Configuring CMP-based Certificate Management
Configuring CMP-based certificate management involves creating RSA key pairs, configuring entity information, configuring CMP sessions, and obtaining certificates.
Usage Scenario
Two devices need to obtain each other's identity information during an IPSec negotiation. The NE20E can use either a pre-shared key or certificate for identity authentication. If you use certificates for device identity authentication, configure the devices to obtain certificates before they perform an IPSec negotiation.
The NE20E can obtain certificates either using CMP or in outband mode. CMP is recommended to obtain and manage certificates on a CMP-capable network that has many devices deployed.
Pre-configuration Tasks
Before configuring CMP-based certificate management, complete the following tasks:
Complete basic configurations for a CA server so that the CA server can automatically issue certificates.
Ensure that each device has a predefined certificate.
Configuration Procedures
- Creating an RSA Key Pair
Before applying for certificates, create RSA key pairs.
- Configuring Entity Information
When applying for certificates, an entity adds its entity information to a certificate request file and sends the file to the CA. The CA describes an entity by a set of attributes and identifies it by a unique Distinguished Name (DN).
- Configuring CMP Sessions
To configure a CMP session, specify an RSA key pair, a CA server name, and PKI entity information used to obtain a certificate using CMP.
- Configuring CMP-based Certificate Application
Two types of CMP requests are used in the CMP-based certificate application process: initialization requests (IRs) and key update requests (KURs). Together they cover certificate application and management.
- Verifying the Configuration of CMP-based Certificate Management
After configuring CMP-based certificate management, check the configurations.
Creating an RSA Key Pair
Before applying for certificates, create RSA key pairs.
Usage Scenario
Generating a key pair is a prerequisite for applying for a certificate. The key pair consists of a private key and a public key. The private key never leaves the device; the public key and the entity information are sent to the CA. The CA then generates a certificate that binds the two and signs it with the CA's own private key. If the device's private key is disclosed, delete the old key pair, create a new one, and apply for a new certificate.
RSA is named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman and is a public key algorithm. RSA key pairs are categorized into host key pairs and server key pairs. Each key pair is composed of a private key and a public key. Both key pairs are used by SSH. The server key pair is periodically changed by the local server, while the host key pair remains unchanged. The host key pair is the one used when you apply for a certificate.
- If an unnamed RSA key pair exists on a device, a newly created unnamed key pair overwrites it. If multiple RSA key pairs exist or a named RSA key pair exists on a device, delete the existing RSA key pairs before creating or renaming RSA key pairs.
- After the key pair is deleted or replaced, the existing certificate no longer matches the key and becomes invalid. Apply for a new certificate so that the RSA key pair and the certificate match again.
Configuring Entity Information
When applying for certificates, an entity adds its entity information to a certificate request file and sends the file to the CA. The CA describes an entity by a set of attributes and identifies it by a unique Distinguished Name (DN).
Context
A local certificate binds identity information to a public key, and that identity information comes from a specific PKI entity. The CA identifies the certificate applicant by the identity information that the entity provides. The entity information includes:
- Common name of the entity
- Country code of the entity
- Email address of the entity
- Fully Qualified Domain Name (FQDN) of the entity
- IP address of the entity
- Name of the region where the entity resides
- Organization name of the entity
- Department name of the entity
- State or province of the entity
Procedure
- Run system-view
The system view is displayed.
- Run pki entity entity-name
An entity name is created and the entity view is displayed.
- Configure entity attributes.
Run common-name cn-name
The common name of the entity is configured.
(Optional) Run country country-code
The country code of the entity is specified.
(Optional) Run email email-address
The email address of the entity is configured.
(Optional) Run fqdn fqdn-name
The FQDN of the entity is configured.
(Optional) Run ip-address ip-address
The IP address of the entity is configured.
(Optional) Run locality locality-name
The name of the locality where the entity resides is specified.
(Optional) Run organization organization-name
The organization name of the entity is specified.
(Optional) Run organization-unit org-unit
The department name of the entity is configured.
(Optional) Run state state-province-name
The state or province of the entity is configured.
- Run commit
The configuration is committed.
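The entity attributes configured above end up in the Subject DN of the certificate request, and the DN is what the CA uses to identify the applicant (the sample certificate later on this page carries CN=tou,O=33,L=fd,C=CC). The following is an added Python example, not code from the NE20E or from this manual: it assembles a Subject DN from the CLI attribute names with the escaping that RFC 4514 requires, so that a value containing a comma cannot inject a second attribute into the name, and checks that a common name is present and that the country code has the two-letter form X.520 expects. The order of the attributes after CN, and the exclusion of fqdn, ip-address and email from the DN (they normally belong in subjectAltName), are assumptions made for this example; the device, not this script, decides how it builds the request.

```python
"""Added example (not from the NE20E documentation): build the Subject DN
that a PKI entity's attributes produce, with RFC 4514 escaping."""

# CLI attribute -> X.500 attribute type. CN first and C last match the
# manual's sample subject; the relative order of the rest is an assumption.
_DN_ORDER = (
    ("common-name", "CN"),
    ("organization-unit", "OU"),
    ("organization", "O"),
    ("locality", "L"),
    ("state", "ST"),
    ("country", "C"),
)

# Characters RFC 4514 section 2.4 requires to be escaped anywhere in a value.
_SPECIAL = set('"+,;<>\\')


def escape_value(value):
    """Escape one attribute value so it cannot be read as more than one RDN."""
    if value == "":
        raise ValueError("empty attribute value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)        # leading '#'/space, trailing space
        else:
            out.append(ch)
    return "".join(out)


def build_subject_dn(entity):
    """entity: dict keyed by the CLI attribute names (common-name, country, ...)."""
    if not entity.get("common-name"):
        raise ValueError("common-name is mandatory")
    country = entity.get("country")
    if country is not None and not (len(country) == 2 and country.isalpha()):
        raise ValueError("country must be a two-letter code")
    rdns = [f"{attr}={escape_value(entity[key])}"
            for key, attr in _DN_ORDER if entity.get(key) is not None]
    return ",".join(rdns)


def split_rdns(dn):
    """Split a DN on unescaped commas; an escaped comma stays inside its RDN."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


if __name__ == "__main__":
    print(build_subject_dn({"common-name": "tou", "organization": "33",
                            "locality": "fd", "country": "CC"}))
    # A common name that tries to smuggle in an O= attribute stays one RDN.
    hostile = {"common-name": "ne20e-1,O=Carrier Core", "country": "CC"}
    print(build_subject_dn(hostile), split_rdns(build_subject_dn(hostile)))
```

The point of split_rdns is only to show the result of the escaping: the hostile common name still yields two RDNs (CN and C), not three. A CA that accepts requests from many devices should reject, rather than merely escape, values that contain RDN separators.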
Configuring CMP Sessions
To configure a CMP session, specify an RSA key pair, a CA server name, and PKI entity information used to obtain a certificate using CMP.
Context
If you run the authentication-method rsa-sig command to use certificates for identity authentication, configure a mode for obtaining certificates.
If CMP is used to obtain and manage certificates, the NE20E and the CA server establish a CMP session to exchange the information required for generating certificates. Before the CMP session is established, ensure that the NE20E has the following information:
- PKI entity
- RSA key pair
- Name of the CA server with which the NE20E establishes the CMP session
- Certificate for authenticating the identity of the NE20E
- URL of the CMP server that receives CMP requests
Each digital certificate has a validity period. To ensure service availability, apply for a new certificate before the existing certificate expires. Manual operation, however, may leave some certificates not updated. The NE20E therefore supports automatic certificate update: it sends a certificate update request to the connected CMPv2 server when the percentage of the certificate's remaining validity period reaches a specified value. The new certificate replaces the certificate on the CF card, the copy in memory, and the one used during IKE negotiation.
Perform the following steps on the NE20E that needs to use CMP to obtain a certificate:
Procedure
- Run system-view
The system view is displayed.
- Run pki domain domain-name
A PKI domain is created, and the PKI domain view is displayed.
- Run pki cmp session session-name
A CMP session is created, and the CMP session view is displayed.
- Run cmp request entity entity-name
A PKI entity is specified to initiate a CMP request.
- Run cmp request rsa local-key-pair key-name [ regenerate [ key-bit ] ]
A local RSA key pair is specified to initiate a CMP request.
An RSA key pair can be referenced by only one CMP session or PKI domain.
- Run cmp request ca-name ca-name
A CA server is specified by its name to receive CMP requests.
- Run cmp request authentication-cert cert-name
A certificate for device identity authentication is specified to initiate a CMP request.
- Run cmp request server url url-string
A CMP server at a URL is specified to receive CMP requests.
- (Optional) Run cmp source interface interface-type interface-number
The source interface of CMPv2 packets is configured. To be specific, the IP address of the configured source interface is used as the source IP address of the CMPv2 packets sent from the device to the CMPv2 server.
- Run commit
The configuration is committed.
Configuring CMP-based Certificate Application
Two types of CMP requests are used in the CMP-based certificate application process: initialization requests (IRs) and key update requests (KURs). Together they cover certificate application and management.
Context
- IR: When the NE20E does not yet hold a certificate issued by the carrier, it sends an IR to request an identity authentication certificate.
- KUR: Each certificate has a validity period with definite start and end dates. Two devices check whether each other's certificate has expired during an IKE negotiation, and the negotiation fails if either certificate has expired. The NE20E therefore needs to update its certificate before it expires. The NE20E supports automatic certificate update.
Certificates obtained using IRs are saved to the CF card but do not take effect until they are imported into memory using the pki import-certificate command. Certificates obtained using KURs are saved to memory automatically if the KUR function is enabled.
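The remaining-validity rule described above (the NE20E sends a KUR when the percentage of the certificate's remaining validity period reaches a configured value) can be checked by hand from the two Validity lines that display pki certificate prints, which is useful when deciding whether a device that missed its window should be renewed manually. The following is an added Python example, not code from the NE20E or from this manual: it parses those lines, computes the instant at which a given remaining-validity percentage is reached, and says whether a KUR is due at a given time. The sample text is constructed from the dates of local.cer shown later on this page, and the 20 percent threshold is an assumed value for the example, not a device default.

```python
"""Added example (not from the NE20E documentation): when does the
remaining-validity rule make a CMP key update request (KUR) due?
Standard library only; all times are UTC, as in the device output."""
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of `display pki certificate filename`.
# The dates are those of local.cer in the manual's verification example.
SAMPLE_DISPLAY = """\
Certificate:
Data:
Version: 3 (0x2)
Issuer: CN=pki1,DC=ipsec
Validity
Not Before: Jul 29 08:24:49 2011 GMT
Not After : Jul 29 08:34:49 2012 GMT
Subject: CN=tou,O=33,L=fd,C=CC
"""

_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def as_utc(value):
    """Accept a datetime or a 'YYYY-MM-DD HH:MM:SS' UTC string."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def _grab_time(display_text, label):
    """Find 'label : <time>' (any spacing around the colon) and parse it."""
    pattern = r"^\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$"
    match = re.search(pattern, display_text, re.MULTILINE)
    if match is None:
        raise ValueError(f"{label!r} not found in display output")
    # OpenSSL-style output pads single-digit days ("Jun  3"); normalise it.
    return datetime.strptime(" ".join(match.group(1).split()), _TIME_FMT)


def parse_validity(display_text):
    """Return (not_before, not_after) as naive UTC datetimes."""
    not_before = _grab_time(display_text, "Not Before")
    not_after = _grab_time(display_text, "Not After")
    if not_after <= not_before:
        raise ValueError("notAfter is not later than notBefore")
    return not_before, not_after


def remaining_fraction(not_before, not_after, now):
    """Share of the lifetime still left at `now`, clamped to 0.0 .. 1.0.
    Before notBefore this is 1.0; after notAfter (when IKE would already
    be failing) it is 0.0."""
    now = as_utc(now)
    lifetime = (not_after - not_before).total_seconds()
    left = (not_after - now).total_seconds()
    return max(0.0, min(1.0, left / lifetime))


def kur_due_at(not_before, not_after, threshold_pct):
    """Instant at which the remaining validity drops to threshold_pct.
    Integer seconds are used so the result is exact, not rounded."""
    if not 0 < threshold_pct < 100:
        raise ValueError("threshold must be a percentage strictly between 0 and 100")
    lifetime_s = int((not_after - not_before).total_seconds())
    return not_after - timedelta(seconds=lifetime_s * threshold_pct // 100)


def kur_due(display_text, threshold_pct, now):
    """True when a KUR should already have been sent at `now`."""
    not_before, not_after = parse_validity(display_text)
    return as_utc(now) >= kur_due_at(not_before, not_after, threshold_pct)


if __name__ == "__main__":
    nb, na = parse_validity(SAMPLE_DISPLAY)
    print("renew at", kur_due_at(nb, na, 20))
    print("due on 2012-06-01?", kur_due(SAMPLE_DISPLAY, 20, "2012-06-01 00:00:00"))
```

For the one-year sample certificate a 20 percent threshold means renewal about 73 days before expiry; pick the threshold so that the window comfortably covers CMP server outages and polling retries, because once notAfter passes the IKE negotiation fails and a KUR can no longer be authenticated with the expired certificate.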
Perform the following steps on the NE20E that needs to apply for certificates:
Procedure
- Run system-view
The system view is displayed.
- Run pki domain domain-name
The PKI domain view is displayed.
- Run pki cmp initial-request
The NE20E is configured to send an IR.
- (Optional) Stop the process of polling a CMP request.
If the NE20E does not receive any response from the connected CA server after sending a CMP request, the NE20E polls the CMP request. You can perform this step to stop the CMP request polling process.
- Run quit
The system view is displayed.
- Run pki import-certificate { ca | local } filename file-name
The CA certificate and local certificate obtained through the manual update are imported into memory.
- Run pki cmp session session-name
The CMP session view is displayed.
- Run cmp request authentication-cert cert-name
Configures a certificate for identity authentication in a CMPv2 request.
- Run quit
The system view is displayed.
- Run pki import-certificate ca filename file-name
The NE20E is configured to import CA certificates to the memory.
- (Optional) Enable the automatic certificate update function.
- Run commit
The configuration is committed.
- Check the configuration.
If the IR succeeded, the CF card contains DomainName_ir.cer and one or more CA certificate files named DomainName_caX.cer, for example DomainName_ca0.cer, DomainName_ca1.cer, and DomainName_ca2.cer.
Verifying the Configuration of CMP-based Certificate Management
After configuring CMP-based certificate management, check the configurations.
Procedure
- Run the display rsa pki local-key-pair public command to check RSA key pairs.
- Run the display pki match-rsa-key certificate-filename file-name command to check the RSA key pair used by a specific certificate.
- Run the display pki cert-req filename file-name command to check the certificate request file with a specific name.
- Run the display pki certificate filename file-name command to check the certificate file with a specific name.
- Run the display pki crl filename file-name command to check the CRL file with a specific name.
- Run the display pki ca_list command to check the CA certificates and CRL in the memory of a device.
- Run the display pki cert_list command to check local certificates in the memory of a device.
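The display pki match-rsa-key command answers the question "does this certificate belong to the key pair on the device". The same question arises between a request file and the certificate the CA returned for it (the keys must match), and between the certificates before and after a KUR with regenerate (the keys must differ). The following is an added Python example, not code from the NE20E or from this manual: it reads the text layout that display pki cert-req and display pki certificate print, compares the RSA public keys, and flags parameters a reviewer would question: a request or certificate signed with MD5 or SHA-1 (the sample request shown below in this section is signed with md5WithRSAEncryption), a short modulus, or an unusual public exponent. The sample texts are constructed; their 64-bit moduli are deliberately short so the example stays readable, whereas a real 2048-bit key prints 18 modulus lines.

```python
"""Added example (not from the NE20E documentation): compare and audit
RSA public keys from the text that `display pki cert-req filename` and
`display pki certificate filename` print. Standard library only."""
import re

# Constructed samples in the manual's output layout. The moduli are made
# up and only 64 bits long so the samples stay short.
SAMPLE_REQ = """\
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=tou,O=33,L=fd,C=CC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (64 bit)
Modulus (64 bit):
00:c4:7e:71:fb:42:21:9f:e1
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
3f:91:7f:f6:36:a0:fb:f8
"""

SAMPLE_CERT = """\
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:09:e4:f5:00:00:00:00:00:f5
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=pki1,DC=ipsec
Subject: CN=tou,O=33,L=fd,C=CC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (64 bit)
Modulus (64 bit):
00:c4:7e:71:fb:42:21:9f:e1
Exponent: 65537 (0x10001)
"""

SAMPLE_CA = """\
Certificate:
Data:
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=pki1,DC=ipsec
Subject: CN=pki1,DC=ipsec
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Modulus (64 bit):
00:c9:4b:de:14:25:17:04:25
Exponent: 65537 (0x10001)
"""

_HEX_LINE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2})*:?")
WEAK_HASHES = ("md2", "md5", "sha1")


def parse_public_key(text):
    """Return (modulus, exponent) as ints from an rsaEncryption key dump."""
    lines = [line.strip() for line in text.splitlines()]
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("Modulus"))
    except StopIteration:
        raise ValueError("no RSA modulus in output") from None
    hex_parts = []
    for line in lines[start + 1:]:
        if not _HEX_LINE.fullmatch(line):   # first non-hex line ends the modulus
            break
        hex_parts.append(line.rstrip(":"))
    if not hex_parts:
        raise ValueError("modulus lines missing")
    modulus = int("".join(hex_parts).replace(":", ""), 16)
    match = re.search(r"Exponent:\s*(\d+)", text)
    if match is None:
        raise ValueError("exponent missing")
    return modulus, int(match.group(1))


def same_key(text_a, text_b):
    """True if both dumps carry the same RSA public key."""
    return parse_public_key(text_a) == parse_public_key(text_b)


def signature_algorithm(text):
    match = re.search(r"Signature Algorithm:\s*(\S+)", text)
    return match.group(1) if match else None


def audit(text, min_bits=2048):
    """Findings a reviewer would raise about the key and the signature."""
    findings = []
    algorithm = signature_algorithm(text)
    if algorithm is None:
        findings.append("no-signature-algorithm")
    else:
        for weak in WEAK_HASHES:
            if algorithm.lower().startswith(weak):
                findings.append(f"weak-signature-hash:{weak}")
    modulus, exponent = parse_public_key(text)
    if modulus.bit_length() < min_bits:
        findings.append(f"small-modulus:{modulus.bit_length()}")
    if exponent < 65537 or exponent % 2 == 0:
        findings.append(f"unusual-exponent:{exponent}")
    return findings


if __name__ == "__main__":
    print("request matches certificate:", same_key(SAMPLE_REQ, SAMPLE_CERT))
    print("findings:", audit(SAMPLE_REQ), audit(SAMPLE_CERT))
```

A weak hash on the request only affects the request's own self-signature, which the CA verifies once; a weak hash on the issued certificate or on the CA certificate is the serious case, because every IKE peer verifies that signature and the CA's signature policy, not the device, decides it.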
Example
Run the display rsa pki local-key-pair public command to view RSA key pairs.
<HUAWEI> display rsa pki local-key-pair public
======================================================
Time of the key pair created:14:59:36 2013/3/12.
Key Name:test
Key Index:0
Key Modules:2048 bit
Key Type :RSA signature key
======================================================
Key code
03820109
02820100
DCCC6305 0ABC63E3 ABD27CEA 77F19D8E 92A91F72
4C99AB74 DAA84C66 51C644E9 344E033D 6919E487
9E148CEB 94802A22 EF7BD338 9A7D1EC0 A6DFF9D3
2EDD5444 836E2131 39BBDDC2 5A372DA1 78C5DC55
CCEDE7AD A8F57255 999BEB43 A8D06E6E 2040DD41
E7ED0075 5345F57F 447F15E7 2ED2CAE5 05DCF264
E930F64E E6618510 DB893883 D3CC5379 41F38465
0DFFB97C F06CAA4C C52EAE91 13EB6AAE 4B29B851
E3C1811C 1812139B C2000757 35CDEAA8 E57804B0
5AE100D1 9FD34D73 898FB570 EAAE15B5 74C7F437
B32B54E6 B65BB4CC 0C610278 7F0CD545 6DB04102
257D63E1 D31DA7C4 D153F605 ED0F2C31 DBA1C91C
F347FE0A E4986589 7BC435EA D2E5F099
0203
010001
Run the display pki match-rsa-key certificate-filename file-name command to view the RSA key pair used by a certificate.
<HUAWEI> display pki match-rsa-key certificate-filename ocsp.cer
Info:The name of the key used in certificate file ocsp.cer is test.
Run the display pki cert-req filename file-name command to view the certificate request file areq.req.
<HUAWEI> display pki cert-req filename areq.req
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=tou,O=33,L=fd,C=CC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c4:7e:71:fb:42:21:9f:e1:34:2c:a2:bc:61:24:
a3:03:a1:ea:d6:cf:c9:75:d8:02:e0:7a:cf:a1:b1:
f7:b4:b7:f1:15:15:20:47:6c:28:7d:23:46:eb:ca:
0c:bd:fa:0b:16:65:50:55:0c:6c:a9:7d:87:64:5c:
28:71:ab:7c:08:ad:e8:26:18:84:b3:d9:fe:45:d7:
84:8c:2a:26:e4:8a:91:72:2e:59:ca:09:79:5d:39:
ae:01:ce:33:09:09:3a:e0:04:e2:d0:60:a1:75:4e:
82:8b:cf:03:c6:ad:53:f1:c2:e7:92:d0:2b:57:8d:
0a:9b:73:88:59:87:5c:fe:3f:45:56:8a:98:ec:77:
2a:be:ea:b0:b0:ce:b6:14:9f:52:4d:cb:00:e7:f2:
0e:13:38:82:fa:c1:21:54:0b:59:22:c7:bc:cd:b2:
f7:b3:f5:2b:21:28:19:e5:ea:4f:20:52:6f:87:06:
eb:f1:87:7d:95:0f:75:4a:d4:6e:48:ff:7e:a2:a0:
92:b5:ff:47:57:af:61:cd:c1:e2:95:3d:e3:97:e9:
da:ed:a1:47:14:bf:0c:5c:ab:7e:0a:58:0b:29:0e:
49:ca:27:9f:80:c1:46:d1:39:d9:0b:e2:e6:8e:bb:
cd:eb:75:9e:30:02:59:d2:1f:f5:87:a4:80:8a:dc:
4c:09
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
3f:91:7f:f6:36:a0:fb:f8:28:64:10:2c:cb:52:c6:ee:d1:ba:
54:2f:13:ff:a7:dc:4d:61:bd:33:65:1d:31:f1:97:7c:36:64:
c6:57:3b:5d:50:c4:21:7e:e1:78:93:df:54:fe:69:78:98:c5:
35:6c:42:27:76:e0:c0:0f:b7:22:69:a4:e1:ad:ac:b4:e1:97:
aa:0a:56:c9:f4:67:ff:a8:76:d8:bc:23:23:57:ff:aa:cf:24:
8b:c2:05:b7:de:5e:e3:25:ec:f2:ac:f1:25:a5:dc:87:1f:6b:
87:e5:9b:d8:69:63:a2:80:78:79:b4:9f:fa:d0:25:11:47:d8:
5d:fc:dd:71:67:53:e9:2c:6e:28:86:2e:60:40:81:2a:58:08:
63:11:79:10:83:74:4f:3b:81:42:46:4b:a1:8d:af:2a:20:83:
d1:b4:66:8f:50:a2:9a:f7:c3:14:b8:12:5f:dc:ba:3e:5e:40:
f1:0d:d9:f7:5a:46:29:b4:38:24:eb:6c:a8:aa:96:d3:c5:3c:
10:0e:7e:04:0f:08:e9:81:fc:21:a6:b4:50:14:08:07:68:13:
8a:04:da:d8:11:31:e4:40:74:c2:f9:6f:a9:6a:cf:cc:0d:52:
75:09:d3:1b:fe:ab:e0:82:42:12:09:1e:29:bb:ae:53:73:e2:
dc:df:a2:2f
Run the display pki certificate filename file-name command to view the local certificate local.cer.
<HUAWEI> display pki certificate filename local.cer
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:09:e4:f5:00:00:00:00:00:f5
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=pki1,DC=ipsec
Validity
Not Before: Jul 29 08:24:49 2011 GMT
Not After : Jul 29 08:34:49 2012 GMT
Subject: CN=tou,O=33,L=fd,C=CC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c4:7e:71:fb:42:21:9f:e1:34:2c:a2:bc:61:24:
a3:03:a1:ea:d6:cf:c9:75:d8:02:e0:7a:cf:a1:b1:
f7:b4:b7:f1:15:15:20:47:6c:28:7d:23:46:eb:ca:
0c:bd:fa:0b:16:65:50:55:0c:6c:a9:7d:87:64:5c:
28:71:ab:7c:08:ad:e8:26:18:84:b3:d9:fe:45:d7:
84:8c:2a:26:e4:8a:91:72:2e:59:ca:09:79:5d:39:
ae:01:ce:33:09:09:3a:e0:04:e2:d0:60:a1:75:4e:
82:8b:cf:03:c6:ad:53:f1:c2:e7:92:d0:2b:57:8d:
0a:9b:73:88:59:87:5c:fe:3f:45:56:8a:98:ec:77:
2a:be:ea:b0:b0:ce:b6:14:9f:52:4d:cb:00:e7:f2:
0e:13:38:82:fa:c1:21:54:0b:59:22:c7:bc:cd:b2:
f7:b3:f5:2b:21:28:19:e5:ea:4f:20:52:6f:87:06:
eb:f1:87:7d:95:0f:75:4a:d4:6e:48:ff:7e:a2:a0:
92:b5:ff:47:57:af:61:cd:c1:e2:95:3d:e3:97:e9:
da:ed:a1:47:14:bf:0c:5c:ab:7e:0a:58:0b:29:0e:
49:ca:27:9f:80:c1:46:d1:39:d9:0b:e2:e6:8e:bb:
cd:eb:75:9e:30:02:59:d2:1f:f5:87:a4:80:8a:dc:
4c:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
50:72:F9:97:88:83:CE:6E:AB:25:39:56:DD:B7:C2:05:E1:78:4C:FC
X509v3 Authority Key Identifier:
keyid:41:6C:9D:69:8F:A3:2F:34:46:20:F5:4C:35:2B:CB:D8:CF:C0:73:FF
X509v3 CRL Distribution Points:
URI:http://pki-1/CertEnroll/pki1.crl
URI:file://\\pki-1\CertEnroll\pki1.crl
Authority Information Access:
CA Issuers - URI:http://pki-1/CertEnroll/pki-1_pki1.crt
CA Issuers - URI:file://\\pki-1\CertEnroll\pki-1_pki1.crt
Signature Algorithm: sha1WithRSAEncryption
99:3e:bf:8c:b7:fb:54:6c:c3:a8:b8:2e:26:6b:7f:67:f7:e5:
67:1c:a7:20:a7:ce:77:c7:9b:38:16:17:28:94:55:b6:db:54:
1c:38:c8:c1:6e:70:81:9b:fa:4c:f9:b0:52:fe:18:72:d8:63:
aa:6e:ec:75:87:c2:d0:6a:b8:93:0a:5f:bf:29:6b:71:b5:a2:
70:bf:c0:ca:b4:12:83:09:c3:34:54:97:84:de:ee:a0:ea:24:
50:f1:e8:d6:73:4f:07:d8:58:7c:c1:c6:52:9b:ca:2a:be:2e:
ca:d3:05:76:d2:00:f0:bd:8e:c6:aa:99:05:0f:60:14:ee:0d:
f6:7e:95:23:ae:63:9b:e4:e3:a0:6a:3f:a2:4f:cf:9f:48:42:
54:fd:80:95:73:fd:c8:49:37:36:c1:a8:5c:65:81:af:4b:07:
32:6d:bb:b8:43:41:86:83:49:0b:1f:6e:4f:56:ab:06:a9:42:
f8:6e:5e:18:c5:94:45:39:b4:0b:b5:20:42:41:ac:a6:f5:b2:
ca:1d:f9:d3:ca:ac:d5:a3:4d:2b:0f:27:3f:db:8a:9f:46:3b:
86:38:72:08:63:aa:2c:c1:86:d6:13:08:5a:84:f0:91:2d:bf:
85:74:c4:6b:67:19:4a:55:8a:3d:37:27:93:75:11:4d:4b:a6:
3f:76:ca:04
Run the display pki certificate filename file-name command to view the CA certificate ca.cer.
<HUAWEI> display pki certificate filename ca.cer
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:e9:dc:41:0d:58:96:95:4d:d1:24:18:e7:7a:67:1f
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=pki1,DC=ipsec
Validity
Not Before: Jun 3 10:17:40 2011 GMT
Not After : Jun 3 10:26:31 2021 GMT
Subject: CN=pki1,DC=ipsec
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c9:4b:de:14:25:17:04:25:6b:63:21:2f:1c:ae:
53:d3:72:15:90:58:58:52:e2:40:83:6f:ed:f7:39:
83:e9:e5:04:fd:78:24:83:54:8c:7f:6d:ad:02:32:
69:5e:b0:2d:4a:1d:e5:da:8e:22:c2:81:e3:13:a7:
d7:42:9b:ca:2e:d9:68:be:7a:02:bb:78:39:75:e3:
11:e8:d5:95:09:f8:b5:4f:2c:8e:b4:f9:81:ba:d5:
2b:7b:9e:ba:90:f4:f4:84:c0:00:9b:4d:4e:6c:a9:
40:54:d2:78:d8:bb:9e:57:63:3a:21:17:eb:4e:74:
62:a8:94:b0:e2:81:a4:16:96:ed:91:e1:da:3f:93:
94:f8:ba:69:d5:3c:fe:55:ab:eb:5a:28:07:b2:98:
5a:32:6c:1b:12:21:b7:f6:10:a2:83:b6:88:af:97:
05:da:34:3e:e0:53:be:55:12:a8:a1:0d:4d:b7:de:
35:b8:51:3b:ec:7f:13:63:c4:76:fe:79:68:1c:74:
c7:30:8f:b1:88:88:dd:5b:4a:20:f2:dd:26:ea:b9:
34:98:2d:13:ff:8a:c4:67:bf:c7:a9:20:21:fa:41:
2b:ab:aa:6d:f8:ba:d2:e8:ba:39:78:bf:b4:8d:6e:
d8:c0:68:ac:bc:cb:48:aa:92:b2:a4:4e:e5:91:31:
03:45
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
41:6C:9D:69:8F:A3:2F:34:46:20:F5:4C:35:2B:CB:D8:CF:C0:73:FF
X509v3 CRL Distribution Points:
URI:http://pki-1/CertEnroll/pki1.crl
URI:file://\\pki-1\CertEnroll\pki1.crl
1.3.6.1.4.1.311.21.1:
...
Signature Algorithm: sha1WithRSAEncryption
50:f5:3b:38:ac:cb:43:c8:a6:c0:3b:b4:a4:6d:d0:87:8f:5e:
6f:b6:f3:be:5b:0c:5a:06:8b:2c:fa:cd:b4:02:f6:2d:7c:56:
88:88:4f:a7:a1:08:da:e0:69:f8:c6:c6:a6:8b:e9:53:4c:0e:
74:55:23:19:dc:23:1f:b2:cc:47:87:04:fc:25:c4:fa:b9:1e:
2f:0c:38:82:af:a7:75:5c:4a:42:8e:7c:eb:ca:36:ef:0b:84:
fc:55:cb:8f:8b:85:cd:31:cf:c3:cd:10:7b:d8:76:40:1a:d5:
3a:75:86:21:0b:f5:97:23:63:8f:09:32:78:18:db:71:32:2d:
03:b9:20:77:a5:dd:e2:0a:39:9a:9f:10:57:56:24:23:44:c8:
9f:e4:33:24:48:df:73:c7:48:2a:89:43:4c:86:32:c2:c3:17:
e0:03:4a:e3:32:5b:a9:95:7b:0b:52:a4:72:bf:3c:ad:ee:cb:
84:f1:c1:c4:9f:70:e5:23:75:d2:74:af:af:2e:17:c8:c7:f1:
38:fa:86:58:1e:36:44:76:27:d6:73:2f:15:7c:af:75:a9:aa:
d9:cf:6c:5c:ac:83:0c:45:61:66:6b:be:5b:fa:98:7b:19:92:
93:90:c7:ae:81:d1:31:de:f6:3c:5d:be:ca:ce:67:0a:c3:23:
da:ce:f0:1a
Run the display pki crl filename file-name command to view CRL file acrl.crl.
<HUAWEI> display pki crl filename acrl.crl
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=root4
Last Update: May 5 08:45:59 2011 GMT
Next Update: May 12 21:05:59 2011 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:3D:34:09:72:33:07:8F:5E:75:13:12:72:88:0F:71:02:CA:35:61:41
1.3.6.1.4.1.311.21.1:
...
X509v3 CRL Number:
4
1.3.6.1.4.1.311.21.4:
110512085559Z .
2.5.29.46:
0X0V.T.R.&http://win2003-4/CertEnroll/root4+.crl.(file://\\win20
03-4\CertEnroll\root4+.crl
1.3.6.1.4.1.311.21.14:
0..0...........ldap:///CN=root4,CN=win2003-4,CN=CDP,CN=Public%20
Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base
?objectClass=cRLDistributionPoint
No Revoked Certificates.
Signature Algorithm: sha1WithRSAEncryption
99:19:e3:2e:8c:24:14:e1:bb:d1:c6:32:e8:54:8d:1c:e4:08:
dc:0d:b1:3d:ca:5f:64:03:df:bc:8d:2f:fb:12:c9:ce:b2:e8:
e6:9b:ac:b0:9e:52:4c:1f:3d:c1:23:d7:cc:b5:50:fc:9b:16:
ab:a3:d9:06:c1:cf:4f:68:8b:aa:aa:82:ab:06:ab:c9:18:64:
0c:29:a0:7c:e4:d2:89:55:f9:c8:b8:53:f5:fe:1a:81:e8:cd:
4c:fd:a8:a4:4c:3d:f2:3e:74:f4:71:d1:a9:c4:ed:38:a0:bb:
5c:90:a4:71:50:72:7b:f5:4b:68:af:68:b7:b0:8d:7d:f5:24:
6d:77
Run the display pki ca_list command to view the CA certificates and CRL in the memory.
<HUAWEI> display pki ca_list
The x509 object type is certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:e9:dc:41:0d:58:96:95:4d:d1:24:18:e7:7a:67:1f
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=pki1,DC=ipsec
Validity
Not Before: Jun 3 10:17:40 2011 GMT
Not After : Jun 3 10:26:31 2021 GMT
Subject: CN=pki1,DC=ipsec
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c9:4b:de:14:25:17:04:25:6b:63:21:2f:1c:ae:
53:d3:72:15:90:58:58:52:e2:40:83:6f:ed:f7:39:
83:e9:e5:04:fd:78:24:83:54:8c:7f:6d:ad:02:32:
69:5e:b0:2d:4a:1d:e5:da:8e:22:c2:81:e3:13:a7:
d7:42:9b:ca:2e:d9:68:be:7a:02:bb:78:39:75:e3:
11:e8:d5:95:09:f8:b5:4f:2c:8e:b4:f9:81:ba:d5:
2b:7b:9e:ba:90:f4:f4:84:c0:00:9b:4d:4e:6c:a9:
40:54:d2:78:d8:bb:9e:57:63:3a:21:17:eb:4e:74:
62:a8:94:b0:e2:81:a4:16:96:ed:91:e1:da:3f:93:
94:f8:ba:69:d5:3c:fe:55:ab:eb:5a:28:07:b2:98:
5a:32:6c:1b:12:21:b7:f6:10:a2:83:b6:88:af:97:
05:da:34:3e:e0:53:be:55:12:a8:a1:0d:4d:b7:de:
35:b8:51:3b:ec:7f:13:63:c4:76:fe:79:68:1c:74:
c7:30:8f:b1:88:88:dd:5b:4a:20:f2:dd:26:ea:b9:
34:98:2d:13:ff:8a:c4:67:bf:c7:a9:20:21:fa:41:
2b:ab:aa:6d:f8:ba:d2:e8:ba:39:78:bf:b4:8d:6e:
d8:c0:68:ac:bc:cb:48:aa:92:b2:a4:4e:e5:91:31:
03:45
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
41:6C:9D:69:8F:A3:2F:34:46:20:F5:4C:35:2B:CB:D8:CF:C0:73:FF
X509v3 CRL Distribution Points:
URI:http://pki-1/CertEnroll/pki1.crl
URI:file://\\pki-1\CertEnroll\pki1.crl
1.3.6.1.4.1.311.21.1:
...
Signature Algorithm: sha1WithRSAEncryption
50:f5:3b:38:ac:cb:43:c8:a6:c0:3b:b4:a4:6d:d0:87:8f:5e:
6f:b6:f3:be:5b:0c:5a:06:8b:2c:fa:cd:b4:02:f6:2d:7c:56:
88:88:4f:a7:a1:08:da:e0:69:f8:c6:c6:a6:8b:e9:53:4c:0e:
74:55:23:19:dc:23:1f:b2:cc:47:87:04:fc:25:c4:fa:b9:1e:
2f:0c:38:82:af:a7:75:5c:4a:42:8e:7c:eb:ca:36:ef:0b:84:
fc:55:cb:8f:8b:85:cd:31:cf:c3:cd:10:7b:d8:76:40:1a:d5:
3a:75:86:21:0b:f5:97:23:63:8f:09:32:78:18:db:71:32:2d:
03:b9:20:77:a5:dd:e2:0a:39:9a:9f:10:57:56:24:23:44:c8:
9f:e4:33:24:48:df:73:c7:48:2a:89:43:4c:86:32:c2:c3:17:
e0:03:4a:e3:32:5b:a9:95:7b:0b:52:a4:72:bf:3c:ad:ee:cb:
84:f1:c1:c4:9f:70:e5:23:75:d2:74:af:af:2e:17:c8:c7:f1:
38:fa:86:58:1e:36:44:76:27:d6:73:2f:15:7c:af:75:a9:aa:
d9:cf:6c:5c:ac:83:0c:45:61:66:6b:be:5b:fa:98:7b:19:92:
93:90:c7:ae:81:d1:31:de:f6:3c:5d:be:ca:ce:67:0a:c3:23:
da:ce:f0:1a
Run the display pki cert_list command to view local certificates in the memory.
<HUAWEI> display pki cert_list
The x509_obj type is Cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:09:e4:f5:00:00:00:00:00:f5
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=pki1,DC=ipsec
Validity
Not Before: Jul 29 08:24:49 2011 GMT
Not After : Jul 29 08:34:49 2012 GMT
Subject: CN=tou,O=33,L=fd,C=CC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c4:7e:71:fb:42:21:9f:e1:34:2c:a2:bc:61:24:
a3:03:a1:ea:d6:cf:c9:75:d8:02:e0:7a:cf:a1:b1:
f7:b4:b7:f1:15:15:20:47:6c:28:7d:23:46:eb:ca:
0c:bd:fa:0b:16:65:50:55:0c:6c:a9:7d:87:64:5c:
28:71:ab:7c:08:ad:e8:26:18:84:b3:d9:fe:45:d7:
84:8c:2a:26:e4:8a:91:72:2e:59:ca:09:79:5d:39:
ae:01:ce:33:09:09:3a:e0:04:e2:d0:60:a1:75:4e:
82:8b:cf:03:c6:ad:53:f1:c2:e7:92:d0:2b:57:8d:
0a:9b:73:88:59:87:5c:fe:3f:45:56:8a:98:ec:77:
2a:be:ea:b0:b0:ce:b6:14:9f:52:4d:cb:00:e7:f2:
0e:13:38:82:fa:c1:21:54:0b:59:22:c7:bc:cd:b2:
f7:b3:f5:2b:21:28:19:e5:ea:4f:20:52:6f:87:06:
eb:f1:87:7d:95:0f:75:4a:d4:6e:48:ff:7e:a2:a0:
92:b5:ff:47:57:af:61:cd:c1:e2:95:3d:e3:97:e9:
da:ed:a1:47:14:bf:0c:5c:ab:7e:0a:58:0b:29:0e:
49:ca:27:9f:80:c1:46:d1:39:d9:0b:e2:e6:8e:bb:
cd:eb:75:9e:30:02:59:d2:1f:f5:87:a4:80:8a:dc:
4c:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
50:72:F9:97:88:83:CE:6E:AB:25:39:56:DD:B7:C2:05:E1:78:4C:FC
X509v3 Authority Key Identifier:
keyid:41:6C:9D:69:8F:A3:2F:34:46:20:F5:4C:35:2B:CB:D8:CF:C0:73:FF
X509v3 CRL Distribution Points:
URI:http://pki-1/CertEnroll/pki1.crl
URI:file://\\pki-1\CertEnroll\pki1.crl
Authority Information Access:
CA Issuers - URI:http://pki-1/CertEnroll/pki-1_pki1.crt
CA Issuers - URI:file://\\pki-1\CertEnroll\pki-1_pki1.crt
Signature Algorithm: sha1WithRSAEncryption
99:3e:bf:8c:b7:fb:54:6c:c3:a8:b8:2e:26:6b:7f:67:f7:e5:
67:1c:a7:20:a7:ce:77:c7:9b:38:16:17:28:94:55:b6:db:54:
1c:38:c8:c1:6e:70:81:9b:fa:4c:f9:b0:52:fe:18:72:d8:63:
aa:6e:ec:75:87:c2:d0:6a:b8:93:0a:5f:bf:29:6b:71:b5:a2:
70:bf:c0:ca:b4:12:83:09:c3:34:54:97:84:de:ee:a0:ea:24:
50:f1:e8:d6:73:4f:07:d8:58:7c:c1:c6:52:9b:ca:2a:be:2e:
ca:d3:05:76:d2:00:f0:bd:8e:c6:aa:99:05:0f:60:14:ee:0d:
f6:7e:95:23:ae:63:9b:e4:e3:a0:6a:3f:a2:4f:cf:9f:48:42:
54:fd:80:95:73:fd:c8:49:37:36:c1:a8:5c:65:81:af:4b:07:
32:6d:bb:b8:43:41:86:83:49:0b:1f:6e:4f:56:ab:06:a9:42:
f8:6e:5e:18:c5:94:45:39:b4:0b:b5:20:42:41:ac:a6:f5:b2:
ca:1d:f9:d3:ca:ac:d5:a3:4d:2b:0f:27:3f:db:8a:9f:46:3b:
86:38:72:08:63:aa:2c:c1:86:d6:13:08:5a:84:f0:91:2d:bf:
85:74:c4:6b:67:19:4a:55:8a:3d:37:27:93:75:11:4d:4b:a6:
3f:76:ca:04