No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Fat AP and Cloud AP V200R010C00 Command Reference

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).



Using the pki-realm command, you can specify a public key infrastructure (PKI) domain in an SSL policy.

Using the undo pki-realm command, you can delete the PKI domain from the SSL policy.

By default, no PKI domain is specified for an SSL policy on the AP.


pki-realm realm-name

undo pki-realm






Specifies the name of a PKI domain.

The PKI domain name must already exist.


Client SSL policy view, server SSL policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

This command specifies a PKI domain in an SSL policy. A PKI domain has different functions when it is specified in a server SSL policy and a client SSL policy:

  • After a PKI domain is specified in the server SSL policy view, the AP functioning as an SSL server obtains a digital certificate from the certificate authority (CA) specified in the PKI domain. Then SSL clients authenticate the AP by checking the digital certificate.
  • After a PKI domain is specified in the client SSL policy view, the AP functioning as an SSL client obtains a CA certificate chain from the CA specified in the PKI domain. If SSL server authentication is enabled by using the server-verify enable command, the AP authenticates the SSL server using the CA certificate chain.


A PKI domain has been created.


When the SSL policy is referenced by another configuration, you cannot modify the configuration using the pki-realm command.

When functioning as an SSL server, the AP is authenticated by SSL clients, but it cannot authenticate SSL clients.

When functioning as an SSL client, the AP does not allow SSL servers to authenticate it, but it can authenticate SSL servers.


# Configure a client SSL policy to use the PKI domain client-realm.

<Huawei> system-view
[Huawei] ssl policy users type client
[Huawei-ssl-policy-users] pki-realm client-realm
Updated: 2019-11-21

Document ID: EDOC1100064352

Views: 248251

Downloads: 140

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Previous Next