domain view is displayed.

  3. Run pki cmp initial-request

    The NE20E is configured to send an IR.

  4. (Optional) Stop the process of polling a CMP request.

    If the NE20E does not receive any response from the connected CA server after sending a CMP request, the NE20E polls the CMP request. You can perform this step to stop the CMP request polling process.

    1. Run pki cmp session session-name

      The CMP session view is displayed.

    2. Run cmp poll-request stop

      The process of polling a CMP request is stopped.

    3. Run quit

      The PKI domain view is displayed.

  5. Run quit

    The system view is displayed.

  6. Run pki import-certificate { ca | local } filename file-name

    The CA certificate and local certificate obtained through the manual update are imported to the memory.

  7. Run pki cmp session session-name

    The CMP session view is displayed.

  8. Run cmp request authentication-cert cert-name

    A certificate for identity authentication in a CMPv2 request is configured.

  9. Run quit

    The system view is displayed.

  10. Run pki import-certificate ca filename file-name

    The NE20E is configured to import CA certificates to the memory.

  11. (Optional) Enable the automatic certificate update function.
    1. Run pki domain domain-name

      The PKI domain view is displayed.

    2. Run pki cmp session session-name

      The CMP session view is displayed.

    3. Run certificate auto-update enable

      Automatic certificate update is enabled.

    4. (Optional) Run certificate update expire-time percent-num

      The percentage of the certificate's remaining validity period is configured.

  12. Run commit

    The configuration is committed.
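The four procedures above (creating the RSA key pair, configuring the entity, configuring the CMP session, and applying for and importing the certificate) are run on the same device in sequence. The following consolidated session is an added example, not from the Huawei guide: every name in it (the key pair cmpkey, entity ne20e-entity, domain cmp-domain, session cmp-session, CA name ca1, the predefined certificate file, the CMP server URL, the loopback interface, and the 80 percent update threshold) is a constructed placeholder, and the view prompts are illustrative. The file names after the IR follow the DomainName_ir.cer and DomainName_caX.cer naming described in step 13.

```text
# Added example, not from the original guide. All names and values are placeholders.
<HUAWEI> system-view
# 1. Create a named RSA key pair (one key pair may be referenced by only one CMP session or PKI domain).
[~HUAWEI] rsa pki local-key-pair cmpkey create
[*HUAWEI] commit
# 2. Configure the PKI entity; only common-name is mandatory, the rest depends on the CA issuing policy.
[~HUAWEI] pki entity ne20e-entity
[*HUAWEI-pki-entity-ne20e-entity] common-name ne20e-site1
[*HUAWEI-pki-entity-ne20e-entity] country CN
[*HUAWEI-pki-entity-ne20e-entity] organization example-org
[*HUAWEI-pki-entity-ne20e-entity] organization-unit network
[*HUAWEI-pki-entity-ne20e-entity] fqdn ne20e-site1.example.com
[*HUAWEI-pki-entity-ne20e-entity] commit
[~HUAWEI-pki-entity-ne20e-entity] quit
# 3. Create the PKI domain and the CMP session, then bind entity, key pair, CA, predefined certificate and server URL.
[~HUAWEI] pki domain cmp-domain
[*HUAWEI-pki-domain-cmp-domain] pki cmp session cmp-session
[*HUAWEI-pki-cmp-session-cmp-session] cmp request entity ne20e-entity
[*HUAWEI-pki-cmp-session-cmp-session] cmp request rsa local-key-pair cmpkey
[*HUAWEI-pki-cmp-session-cmp-session] cmp request ca-name ca1
[*HUAWEI-pki-cmp-session-cmp-session] cmp request authentication-cert predefined.cer
[*HUAWEI-pki-cmp-session-cmp-session] cmp request server url http://cmp-server.example.com/pkix/
[*HUAWEI-pki-cmp-session-cmp-session] cmp source interface loopback 0
[*HUAWEI-pki-cmp-session-cmp-session] commit
[~HUAWEI-pki-cmp-session-cmp-session] quit
# 4. Send the initialization request (IR); the answer is written to the CF card but is not yet active.
[~HUAWEI-pki-domain-cmp-domain] pki cmp initial-request
[~HUAWEI-pki-domain-cmp-domain] quit
# 5. Import the obtained local and CA certificates into memory so that IKE can use them.
[~HUAWEI] pki import-certificate local filename cmp-domain_ir.cer
[~HUAWEI] pki import-certificate ca filename cmp-domain_ca0.cer
# 6. From now on, authenticate CMPv2 requests with the newly issued certificate instead of the predefined one.
[~HUAWEI] pki domain cmp-domain
[~HUAWEI-pki-domain-cmp-domain] pki cmp session cmp-session
[*HUAWEI-pki-cmp-session-cmp-session] cmp request authentication-cert cmp-domain_ir.cer
# 7. Let the device send a KUR itself when 80 percent of the validity period has elapsed (placeholder value).
[*HUAWEI-pki-cmp-session-cmp-session] certificate auto-update enable
[*HUAWEI-pki-cmp-session-cmp-session] certificate update expire-time 80
[*HUAWEI-pki-cmp-session-cmp-session] commit
[~HUAWEI-pki-cmp-session-cmp-session] return
# 8. Verify: the key pair exists, the local certificate uses it, and both certificates are in memory.
<HUAWEI> display rsa pki local-key-pair public
<HUAWEI> display pki match-rsa-key certificate-filename cmp-domain_ir.cer
<HUAWEI> display pki ca_list
<HUAWEI> display pki cert_list
```

The order matters for two reasons stated in the guide: the key pair must exist before the CMP session references it, and the certificate obtained by the IR only takes effect after pki import-certificate, so the authentication-cert switch in step 6 and the auto-update in step 7 are configured after the import. When rotating the key pair later, the existing certificate becomes invalid and the IR and import steps must be repeated.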

  13. Check the configuration.

    If the IR succeeded, the CF card contains DomainName_ir.cer and one or more DomainName_caX.cer files, for example DomainName_ca0.cer, DomainName_ca1.cer, and DomainName_ca2.cer.

Verifying the Configuration of CMP-based Certificate Management

After configuring CMP-based certificate management, check the configurations.

Prerequisites

CMP-based certificate management has been configured.

Procedure

  1. Run the display rsa pki local-key-pair public command to check RSA key pairs.
  2. Run the display pki match-rsa-key certificate-filename file-name command to check the RSA key pair used by a specific certificate.
  3. Run the display pki cert-req filename file-name command to check the certificate request file with a specific name.
  4. Run the display pki certificate filename file-name command to check the certificate file with a specific name.
  5. Run the display pki crl filename file-name command to check the CRL file with a specific name.
  6. Run the display pki ca_list command to check the CA certificates and CRL in the memory of a device.
  7. Run the display pki cert_list command to check local certificates in the memory of a device.

Example

Run the display rsa pki local-key-pair public command to view RSA key pairs.

<HUAWEI> display rsa pki local-key-pair public
======================================================                          
 Time of the key pair created:14:59:36 2013/3/12.                               
 Key Name:test                                                                  
 Key Index:0                                                                    
 Key Modules:2048 bit                                                           
 Key Type :RSA signature key                                                    
======================================================                          
 Key code                                                                       
03820109                                                                        
  02820100                                                                      
    DCCC6305 0ABC63E3 ABD27CEA 77F19D8E 92A91F72                                
    4C99AB74 DAA84C66 51C644E9 344E033D 6919E487                                
    9E148CEB 94802A22 EF7BD338 9A7D1EC0 A6DFF9D3                                
    2EDD5444 836E2131 39BBDDC2 5A372DA1 78C5DC55                                
    CCEDE7AD A8F57255 999BEB43 A8D06E6E 2040DD41                                
    E7ED0075 5345F57F 447F15E7 2ED2CAE5 05DCF264                                
    E930F64E E6618510 DB893883 D3CC5379 41F38465                                
    0DFFB97C F06CAA4C C52EAE91 13EB6AAE 4B29B851                                
    E3C1811C 1812139B C2000757 35CDEAA8 E57804B0                                
    5AE100D1 9FD34D73 898FB570 EAAE15B5 74C7F437                                
    B32B54E6 B65BB4CC 0C610278 7F0CD545 6DB04102                                
    257D63E1 D31DA7C4 D153F605 ED0F2C31 DBA1C91C                                
    F347FE0A E4986589 7BC435EA D2E5F099                                         
  0203                                                                          
    010001                                                                      
                                                        

Run the display pki match-rsa-key certificate-filename file-name command to view the RSA key pair used by a certificate.

<HUAWEI> display pki match-rsa-key certificate-filename ocsp.cer
Info:The name of the key used in certificate file ocsp.cer is test.  

Run the display pki certificate filename file-name command to view certificate request file areq.req.

<HUAWEI> display pki certificate filename areq.req
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=tou,O=33,L=fd,C=CC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c4:7e:71:fb:42:21:9f:e1:34:2c:a2:bc:61:24:
                    a3:03:a1:ea:d6:cf:c9:75:d8:02:e0:7a:cf:a1:b1:
                    f7:b4:b7:f1:15:15:20:47:6c:28:7d:23:46:eb:ca:
                    0c:bd:fa:0b:16:65:50:55:0c:6c:a9:7d:87:64:5c:
                    28:71:ab:7c:08:ad:e8:26:18:84:b3:d9:fe:45:d7:
                    84:8c:2a:26:e4:8a:91:72:2e:59:ca:09:79:5d:39:
                    ae:01:ce:33:09:09:3a:e0:04:e2:d0:60:a1:75:4e:
                    82:8b:cf:03:c6:ad:53:f1:c2:e7:92:d0:2b:57:8d:
                    0a:9b:73:88:59:87:5c:fe:3f:45:56:8a:98:ec:77:
                    2a:be:ea:b0:b0:ce:b6:14:9f:52:4d:cb:00:e7:f2:
                    0e:13:38:82:fa:c1:21:54:0b:59:22:c7:bc:cd:b2:
                    f7:b3:f5:2b:21:28:19:e5:ea:4f:20:52:6f:87:06:
                    eb:f1:87:7d:95:0f:75:4a:d4:6e:48:ff:7e:a2:a0:
                    92:b5:ff:47:57:af:61:cd:c1:e2:95:3d:e3:97:e9:
                    da:ed:a1:47:14:bf:0c:5c:ab:7e:0a:58:0b:29:0e:
                    49:ca:27:9f:80:c1:46:d1:39:d9:0b:e2:e6:8e:bb:
                    cd:eb:75:9e:30:02:59:d2:1f:f5:87:a4:80:8a:dc:
                    4c:09
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        3f:91:7f:f6:36:a0:fb:f8:28:64:10:2c:cb:52:c6:ee:d1:ba:
        54:2f:13:ff:a7:dc:4d:61:bd:33:65:1d:31:f1:97:7c:36:64:
        c6:57:3b:5d:50:c4:21:7e:e1:78:93:df:54:fe:69:78:98:c5:
        35:6c:42:27:76:e0:c0:0f:b7:22:69:a4:e1:ad:ac:b4:e1:97:
        aa:0a:56:c9:f4:67:ff:a8:76:d8:bc:23:23:57:ff:aa:cf:24:
        8b:c2:05:b7:de:5e:e3:25:ec:f2:ac:f1:25:a5:dc:87:1f:6b:
        87:e5:9b:d8:69:63:a2:80:78:79:b4:9f:fa:d0:25:11:47:d8:
        5d:fc:dd:71:67:53:e9:2c:6e:28:86:2e:60:40:81:2a:58:08:
        63:11:79:10:83:74:4f:3b:81:42:46:4b:a1:8d:af:2a:20:83:
        d1:b4:66:8f:50:a2:9a:f7:c3:14:b8:12:5f:dc:ba:3e:5e:40:
        f1:0d:d9:f7:5a:46:29:b4:38:24:eb:6c:a8:aa:96:d3:c5:3c:
        10:0e:7e:04:0f:08:e9:81:fc:21:a6:b4:50:14:08:07:68:13:
        8a:04:da:d8:11:31:e4:40:74:c2:f9:6f:a9:6a:cf:cc:0d:52:
        75:09:d3:1b:fe:ab:e0:82:42:12:09:1e:29:bb:ae:53:73:e2:
        dc:df:a2:2f

Run the display pki certificate filename local.cer command to view local certificate file local.cer and run the display pki certificate filename ca.cer command to view CA certificate file ca.cer.

<HUAWEI> display pki certificate filename local.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:09:e4:f5:00:00:00:00:00:f5
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=pki1,DC=ipsec
        Validity
            Not Before: Jul 29 08:24:49 2011 GMT
            Not After : Jul 29 08:34:49 2012 GMT
        Subject: CN=tou,O=33,L=fd,C=CC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c4:7e:71:fb:42:21:9f:e1:34:2c:a2:bc:61:24:
                    a3:03:a1:ea:d6:cf:c9:75:d8:02:e0:7a:cf:a1:b1:
                    f7:b4:b7:f1:15:15:20:47:6c:28:7d:23:46:eb:ca:
                    0c:bd:fa:0b:16:65:50:55:0c:6c:a9:7d:87:64:5c:
                    28:71:ab:7c:08:ad:e8:26:18:84:b3:d9:fe:45:d7:
                    84:8c:2a:26:e4:8a:91:72:2e:59:ca:09:79:5d:39:
                    ae:01:ce:33:09:09:3a:e0:04:e2:d0:60:a1:75:4e:
                    82:8b:cf:03:c6:ad:53:f1:c2:e7:92:d0:2b:57:8d:
                    0a:9b:73:88:59:87:5c:fe:3f:45:56:8a:98:ec:77:
                    2a:be:ea:b0:b0:ce:b6:14:9f:52:4d:cb:00:e7:f2:
                    0e:13:38:82:fa:c1:21:54:0b:59:22:c7:bc:cd:b2:
                    f7:b3:f5:2b:21:28:19:e5:ea:4f:20:52:6f:87:06:
                    eb:f1:87:7d:95:0f:75:4a:d4:6e:48:ff:7e:a2:a0:
                    92:b5:ff:47:57:af:61:cd:c1:e2:95:3d:e3:97:e9:
                    da:ed:a1:47:14:bf:0c:5c:ab:7e:0a:58:0b:29:0e:
                    49:ca:27:9f:80:c1:46:d1:39:d9:0b:e2:e6:8e:bb:
                    cd:eb:75:9e:30:02:59:d2:1f:f5:87:a4:80:8a:dc:
                    4c:09
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                50:72:F9:97:88:83:CE:6E:AB:25:39:56:DD:B7:C2:05:E1:78:4C:FC
            X509v3 Authority Key Identifier:
                keyid:41:6C:9D:69:8F:A3:2F:34:46:20:F5:4C:35:2B:CB:D8:CF:C0:73:FF

            X509v3 CRL Distribution Points:
                URI:http://pki-1/CertEnroll/pki1.crl
                URI:file://\\pki-1\CertEnroll\pki1.crl

            Authority Information Access:
                CA Issuers - URI:http://pki-1/CertEnroll/pki-1_pki1.crt
                CA Issuers - URI:file://\\pki-1\CertEnroll\pki-1_pki1.crt

    Signature Algorithm: sha1WithRSAEncryption
        99:3e:bf:8c:b7:fb:54:6c:c3:a8:b8:2e:26:6b:7f:67:f7:e5:
        67:1c:a7:20:a7:ce:77:c7:9b:38:16:17:28:94:55:b6:db:54:
        1c:38:c8:c1:6e:70:81:9b:fa:4c:f9:b0:52:fe:18:72:d8:63:
        aa:6e:ec:75:87:c2:d0:6a:b8:93:0a:5f:bf:29:6b:71:b5:a2:
        70:bf:c0:ca:b4:12:83:09:c3:34:54:97:84:de:ee:a0:ea:24:
        50:f1:e8:d6:73:4f:07:d8:58:7c:c1:c6:52:9b:ca:2a:be:2e:
        ca:d3:05:76:d2:00:f0:bd:8e:c6:aa:99:05:0f:60:14:ee:0d:
        f6:7e:95:23:ae:63:9b:e4:e3:a0:6a:3f:a2:4f:cf:9f:48:42:
        54:fd:80:95:73:fd:c8:49:37:36:c1:a8:5c:65:81:af:4b:07:
        32:6d:bb:b8:43:41:86:83:49:0b:1f:6e:4f:56:ab:06:a9:42:
        f8:6e:5e:18:c5:94:45:39:b4:0b:b5:20:42:41:ac:a6:f5:b2:
        ca:1d:f9:d3:ca:ac:d5:a3:4d:2b:0f:27:3f:db:8a:9f:46:3b:
        86:38:72:08:63:aa:2c:c1:86:d6:13:08:5a:84:f0:91:2d:bf:
        85:74:c4:6b:67:19:4a:55:8a:3d:37:27:93:75:11:4d:4b:a6:
        3f:76:ca:04
<HUAWEI> display pki certificate filename ca.cer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:e9:dc:41:0d:58:96:95:4d:d1:24:18:e7:7a:67:1f
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=pki1,DC=ipsec
        Validity
            Not Before: Jun  3 10:17:40 2011 GMT
            Not After : Jun  3 10:26:31 2021 GMT
        Subject: CN=pki1,DC=ipsec
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c9:4b:de:14:25:17:04:25:6b:63:21:2f:1c:ae:
                    53:d3:72:15:90:58:58:52:e2:40:83:6f:ed:f7:39:
                    83:e9:e5:04:fd:78:24:83:54:8c:7f:6d:ad:02:32:
                    69:5e:b0:2d:4a:1d:e5:da:8e:22:c2:81:e3:13:a7:
                    d7:42:9b:ca:2e:d9:68:be:7a:02:bb:78:39:75:e3:
                    11:e8:d5:95:09:f8:b5:4f:2c:8e:b4:f9:81:ba:d5:
                    2b:7b:9e:ba:90:f4:f4:84:c0:00:9b:4d:4e:6c:a9:
                    40:54:d2:78:d8:bb:9e:57:63:3a:21:17:eb:4e:74:
                    62:a8:94:b0:e2:81:a4:16:96:ed:91:e1:da:3f:93:
                    94:f8:ba:69:d5:3c:fe:55:ab:eb:5a:28:07:b2:98:
                    5a:32:6c:1b:12:21:b7:f6:10:a2:83:b6:88:af:97:
                    05:da:34:3e:e0:53:be:55:12:a8:a1:0d:4d:b7:de:
                    35:b8:51:3b:ec:7f:13:63:c4:76:fe:79:68:1c:74:
                    c7:30:8f:b1:88:88:dd:5b:4a:20:f2:dd:26:ea:b9:
                    34:98:2d:13:ff:8a:c4:67:bf:c7:a9:20:21:fa:41:
                    2b:ab:aa:6d:f8:ba:d2:e8:ba:39:78:bf:b4:8d:6e:
                    d8:c0:68:ac:bc:cb:48:aa:92:b2:a4:4e:e5:91:31:
                    03:45
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                41:6C:9D:69:8F:A3:2F:34:46:20:F5:4C:35:2B:CB:D8:CF:C0:73:FF
            X509v3 CRL Distribution Points:
                URI:http://pki-1/CertEnroll/pki1.crl
                URI:file://\\pki-1\CertEnroll\pki1.crl

            1.3.6.1.4.1.311.21.1:
                ...
    Signature Algorithm: sha1WithRSAEncryption
        50:f5:3b:38:ac:cb:43:c8:a6:c0:3b:b4:a4:6d:d0:87:8f:5e:
        6f:b6:f3:be:5b:0c:5a:06:8b:2c:fa:cd:b4:02:f6:2d:7c:56:
        88:88:4f:a7:a1:08:da:e0:69:f8:c6:c6:a6:8b:e9:53:4c:0e:
        74:55:23:19:dc:23:1f:b2:cc:47:87:04:fc:25:c4:fa:b9:1e:
        2f:0c:38:82:af:a7:75:5c:4a:42:8e:7c:eb:ca:36:ef:0b:84:
        fc:55:cb:8f:8b:85:cd:31:cf:c3:cd:10:7b:d8:76:40:1a:d5:
        3a:75:86:21:0b:f5:97:23:63:8f:09:32:78:18:db:71:32:2d:
        03:b9:20:77:a5:dd:e2:0a:39:9a:9f:10:57:56:24:23:44:c8:
        9f:e4:33:24:48:df:73:c7:48:2a:89:43:4c:86:32:c2:c3:17:
        e0:03:4a:e3:32:5b:a9:95:7b:0b:52:a4:72:bf:3c:ad:ee:cb:
        84:f1:c1:c4:9f:70:e5:23:75:d2:74:af:af:2e:17:c8:c7:f1:
        38:fa:86:58:1e:36:44:76:27:d6:73:2f:15:7c:af:75:a9:aa:
        d9:cf:6c:5c:ac:83:0c:45:61:66:6b:be:5b:fa:98:7b:19:92:
        93:90:c7:ae:81:d1:31:de:f6:3c:5d:be:ca:ce:67:0a:c3:23:
        da:ce:f0:1a

Run the display pki crl filename file-name command to view CRL file acrl.crl.

<HUAWEI> display pki crl filename acrl.crl
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=root4
        Last Update: May  5 08:45:59 2011 GMT
        Next Update: May 12 21:05:59 2011 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:3D:34:09:72:33:07:8F:5E:75:13:12:72:88:0F:71:02:CA:35:61:41

            1.3.6.1.4.1.311.21.1:
                ...
            X509v3 CRL Number:
                4
            1.3.6.1.4.1.311.21.4:
110512085559Z   .
            2.5.29.46:
                0X0V.T.R.&http://win2003-4/CertEnroll/root4+.crl.(file://\\win2003-4\CertEnroll\root4+.crl
            1.3.6.1.4.1.311.21.14:
                0..0...........ldap:///CN=root4,CN=win2003-4,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption
        99:19:e3:2e:8c:24:14:e1:bb:d1:c6:32:e8:54:8d:1c:e4:08:
        dc:0d:b1:3d:ca:5f:64:03:df:bc:8d:2f:fb:12:c9:ce:b2:e8:
        e6:9b:ac:b0:9e:52:4c:1f:3d:c1:23:d7:cc:b5:50:fc:9b:16:
        ab:a3:d9:06:c1:cf:4f:68:8b:aa:aa:82:ab:06:ab:c9:18:64:
        0c:29:a0:7c:e4:d2:89:55:f9:c8:b8:53:f5:fe:1a:81:e8:cd:
        4c:fd:a8:a4:4c:3d:f2:3e:74:f4:71:d1:a9:c4:ed:38:a0:bb:
        5c:90:a4:71:50:72:7b:f5:4b:68:af:68:b7:b0:8d:7d:f5:24:
        6d:77

Run the display pki ca_list command to view the CA certificates and CRL in the memory.

<HUAWEI> display pki ca_list
The x509 object  type is certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:e9:dc:41:0d:58:96:95:4d:d1:24:18:e7:7a:67:1f
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=pki1,DC=ipsec
        Validity
            Not Before: Jun  3 10:17:40 2011 GMT
            Not After : Jun  3 10:26:31 2021 GMT
        Subject: CN=pki1,DC=ipsec
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c9:4b:de:14:25:17:04:25:6b:63:21:2f:1c:ae:
                    53:d3:72:15:90:58:58:52:e2:40:83:6f:ed:f7:39:
                    83:e9:e5:04:fd:78:24:83:54:8c:7f:6d:ad:02:32:
                    69:5e:b0:2d:4a:1d:e5:da:8e:22:c2:81:e3:13:a7:
                    d7:42:9b:ca:2e:d9:68:be:7a:02:bb:78:39:75:e3:
                    11:e8:d5:95:09:f8:b5:4f:2c:8e:b4:f9:81:ba:d5:
                    2b:7b:9e:ba:90:f4:f4:84:c0:00:9b:4d:4e:6c:a9:
                    40:54:d2:78:d8:bb:9e:57:63:3a:21:17:eb:4e:74:
                    62:a8:94:b0:e2:81:a4:16:96:ed:91:e1:da:3f:93:
                    94:f8:ba:69:d5:3c:fe:55:ab:eb:5a:28:07:b2:98:
                    5a:32:6c:1b:12:21:b7:f6:10:a2:83:b6:88:af:97:
                    05:da:34:3e:e0:53:be:55:12:a8:a1:0d:4d:b7:de:
                    35:b8:51:3b:ec:7f:13:63:c4:76:fe:79:68:1c:74:
                    c7:30:8f:b1:88:88:dd:5b:4a:20:f2:dd:26:ea:b9:
                    34:98:2d:13:ff:8a:c4:67:bf:c7:a9:20:21:fa:41:
                    2b:ab:aa:6d:f8:ba:d2:e8:ba:39:78:bf:b4:8d:6e:
                    d8:c0:68:ac:bc:cb:48:aa:92:b2:a4:4e:e5:91:31:
                    03:45
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                41:6C:9D:69:8F:A3:2F:34:46:20:F5:4C:35:2B:CB:D8:CF:C0:73:FF
            X509v3 CRL Distribution Points:
                URI:http://pki-1/CertEnroll/pki1.crl
                URI:file://\\pki-1\CertEnroll\pki1.crl

            1.3.6.1.4.1.311.21.1:
                ...
    Signature Algorithm: sha1WithRSAEncryption
        50:f5:3b:38:ac:cb:43:c8:a6:c0:3b:b4:a4:6d:d0:87:8f:5e:
        6f:b6:f3:be:5b:0c:5a:06:8b:2c:fa:cd:b4:02:f6:2d:7c:56:
        88:88:4f:a7:a1:08:da:e0:69:f8:c6:c6:a6:8b:e9:53:4c:0e:
        74:55:23:19:dc:23:1f:b2:cc:47:87:04:fc:25:c4:fa:b9:1e:
        2f:0c:38:82:af:a7:75:5c:4a:42:8e:7c:eb:ca:36:ef:0b:84:
        fc:55:cb:8f:8b:85:cd:31:cf:c3:cd:10:7b:d8:76:40:1a:d5:
        3a:75:86:21:0b:f5:97:23:63:8f:09:32:78:18:db:71:32:2d:
        03:b9:20:77:a5:dd:e2:0a:39:9a:9f:10:57:56:24:23:44:c8:
        9f:e4:33:24:48:df:73:c7:48:2a:89:43:4c:86:32:c2:c3:17:
        e0:03:4a:e3:32:5b:a9:95:7b:0b:52:a4:72:bf:3c:ad:ee:cb:
        84:f1:c1:c4:9f:70:e5:23:75:d2:74:af:af:2e:17:c8:c7:f1:
        38:fa:86:58:1e:36:44:76:27:d6:73:2f:15:7c:af:75:a9:aa:
        d9:cf:6c:5c:ac:83:0c:45:61:66:6b:be:5b:fa:98:7b:19:92:
        93:90:c7:ae:81:d1:31:de:f6:3c:5d:be:ca:ce:67:0a:c3:23:
        da:ce:f0:1a

Run the display pki cert_list command to view local certificates in the memory.

<HUAWEI> display pki cert_list
The  x509_obj type is Cert:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:09:e4:f5:00:00:00:00:00:f5
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=pki1,DC=ipsec
        Validity
            Not Before: Jul 29 08:24:49 2011 GMT
            Not After : Jul 29 08:34:49 2012 GMT
        Subject: CN=tou,O=33,L=fd,C=CC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c4:7e:71:fb:42:21:9f:e1:34:2c:a2:bc:61:24:
                    a3:03:a1:ea:d6:cf:c9:75:d8:02:e0:7a:cf:a1:b1:
                    f7:b4:b7:f1:15:15:20:47:6c:28:7d:23:46:eb:ca:
                    0c:bd:fa:0b:16:65:50:55:0c:6c:a9:7d:87:64:5c:
                    28:71:ab:7c:08:ad:e8:26:18:84:b3:d9:fe:45:d7:
                    84:8c:2a:26:e4:8a:91:72:2e:59:ca:09:79:5d:39:
                    ae:01:ce:33:09:09:3a:e0:04:e2:d0:60:a1:75:4e:
                    82:8b:cf:03:c6:ad:53:f1:c2:e7:92:d0:2b:57:8d:
                    0a:9b:73:88:59:87:5c:fe:3f:45:56:8a:98:ec:77:
                    2a:be:ea:b0:b0:ce:b6:14:9f:52:4d:cb:00:e7:f2:
                    0e:13:38:82:fa:c1:21:54:0b:59:22:c7:bc:cd:b2:
                    f7:b3:f5:2b:21:28:19:e5:ea:4f:20:52:6f:87:06:
                    eb:f1:87:7d:95:0f:75:4a:d4:6e:48:ff:7e:a2:a0:
                    92:b5:ff:47:57:af:61:cd:c1:e2:95:3d:e3:97:e9:
                    da:ed:a1:47:14:bf:0c:5c:ab:7e:0a:58:0b:29:0e:
                    49:ca:27:9f:80:c1:46:d1:39:d9:0b:e2:e6:8e:bb:
                    cd:eb:75:9e:30:02:59:d2:1f:f5:87:a4:80:8a:dc:
                    4c:09
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                50:72:F9:97:88:83:CE:6E:AB:25:39:56:DD:B7:C2:05:E1:78:4C:FC
            X509v3 Authority Key Identifier:
                keyid:41:6C:9D:69:8F:A3:2F:34:46:20:F5:4C:35:2B:CB:D8:CF:C0:73:FF

            X509v3 CRL Distribution Points:
                URI:http://pki-1/CertEnroll/pki1.crl
                URI:file://\\pki-1\CertEnroll\pki1.crl

            Authority Information Access:
                CA Issuers - URI:http://pki-1/CertEnroll/pki-1_pki1.crt
                CA Issuers - URI:file://\\pki-1\CertEnroll\pki-1_pki1.crt

    Signature Algorithm: sha1WithRSAEncryption
        99:3e:bf:8c:b7:fb:54:6c:c3:a8:b8:2e:26:6b:7f:67:f7:e5:
        67:1c:a7:20:a7:ce:77:c7:9b:38:16:17:28:94:55:b6:db:54:
        1c:38:c8:c1:6e:70:81:9b:fa:4c:f9:b0:52:fe:18:72:d8:63:
        aa:6e:ec:75:87:c2:d0:6a:b8:93:0a:5f:bf:29:6b:71:b5:a2:
        70:bf:c0:ca:b4:12:83:09:c3:34:54:97:84:de:ee:a0:ea:24:
        50:f1:e8:d6:73:4f:07:d8:58:7c:c1:c6:52:9b:ca:2a:be:2e:
        ca:d3:05:76:d2:00:f0:bd:8e:c6:aa:99:05:0f:60:14:ee:0d:
        f6:7e:95:23:ae:63:9b:e4:e3:a0:6a:3f:a2:4f:cf:9f:48:42:
        54:fd:80:95:73:fd:c8:49:37:36:c1:a8:5c:65:81:af:4b:07:
        32:6d:bb:b8:43:41:86:83:49:0b:1f:6e:4f:56:ab:06:a9:42:
        f8:6e:5e:18:c5:94:45:39:b4:0b:b5:20:42:41:ac:a6:f5:b2:
        ca:1d:f9:d3:ca:ac:d5:a3:4d:2b:0f:27:3f:db:8a:9f:46:3b:
        86:38:72:08:63:aa:2c:c1:86:d6:13:08:5a:84:f0:91:2d:bf:
        85:74:c4:6b:67:19:4a:55:8a:3d:37:27:93:75:11:4d:4b:a6:
        3f:76:ca:04

Updated: 2019-01-02

Document ID: EDOC1100055397