S12700 V200R013C00 Log Reference

This document provides the explanations, causes, and recommended actions of logs on the product.
PKI

PKI/4/GETTING_CA_CERT

Message

PKI/4/GETTING_CA_CERT: Realm [realm_name] is obtaining CA certificate through [protocol]...

Description

The realm was obtaining a CA certificate using SCEP.

Parameters

Parameter Name Parameter Meaning
[realm_name] Specifies the name of a PKI realm.
[protocol] Specifies the protocol type: SCEP.

Possible Causes

The realm was obtaining a CA certificate using SCEP.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/CA_IMPORT_ERR

Message

PKI/4/CA_IMPORT_ERR: Importing CA certificate file ([file_name]) failed.

Description

Importing a CA certificate failed.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the file name of a CA certificate.

Possible Causes

  • The certificate file does not exist.
  • The certificate file name is invalid.
  • The certificate format is incorrect.
  • The certificate storage path is incorrect.
  • The same certificate exists on the device.

Procedure

  1. Run the display pki certificate filename file-name command to check whether the certificate exists.

    • If not, use methods such as SFTP to upload the certificate to the storage medium of the device.

    • If so, go to step 2.

  2. Check whether the imported certificate file name meets requirements.

    • If not, change the certificate file name in accordance with requirements.
    • If so, go to step 3.

  3. Run the pki import-certificate ca command to check whether the certificate format selected during certificate import is correct.

    • If not, select the correct certificate format when importing the certificate.
    • If so, go to step 4.

  4. Run the dir and display pki credential-storage-path commands in the user view to check whether the certificate storage path is the same as the default storage path of the certificate.

    • If not, save the certificate to the default storage path.
    • If so, go to step 5.

  5. Run the display pki certificate ca command to check whether the same certificate has been installed on the device or whether a certificate with the same issuer and subject exists on the device.

    • If so, run the pki delete-certificate command in the system view to delete this certificate.
    • If not, go to step 6.

  6. Collect required information and contact technical support personnel.

PKI/4/CA_IMPORT_OK

Message

PKI/4/CA_IMPORT_OK: Importing CA certificate file ([file_name]) succeeded.

Description

Importing a CA certificate succeeded.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the file name of a CA certificate.

Possible Causes

Manually importing a CA certificate succeeded.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/CA_WILL_EXPIRED

Message

PKI/4/CA_WILL_EXPIRED: CA certificate ([subject_name]) will expire in [day] days.

Description

A CA certificate was about to expire.

Parameters

Parameter Name Parameter Meaning
[subject_name] Specifies the subject of a CA certificate.
[day] Specifies the remaining validity period of the CA certificate, in days.

Possible Causes

The CA certificate in the memory was about to expire.

Procedure

  • Apply for certificates online using SCEP.

    • If the automatic certificate update function is configured, the device automatically updates certificates using SCEP when the certificates are about to expire or have expired.

      You need to ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.

    • If the automatic certificate update function is not configured, run the pki enroll-certificate realm command in the system view to manually update the certificates.

      Ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.

  • Apply for certificates offline.

    1. Send the certificate request file to the CA server through the web system, disk, or email to apply for a CA certificate and local certificate.

    2. Run the pki delete-certificate command in the system view to delete the old CA certificate and local certificate from the device memory.

    3. Use methods such as SFTP to upload the obtained CA and local certificates to the storage medium of the device, and run the pki import-certificate command in the system view to import the certificates to the memory of the device.

PKI/4/CA_EXPIRED

Message

PKI/4/CA_EXPIRED: CA certificate ([subject_name]) has expired for [day] days.

Description

A CA certificate expired.

Parameters

Parameter Name Parameter Meaning
[subject_name] Specifies the subject of a CA certificate.
[day] Specifies the number of days after a CA certificate expired.

Possible Causes

  • The certificate failed to be updated automatically.
  • The certificate was not updated manually.

Procedure

  • Apply for certificates online using SCEP.

    • If the automatic certificate update function is configured, the device automatically updates certificates using SCEP when the certificates are about to expire or have expired.

      You need to ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.

    • If the automatic certificate update function is not configured, run the pki enroll-certificate realm command in the system view to manually update the certificates.

      Ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.

  • Apply for certificates offline.

    1. Send the certificate request file to the CA server through the web system, disk, or email to apply for a CA certificate and local certificate.

    2. Run the pki delete-certificate command in the system view to delete the old CA certificate and local certificate from the device memory.

    3. Use methods such as SFTP to upload the obtained CA and local certificates to the storage medium of the device, and run the pki import-certificate command in the system view to import the certificates to the memory of the device.

PKI/4/CA_VALID

Message

PKI/4/CA_VALID: CA certificate ([subject_name]) will be valid in [day] days.

Description

A CA certificate was not yet valid.

Parameters

Parameter Name Parameter Meaning
[subject_name] Specifies the subject of a CA certificate.
[day] Specifies the number of days before a CA certificate takes effect.

Possible Causes

The system time of the device is earlier than the start time of the certificate validity period.

Procedure

  1. Run the display clock command to check whether the system time of the device is correct.

    • If not, run the clock datetime command in the user view to change the system time of the device.
    • If so, go to step 2.

  2. Collect required information and contact technical support personnel.

PKI/4/GETTING_CERT

Message

PKI/4/GETTING_CERT: Manually obtaining certificate [file_name] through [protocol]...

Description

A certificate was being obtained manually.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the name of a certificate file.
[protocol] Specifies the protocol type: HTTP.

Possible Causes

A command was executed to obtain a certificate.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/CLEAR_ALL_KEY

Message

PKI/4/CLEAR_ALL_KEY: PKI was notified to clear all [string] in the device(Reason=[reason]).

Description

PKI was notified to delete all key pairs or certificates in the device.

Parameters

Parameter Name Parameter Meaning
[string] Indicates the key pair or certificate file name.
[reason] Indicates the deletion reason:
  • reset factory configuration: A command is executed to restore factory settings at one click.
  • batch back up: Key pairs or certificates on the standby device are deleted during batch backup.

Possible Causes

  • A command is executed to restore factory settings at one click.
  • Key pairs or certificates on the standby device are deleted during batch backup.

Procedure

  1. This log is informational only, and no action is required.

PKI/5/CONFIRM_NO_CHECK_ALG

Message

PKI/5/CONFIRM_NO_CHECK_ALG: The user chose [string] when deciding whether to import unsafe certificate.

Description

The user decided whether to import an insecure CA or local certificate.

Parameters

Parameter Name Parameter Meaning
[string] Indicates whether the user chooses to import an insecure certificate: Y/N.

Possible Causes

When the user imported an insecure CA or local certificate, this message was displayed to ask the user whether to continue the operation.

Procedure

  1. This log message is informational only, and no action is required.

PKI/5/CONFIRM_NO_CHECK_VALIDATE

Message

PKI/5/CONFIRM_NO_CHECK_VALIDATE: The user chose [string] when deciding whether to import expired certificate.

Description

The user decided whether to import an expired CA or local certificate.

Parameters

Parameter Name Parameter Meaning
[string] Indicates whether the user chooses to import an expired certificate: Y/N.

Possible Causes

When the user imported an expired CA or local certificate, this message was displayed to ask the user whether to continue the operation.

Procedure

  1. This log message is informational only, and no action is required.

PKI/5/CONFIRM_COVER_PEER_CERT

Message

PKI/5/CONFIRM_COVER_PEER_CERT: The user chose [string] when deciding whether to cover the old peer certificate with the new one.

Description

The user chooses whether to overwrite the old peer certificate.

Parameters

Parameter Name Parameter Meaning
[string] Indicates the operation chosen by the user:
  • Y: overwrites the old peer certificate.
  • N: does not overwrite the old peer certificate.

Possible Causes

When a user imports a peer certificate, the same peer certificate already exists on the device.

Procedure

  1. This log is informational only, and no action is required.

PKI/5/CONFIRM_CREATE_CERT

Message

PKI/5/CONFIRM_CREATE_CERT: The user chose [string] when deciding whether to create the new certificate.

Description

The user chooses whether to create a self-signed certificate.

Parameters

Parameter Name Parameter Meaning
[string] Indicates the operation chosen by the user:
  • Y: creates a self-signed certificate.
  • N: does not create a self-signed certificate.

Possible Causes

A user creates a self-signed certificate.

Procedure

  1. This log is informational only, and no action is required.

PKI/5/CONFIRM_DESTROY_RSA

Message

PKI/5/CONFIRM_DESTROY_RSA: The user chose [string] when deciding whether to destroy the RSA key pair.

Description

The user chooses whether to destroy the RSA key pair.

Parameters

Parameter Name Parameter Meaning
[string] Indicates the operation chosen by the user:
  • Y: destroys the RSA key pair.
  • N: does not destroy the RSA key pair.

Possible Causes

The user destroys the RSA key pair.

Procedure

  1. This log is informational only, and no action is required.

PKI/5/CONFIRM_EXPORT_KEYPAIR

Message

PKI/5/CONFIRM_EXPORT_KEYPAIR: The user chose [string] when deciding whether to export key pair.

Description

The user chooses whether to export the key pair.

Parameters

Parameter Name Parameter Meaning
[string] Indicates the operation chosen by the user:
  • Y: exports the key pair.
  • N: does not export the key pair.

Possible Causes

The user exports the key pair.

Procedure

  1. This log is informational only, and no action is required.

PKI/5/CONFIRM_FINGERPRINT

Message

PKI/5/CONFIRM_FINGERPRINT: The user chose [string] when deciding whether the fingerprint is correct.

Description

The user confirms whether the CA certificate fingerprint is correct.

Parameters

Parameter Name Parameter Meaning
string Indicates the operation chosen by the user:
  • Y: indicates that the fingerprint is correct.
  • N: indicates that the fingerprint is incorrect.

Possible Causes

The user imports a CA certificate in the PKI domain.

Procedure

  1. This log is informational only, and no action is required.

PKI/5/CONFIRM_OVERWRITE_FILE

Message

PKI/5/CONFIRM_OVERWRITE_FILE: The user chose [string] when deciding whether to overwrite the exist file.

Description

The user confirms whether to overwrite an existing certificate file.

Parameters

Parameter Name Parameter Meaning
[string] Indicates the operation chosen by the user:
  • Y: overwrites an existing certificate file.
  • N: does not overwrite an existing certificate file.

Possible Causes

When exporting a certificate file, the user uses an existing certificate file name.

Procedure

  1. This log is informational only, and no action is required.

PKI/5/CONFIRM_OVERWRITE_RSA

Message

PKI/5/CONFIRM_OVERWRITE_RSA: The user chose [string] when deciding whether to overwrite the old RSA key pair.

Description

The user chooses whether to overwrite the old RSA key pair.

Parameters

Parameter Name Parameter Meaning
[string] Indicates the operation chosen by the user:
  • Y: overwrites the old RSA key pair.
  • N: does not overwrite the old RSA key pair.

Possible Causes

When creating an RSA key pair, the user uses an existing RSA key pair name.

Procedure

  1. This log is informational only, and no action is required.
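
The CONFIRM_* logs above record operator decisions that change the device's trust or key state, and the CA_* validity logs flag trust anchors that are expired or not yet valid. As an added example (not part of the Huawei document), the Python code below triages lines built from the message templates on this page; the severity labels, the 30-day warning threshold, the sample subject names and the tolerance for a YES-style answer are assumptions of the example.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    log_name: str
    severity: str  # triage label chosen for this example, not a Huawei value
    detail: str


# Matches the "PKI/<level>/<NAME>: <text>" part wherever it sits in the line,
# so any header a syslog collector prepends is ignored.
LOG_RE = re.compile(r"PKI/(?P<level>\d)/(?P<name>[A-Z_]+): (?P<text>.*)$")
CHOICE_RE = re.compile(r"^The user chose (?P<choice>\S+) when deciding ")
CA_DAYS_RE = re.compile(
    r"^CA certificate \((?P<subject>.*)\) "
    r"(?:will expire in|has expired for|will be valid in) (?P<day>\d+) days\."
)

# CONFIRM_* logs where a "Y" answer weakens or changes trust/key state.
RISKY_YES = {
    "CONFIRM_NO_CHECK_ALG": ("high", "operator imported an insecure certificate"),
    "CONFIRM_NO_CHECK_VALIDATE": ("high", "operator imported an expired certificate"),
    "CONFIRM_EXPORT_KEYPAIR": ("high", "operator exported a key pair"),
    "CONFIRM_DESTROY_RSA": ("medium", "operator destroyed an RSA key pair"),
    "CONFIRM_OVERWRITE_RSA": ("medium", "operator overwrote an RSA key pair"),
    "CONFIRM_CREATE_CERT": ("medium", "operator created a self-signed certificate"),
}


def _choice(text: str) -> str:
    """Return 'Y', 'N' or '' for a CONFIRM_* message body."""
    m = CHOICE_RE.match(text)
    # The page documents Y/N; accepting "YES"/"no" etc. is an assumption.
    return m.group("choice")[:1].upper() if m else ""


def triage(line: str, warn_days: int = 30) -> Optional[Finding]:
    """Classify one log line; return None when nothing needs attention."""
    m = LOG_RE.search(line.strip())
    if not m:
        return None
    name, text = m.group("name"), m.group("text")

    if name in RISKY_YES:
        if _choice(text) == "Y":
            severity, detail = RISKY_YES[name]
            return Finding(name, severity, detail)
        return None

    if name == "CONFIRM_FINGERPRINT":
        # "N" means the operator judged the CA certificate fingerprint incorrect.
        if _choice(text) == "N":
            return Finding(name, "high", "operator reported the CA fingerprint as incorrect")
        return None

    if name in ("CA_WILL_EXPIRED", "CA_EXPIRED", "CA_VALID"):
        d = CA_DAYS_RE.match(text)
        if not d:
            return None
        subject, day = d.group("subject"), int(d.group("day"))
        if name == "CA_EXPIRED":
            return Finding(name, "high", f"{subject} expired {day} days ago")
        if name == "CA_VALID":
            return Finding(name, "medium", f"{subject} not valid for {day} days; check device clock")
        if day <= warn_days:
            return Finding(name, "medium", f"{subject} expires in {day} days")
    return None


def triage_all(lines: List[str], warn_days: int = 30) -> List[Finding]:
    """Triage many lines, dropping those that produce no finding."""
    return [f for f in (triage(l, warn_days) for l in lines) if f is not None]


# Constructed sample lines, built from the message templates on this page.
SAMPLE_LOGS = [
    "PKI/5/CONFIRM_NO_CHECK_ALG: The user chose Y when deciding whether to import unsafe certificate.",
    "PKI/5/CONFIRM_NO_CHECK_VALIDATE: The user chose N when deciding whether to import expired certificate.",
    "PKI/5/CONFIRM_EXPORT_KEYPAIR: The user chose Y when deciding whether to export key pair.",
    "PKI/5/CONFIRM_FINGERPRINT: The user chose N when deciding whether the fingerprint is correct.",
    "PKI/4/CA_WILL_EXPIRED: CA certificate (CN=example-root-ca) will expire in 7 days.",
    "PKI/4/CA_WILL_EXPIRED: CA certificate (CN=example-root-ca) will expire in 90 days.",
    "PKI/4/CA_EXPIRED: CA certificate (CN=example-old-ca) has expired for 3 days.",
    "PKI/4/CA_VALID: CA certificate (CN=example-new-ca) will be valid in 2 days.",
    "PKI/4/CA_IMPORT_OK: Importing CA certificate file (example_ca.pem) succeeded.",
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_LOGS):
        print(f"[{finding.severity}] {finding.log_name}: {finding.detail}")
```
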

PKI/4/CRL_IMPORT_ERR

Message

PKI/4/CRL_IMPORT_ERR: Importing CRL file ([file_name]) failed.

Description

Importing a CRL failed.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the file name of a CRL.

Possible Causes

  • The CRL file does not exist.
  • The CRL file name is invalid.
  • The CRL file format is incorrect.
  • The CRL file storage path is incorrect.

Procedure

  1. Run the display pki crl filename file-name command to check whether the CRL file exists.

    • If not, use methods such as SFTP to upload the CRL file to the storage medium of the device.
    • If so, go to step 2.

  2. Check whether the CRL file name meets requirements.

    • If not, change the CRL file name in accordance with requirements.
    • If so, go to step 3.

  3. Check whether the CRL file format is correct.

    • If not, use the CRL file format supported by the device, for example, DER and PEM.
    • If so, go to step 4.

  4. Run the dir and display pki credential-storage-path commands in the user view to check whether the CRL file storage path is the same as the default storage path of the CRL file.

    • If not, save the CRL file to the default storage path.
    • If so, go to step 5.

  5. Collect required information and contact technical support personnel.

PKI/4/CRL_IMPORT_OK

Message

PKI/4/CRL_IMPORT_OK: Importing CRL file ([file_name]) succeeded.

Description

Importing a CRL succeeded.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the file name of a CRL.

Possible Causes

Importing a CRL succeeded.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/CRL_WILL_EXPIRED

Message

PKI/4/CRL_WILL_EXPIRED: CRL ([issuer_name]) will expire in [day] days.

Description

A CRL was about to expire.

Parameters

Parameter Name Parameter Meaning
[issuer_name] Specifies the name of the CRL issuer.
[day] Specifies the remaining validity period of the CRL, in days.

Possible Causes

The CRL in the memory was about to expire.

Procedure

  • Automatic CRL update
    1. Check the link between the device and CRL distribution server.

      If the link is not working properly, restore it.

    2. Check whether automatic CRL update is enabled.

      If automatic CRL update is disabled, run the crl auto-update enable command in the PKI realm view to enable it.

    3. Check whether the CRL-related PKI configuration is correct, including the URL of the CRL distribution point (CDP) and CRL update mode.

      If the configuration is incorrect, modify the configuration to ensure that it is correct.

  • Manual CRL update
    1. Select the manual CRL update mode based on the service modes provided by the CA and supported by the device. For example, run the pki http command in the system view to download a CRL using HTTP.
    2. Run the pki import-crl command in the system view to import the CRL to the device memory.

PKI/4/CRL_EXPIRED

Message

PKI/4/CRL_EXPIRED: CRL ([issuer_name]) has expired for [day] days.

Description

A CRL expired.

Parameters

Parameter Name Parameter Meaning
[issuer_name] Specifies the name of the CRL issuer.
[day] Specifies the number of days after the CRL expired.

Possible Causes

  • The device failed to automatically update the CRL.
  • The CRL was not updated manually.

Procedure

  • Automatic CRL update
    1. Check the link between the device and CRL distribution server.

      If the link is not working properly, restore it.

    2. Check whether automatic CRL update is enabled.

      If automatic CRL update is disabled, run the crl auto-update enable command in the PKI realm view to enable it.

    3. Check whether the CRL-related PKI configuration is correct, including the URL of the CRL distribution point (CDP) and CRL update mode.

      If the configuration is incorrect, modify the configuration to ensure that it is correct.

  • Manual CRL update
    1. Select the manual CRL update mode based on the service modes provided by the CA and supported by the device. For example, run the pki http command in the system view to download a CRL using HTTP.
    2. Run the pki import-crl command in the system view to import the CRL to the device memory.

PKI/4/CRL_VALID

Message

PKI/4/CRL_VALID: CRL ([issuer_name]) will be valid in [day] days.

Description

A CRL was not yet valid.

Parameters

Parameter Name Parameter Meaning
[issuer_name] Specifies the name of the CRL issuer.
[day] Specifies the number of days before the CRL takes effect.

Possible Causes

The system time of the device is earlier than the start time of the CRL validity period.

Procedure

  1. Run the display clock command to check whether the system time of the device is correct.

    • If not, run the clock datetime command in the user view to change the system time of the device.
    • If so, go to step 2.

  2. Collect required information and contact technical support personnel.

PKI/4/DEL_CA_ERR

Message

PKI/4/DEL_CA_ERR: Deleting CA certificate file ([file_name]) failed.

Description

Deleting a CA certificate failed.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the name of a certificate file.

Possible Causes

  • The CA certificate does not exist.
  • The CA certificate is being used by services.

Procedure

  1. Run the display pki certificate ca command to check whether the CA certificate exists.

    • If not, confirm whether to delete another certificate.
    • If so, go to step 2.

  2. Check whether this certificate is being used by services.

    • If so, ensure that this certificate is not being used by services before deleting the certificate.
    • If not, go to step 3.

  3. Collect required information and contact technical support personnel.

PKI/4/DEL_CA_OK

Message

PKI/4/DEL_CA_OK: Deleting CA certificate file ([file_name]) succeeded.

Description

Deleting a CA certificate succeeded.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the name of a certificate file.

Possible Causes

Deleting a CA certificate from the memory succeeded.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/DEL_CRL_OK

Message

PKI/4/DEL_CRL_OK: Deleting CRL file ([file_name]) succeeded.

Description

Deleting a CRL succeeded.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the file name of a CRL.

Possible Causes

Deleting a CRL from the memory succeeded.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/DEL_CRL_ERR

Message

PKI/4/DEL_CRL_ERR: Deleting CRL file ([file_name]) failed.

Description

Deleting a CRL failed.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the file name of a CRL.

Possible Causes

The CRL does not exist.

Procedure

  1. Run the display pki crl command to check whether the CRL exists.

    • If not, confirm whether to delete another CRL.
    • If so, go to step 2.

  2. Collect required information and contact technical support personnel.

PKI/4/DEL_LOCAL_ERR

Message

PKI/4/DEL_LOCAL_ERR: Deleting local certificate file ([file_name]) failed.

Description

Deleting a local certificate failed.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the name of a certificate file.

Possible Causes

  • The local certificate does not exist.
  • The local certificate is being used by services.

Procedure

  1. Run the display pki certificate local command to check whether the local certificate exists.

    • If not, confirm whether to delete another certificate.
    • If so, go to step 2.

  2. Check whether this certificate is being used by services.

    • If so, ensure that this certificate is not being used by services before deleting the certificate.
    • If not, go to step 3.

  3. Collect required information and contact technical support personnel.

PKI/4/DEL_LOCAL_OK

Message

PKI/4/DEL_LOCAL_OK: Deleting local certificate file ([file_name]) succeeded.

Description

Deleting a local certificate succeeded.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the name of a certificate file.

Possible Causes

Deleting a local certificate from the memory succeeded.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/DEL_PEER_ERR

Message

PKI/4/DEL_PEER_ERR: Deleting PEER certificate file ([string]) failed.

Description

A peer certificate failed to be deleted.

Parameters

Parameter Name Parameter Meaning
[string] Specifies the name of a peer certificate file.

Possible Causes

  • The peer certificate does not exist.
  • The peer certificate is being used by services.

Procedure

  1. Run the display pki peer-certificate command to check whether the peer certificate exists.

    • If not, confirm whether to delete another certificate.
    • If so, go to step 2.

  2. Check whether this certificate is being used by services.

    • If so, ensure that this certificate is not being used by services before deleting the certificate.
    • If not, go to step 3.

  3. Collect required information and contact technical support personnel.

PKI/4/DEL_PEER_OK

Message

PKI/4/DEL_PEER_OK: Deleting PEER certificate file ([string]) succeeded.

Description

A peer certificate was deleted successfully.

Parameters

Parameter Name Parameter Meaning
[string] Specifies the name of a PEER certificate file.

Possible Causes

A peer certificate was deleted successfully.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/CA_EXPORT_ERR

Message

PKI/4/CA_EXPORT_ERR: Exporting CA certificate file ([string]) failed.

Description

Failed to export a CA certificate file.

Parameters

Parameter Name Parameter Meaning
[string] Specifies the name of a CA certificate file.

Possible Causes

  • The CA certificate does not exist.

  • The storage space is full.

Procedure

  1. Run the display pki certificate ca command to check whether the CA certificate exists.

    • If not, obtain a CA certificate from the CA.
    • If so, go to step 2.

  2. Run the dir command to check whether the storage space of the device is full.

    • If so, delete unnecessary files to clear the storage space.
    • If not, go to step 3.

  3. Collect required information and contact technical support personnel.

PKI/4/CA_EXPORT_OK

Message

PKI/4/CA_EXPORT_OK: Exporting CA certificate file ([string]) succeeded.

Description

A CA certificate file is exported successfully.

Parameters

Parameter Name Parameter Meaning
[string] Specifies the name of a CA certificate file.

Possible Causes

A CA certificate is exported successfully.

Procedure

  1. This log is informational only, and no action is required.

PKI/4/LOCAL_EXPORT_ERR

Message

PKI/4/LOCAL_EXPORT_ERR: Exporting local certificate file ([string]) failed.

Description

Failed to export a local certificate file.

Parameters

Parameter Name Parameter Meaning
[string] Specifies the name of a local certificate file.

Possible Causes

  • The local certificate does not exist.

  • The storage space is full.

  • No private key file name is entered when the local certificate is being exported.

  • The entered private key password does not meet requirements when the local certificate is being exported.

Procedure

  1. Run the display pki certificate local command to check whether the local certificate exists.

    • If not, obtain or apply for a CA certificate from the CA.
    • If so, go to step 2.

  2. Run the dir command to check whether the storage space of the device is full.

    • If so, delete unnecessary files to clear the storage space.
    • If not, go to step 3.

  3. Check whether the private key file name and password need to be entered when exporting the local certificate.

    • If so, enter the private key file name and password as required.
    • If not, go to step 4.

  4. Collect required information and contact technical support personnel.

PKI/4/LOCAL_EXPORT_OK

Message

PKI/4/LOCAL_EXPORT_OK: Exporting local certificate file ([string]) succeeded.

Description

A local certificate file is exported successfully.

Parameters

Parameter Name Parameter Meaning
[string] Specifies the name of a local certificate file.

Possible Causes

A local certificate file is exported successfully.

Procedure

  1. This log is informational only, and no action is required.

PKI/4/GET_CA_CERT_ERR

Message

PKI/4/GET_CA_CERT_ERR: Realm [realm_name] failed to get CA certificate through [protocol].

Description

Failed to obtain the CA certificate through SCEP.

Parameters

Parameter Name Parameter Meaning
[realm_name] Specifies the name of the PKI realm.
[protocol] Specifies the protocol type: SCEP.

Possible Causes

  • The link between the device and CA server is Down.
  • The CA server is not working properly.
  • The PKI configuration is incorrect.

Procedure

  1. Run the ping command to check whether the link between the device and CA server is reachable.

    • If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
    • If so, go to step 2.

  2. Check whether the CA server is working properly.

    • If not, ensure that the CA server has the certificate service enabled and is working properly.
    • If so, go to step 3.

  3. Check whether the PKI configuration is correct, for example, certificate request signature algorithm, challenge password, CA ID, PKI entity common name, and CA server URL.

    • If not, modify the configuration to ensure that it is correct.
    • If so, go to step 4.

  4. Collect required information and contact technical support personnel.

PKI/5/GET_CA_CERT_OK

Message

PKI/5/GET_CA_CERT_OK: Realm [realm_name] succeeded in getting CA certificate through [protocol].

Description

Succeeded in obtaining the CA certificate through SCEP.

Parameters

Parameter Name Parameter Meaning
[realm_name] Specifies the name of the PKI realm.
[protocol] Specifies the protocol type: SCEP.

Possible Causes

Succeeded in obtaining the CA certificate through SCEP.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/GET_CERT_ERR

Message

PKI/4/GET_CERT_ERR: Manually obtaining certificate [file_name] through [protocol] failed.

Description

Obtaining a certificate manually failed.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the name of a certificate file.
[protocol] Specifies the protocol type: HTTP or SCEP.

Possible Causes

  • The link between the device and certificate server is Down.
  • The certificate server is not working properly.
  • The HTTP or SCEP configuration is incorrect.

Procedure

  1. Run the ping command to check whether the link between the device and certificate server is reachable.

    • If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
    • If so, go to step 2.

  2. Check whether the certificate server is working properly.

    • If not, ensure that the certificate server has the certificate service enabled and is working properly.
    • If so, go to step 3.

  3. Check whether the HTTP or SCEP configuration is correct, for example, the URL.

    • If not, modify the configuration to ensure that it is correct.
    • If so, go to step 4.

  4. Collect required information and contact technical support personnel.

PKI/5/GET_CERT_OK

Message

PKI/5/GET_CERT_OK: Manually obtaining certificate [file_name] through [protocol] succeeded.

Description

Obtaining a certificate succeeded.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the name of a certificate file.
[protocol] Specifies the protocol type: HTTP.

Possible Causes

A certificate was obtained successfully by running the pki http command.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/GETTING_CRL

Message

PKI/4/GETTING_CRL: Realm [realm_name] is getting CRL through [protocol]...

Description

The realm is obtaining a CRL automatically.

Parameters

Parameter Name Parameter Meaning
[realm_name] Specifies the PKI realm name.
[protocol] Specifies the protocol type: HTTP or SCEP.

Possible Causes

The realm is obtaining a CRL automatically.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/GET_CRL_ERR

Message

PKI/4/GET_CRL_ERR: Realm [realm_name] failed to obtain CRL through [protocol].

Description

Failed to obtain the CRL.

Parameters

Parameter Name Parameter Meaning
[realm_name] Specifies the name of the PKI realm.
[protocol] Specifies the protocol type: HTTP or SCEP.

Possible Causes

  • The link between the device and CRL server is Down.
  • The CRL server is not working properly.
  • The PKI configuration is incorrect.

Procedure

  1. Run the ping command to check whether the link between the device and CRL server is reachable.

    • If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
    • If so, go to step 2.

  2. Check whether the CRL server is working properly.

    • If not, ensure that the CRL server has the CRL service enabled and is working properly.
    • If so, go to step 3.

  3. Check whether the PKI configuration is correct, including the URL of the CDP and CRL update mode.

    • If not, modify the configuration to ensure that it is correct.
    • If so, go to step 4.

  4. Collect required information and contact technical support personnel.

PKI/5/GET_CRL_OK

Message

PKI/5/GET_CRL_OK: Realm [realm_name] succeeded in obtaining CRL through [protocol].

Description

Succeeded in obtaining the CRL.

Parameters

Parameter Name Parameter Meaning
[realm_name] Specifies the name of the PKI realm.
[protocol] Specifies the protocol type: HTTP or SCEP.

Possible Causes

Succeeded in obtaining the CRL through HTTP or SCEP.

Procedure

  1. This log message is informational only, and no action is required.

PKI/5/GET_LOCAL_CERT_OK

Message

PKI/5/GET_LOCAL_CERT_OK: Realm [realm_name] succeeded in getting local certificate through [protocol].

Description

Succeeded in obtaining the local certificate through SCEP.

Parameters

Parameter Name Parameter Meaning
[realm_name] Specifies the name of the PKI realm.
[protocol] Specifies the protocol type: SCEP.

Possible Causes

Succeeded in obtaining the local certificate through SCEP.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/GET_LOCAL_CERT_ERR

Message

PKI/4/GET_LOCAL_CERT_ERR: Realm [realm_name] failed to get local certificate through [protocol].

Description

Failed to obtain the local certificate through SCEP.

Parameters

Parameter Name Parameter Meaning
[realm_name] Specifies the name of the PKI realm.
[protocol] Specifies the protocol type: SCEP.

Possible Causes

  • The link between the device and CA server is Down.
  • The CA server is not working properly.
  • No CA and RA certificates are installed on the device.
  • The PKI configuration is incorrect.

Procedure

  1. Run the ping command to check whether the link between the device and CA server is reachable.

    • If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
    • If so, go to step 2.

  2. Check whether the CA server is working properly.

    • If not, ensure that the CA server has the certificate service enabled and is working properly.
    • If so, go to step 3.

  3. Check whether the CA and RA certificates have been installed.

    • If not, install the CA and RA certificates and ensure that the certificates are within the validity period.
    • If so, and the CA and RA certificates are not within the validity period, update the CA and RA certificates.
    • If so, and the CA and RA certificates are within the validity period, go to step 4.

  4. Check whether the PKI configuration is correct, for example, certificate request signature algorithm, challenge password, CA ID, PKI entity common name, and CA server URL.

    • If not, modify the configuration to ensure that it is correct.
    • If so, go to step 5.

  5. Collect required information and contact technical support personnel.

PKI/4/KEY_IMPORT_FAILED

Message

PKI/4/KEY_IMPORT_FAILED: Importing [key_type] key pair [key_name] failed (Reason=[reason]).

Description

The key pair failed to be imported.

Parameters

Parameter Name Parameter Meaning
key_type Key pair type.
key_name Name of the key pair.
reason Reason for the key pair import failure.

Possible Causes

saving key pairs failed: The key pair fails to be saved.

Procedure

  1. Check whether the storage medium is available. If not, use an available storage medium.
  2. Check whether the storage space is full. If so, delete unnecessary files.

PKI/4/KEY_IMPORT_OK

Message

PKI/4/KEY_IMPORT_OK: Importing [key_type] key pair [key_name] succeeded.

Description

The key pair was successfully imported.

Parameters

Parameter Name Parameter Meaning
key_type Key pair type.
key_name Specifies the name of a key pair.

Possible Causes

The key pair was successfully imported.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/GETTING_LOCAL_CERT

Message

PKI/4/GETTING_LOCAL_CERT: Realm [realm_name] is getting local certificate through [protocol]...

Description

The realm was obtaining a local certificate using SCEP.

Parameters

Parameter Name Parameter Meaning
[realm_name] Specifies the name of a PKI realm.
[protocol] Specifies the protocol type: SCEP.

Possible Causes

A command was executed to obtain a local certificate using SCEP.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/LOCAL_IMPORT_ERR

Message

PKI/4/LOCAL_IMPORT_ERR: Importing local certificate file ([file_name]) failed.

Description

Importing a local certificate failed.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the file name of a local certificate.

Possible Causes

  • The certificate file does not exist.
  • The certificate file name is invalid.
  • The certificate format is incorrect.
  • The certificate storage path is incorrect.
  • The same certificate exists on the device.

Procedure

  1. Run the display pki certificate filename file-name command to check whether the certificate exists.

    • If not, use methods such as SFTP to upload the certificate to the storage medium of the device.

    • If so, go to step 2.

  2. Check whether the imported certificate file name meets requirements.

    • If not, change the certificate file name in accordance with requirements.
    • If so, go to step 3.

  3. Run the pki import-certificate local command to check whether the certificate format selected during certificate import is correct.

    • If not, select the correct certificate format when importing the certificate.
    • If so, go to step 4.

  4. Run the dir and display pki credential-storage-path commands in the user view to check whether the certificate storage path is the same as the default storage path of the certificate.

    • If not, save the certificate to the default storage path.
    • If so, go to step 5.

  5. Run the display pki certificate local command to check whether the same certificate has been installed on the device or whether the same issuer and subject certificates exist on the device.

    • If so, run the pki delete-certificate command in the system view to delete this certificate.
    • If not, go to step 6.

  6. Collect required information and contact technical support personnel.

PKI/4/LOCAL_IMPORT_OK

Message

PKI/4/LOCAL_IMPORT_OK: Importing local certificate file ([file_name]) succeeded.

Description

Importing a local certificate succeeded.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the file name of a local certificate.

Possible Causes

Importing a local certificate succeeded.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/LOCAL_WILL_EXPIRED

Message

PKI/4/LOCAL_WILL_EXPIRED: LOCAL certificate ([subject_name]) will expire in [day] days.

Description

A local certificate was about to expire.

Parameters

Parameter Name Parameter Meaning
[subject_name] Specifies the subject of a local certificate.
[day] Specifies the number of days before the local certificate expires.

Possible Causes

The local certificate in the memory was about to expire.

Procedure

  • Apply for certificates online using SCEP.

    • If the automatic certificate update function is configured, the device automatically updates certificates using SCEP when the certificates are about to expire or have expired.

      You need to ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.

    • If the automatic certificate update function is not configured, run the pki enroll-certificate realm command in the system view to manually update the certificates.

      Ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.

  • Apply for certificates offline.

    1. Send the certificate request file to the CA server through the web system, disk, or email to apply for a CA certificate and local certificate.

    2. Run the pki delete-certificate command in the system view to delete the old CA certificate and local certificate from the device memory.

    3. Use methods such as SFTP to upload the obtained CA and local certificates to the storage medium of the device, and run the pki import-certificate command in the system view to import the certificates to the memory of the device.

PKI/4/LOCAL_EXPIRED

Message

PKI/4/LOCAL_EXPIRED: LOCAL certificate ([subject_name]) has expired for [day] days.

Description

A local certificate expired.

Parameters

Parameter Name Parameter Meaning
[subject_name] Specifies the subject of a local certificate.
[day] Specifies the number of days after a local certificate expired.

Possible Causes

  • The certificate failed to be updated automatically.
  • The certificate was not updated manually.

Procedure

  • Apply for certificates online using SCEP.

    • If the automatic certificate update function is configured, the device automatically updates certificates using SCEP when the certificates are about to expire or have expired.

      You need to ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.

    • If the automatic certificate update function is not configured, run the pki enroll-certificate realm command in the system view to manually update the certificates.

      Ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.

  • Apply for certificates offline.

    1. Send the certificate request file to the CA server through the web system, disk, or email to apply for a CA certificate and local certificate.

    2. Run the pki delete-certificate command in the system view to delete the old CA certificate and local certificate from the device memory.

    3. Use methods such as SFTP to upload the obtained CA and local certificates to the storage medium of the device, and run the pki import-certificate command in the system view to import the certificates to the memory of the device.

PKI/4/LOCAL_VALID

Message

PKI/4/LOCAL_VALID: LOCAL certificate ([subject_name]) will be valid in [day] days.

Description

A local certificate was not yet valid.

Parameters

Parameter Name Parameter Meaning
[subject_name] Specifies the subject of a local certificate.
[day] Specifies the number of days before a local certificate takes effect.

Possible Causes

The system time of the device does not reach the start time of the certificate validity period.

Procedure

  1. Run the display clock command to check whether the system time of the device is correct.

    • If not, run the clock datetime command in the user view to change the system time of the device.
    • If so, go to step 2.

  2. Collect required information and contact technical support personnel.

PKI/4/GET_CRL_ERR

Message

PKI/4/GET_CRL_ERR: Manually obtaining CRL [file_name] through [protocol] failed.

Description

Obtaining a CRL manually failed.

Parameters

Parameter Name Parameter Meaning
file_name Specifies the file name of a CRL.
protocol Specifies the protocol type: HTTP or SCEP.

Possible Causes

  • The link between the device and CRL server is Down.
  • The CRL server is not working properly.
  • The HTTP or SCEP configuration is incorrect.

Procedure

  1. Run the ping command to check whether the link between the device and CRL server is reachable.

    • If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
    • If so, go to step 2.

  2. Check whether the CRL server is working properly.

    • If not, ensure that the CRL server has the CRL service enabled and is working properly.
    • If so, go to step 3.

  3. Check whether the HTTP or SCEP configuration is correct, for example, the URL.

    • If not, modify the configuration to ensure that it is correct.
    • If so, go to step 4.

  4. Collect required information and contact technical support personnel.

PKI/5/GET_CRL_OK

Message

PKI/5/GET_CRL_OK: Manually obtaining CRL [file_name] through [protocol] succeeded.

Description

Obtaining a CRL succeeded.

Parameters

Parameter Name Parameter Meaning
[file_name] Specifies the file name of a CRL.
[protocol] Specifies the protocol type: HTTP.

Possible Causes

Obtaining a CRL succeeded.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/OCSP_IMPORT_OK

Message

PKI/4/OCSP_IMPORT_OK: Importing OCSP certificate file ([string]) succeeded.

Description

The OCSP certificate was imported successfully.

Parameters

Parameter Name Parameter Meaning
[string] Specifies the name of an OCSP certificate file.

Possible Causes

The OCSP certificate was imported successfully.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/PEER_IMPORT_ERR

Message

PKI/4/PEER_IMPORT_ERR: Importing PEER certificate file ([string]) failed.

Description

The peer certificate failed to be imported.

Parameters

Parameter Name Parameter Meaning
[string] Specifies the name of a peer certificate file.

Possible Causes

  • The certificate file does not exist.
  • The certificate file name is invalid.
  • The certificate format is incorrect.
  • The certificate storage path is incorrect.
  • The same certificate exists on the device.

Procedure

  1. Run the display pki certificate filename file-name command to check whether the certificate exists.

    • If not, use methods such as SFTP to upload the certificate to the storage medium of the device.

    • If so, go to step 2.

  2. Check whether the imported certificate file name meets requirements.

    • If not, change the certificate file name in accordance with requirements.
    • If so, go to step 3.

  3. Run the pki import-certificate peer command to check whether the certificate format selected during certificate import is correct.

    • If not, select the correct certificate format when importing the certificate.
    • If so, go to step 4.

  4. Run the dir and display pki credential-storage-path commands in the user view to check whether the certificate storage path is the same as the default storage path of the certificate.

    • If not, save the certificate to the default storage path.
    • If so, go to step 5.

  5. Run the display pki peer-certificate command to check whether the same certificate has been installed on the device or whether the same issuer and subject certificates exist on the device.

    • If so, run the pki release-certificate peer command in the system view to delete this certificate.
    • If not, go to step 6.

  6. Collect required information and contact technical support personnel.

PKI/4/PEER_IMPORT_OK

Message

PKI/4/PEER_IMPORT_OK: Importing PEER certificate file ([string]) succeeded.

Description

The PEER certificate was imported successfully.

Parameters

Parameter Name Parameter Meaning
[string] Specifies the name of a PEER certificate file.

Possible Causes

The PEER certificate was imported successfully.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/RSA_CREATE

Message

PKI/4/RSA_CREATE: RSA local key pair [key_name] will be created. The key has [key_bit] bits.

Description

An RSA key pair was created.

Parameters

Parameter Name Parameter Meaning
[key_name] Specifies the name of an RSA key pair.
[key_bit] Specifies the number of bits in the RSA key pair.

Possible Causes

The pki rsa local-key-pair create command was executed to create an RSA key pair.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/RSA_CREATE_FAILED

Message

PKI/4/RSA_CREATE_FAILED: Creating [key_type] local key pair [key_name] failed.

Description

Creating a key pair failed.

Parameters

Parameter Name Parameter Meaning
key_type Key pair type.
key_name Specifies the name of a key pair.

Possible Causes

The number of existing key pairs has reached the limit.

Procedure

  1. Delete unnecessary key pairs.
  2. If the fault persists, collect related information and contact technical support personnel.

PKI/4/RSA_CREATE_OK

Message

PKI/4/RSA_CREATE_OK: Creating [key_type] local key pair [key_name] succeeded.

Description

Creating a key pair succeeded.

Parameters

Parameter Name Parameter Meaning
key_type Key pair type.
key_name Specifies the name of a key pair.

Possible Causes

Creating a key pair succeeded.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/RSA_DESTROY

Message

PKI/4/RSA_DESTROY: RSA local key pair [key_name] will be deleted.

Description

An RSA key pair was to be deleted.

Parameters

Parameter Name Parameter Meaning
[key_name] Specifies the name of an RSA key pair.

Possible Causes

A command was executed to delete an RSA key pair.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/RSA_DESTROY_FAILED

Message

PKI/4/RSA_DESTROY_FAILED: Deleting [key_type] local key pair [key_name] failed.

Description

Deleting a key pair failed.

Parameters

Parameter Name Parameter Meaning
key_type Key pair type.
key_name Specifies the name of a key pair.

Possible Causes

  • The key pair does not exist.
  • The key pair is being used by services.

Procedure

  1. Check whether the key pair exists on the device. For example, run the display pki rsa local-key-pair public command to view RSA key pair information.

    • If not, confirm whether to delete another RSA key pair.
    • If so, go to step 2.

  2. Check whether the key pair is being used by services. For example, check whether it is being referenced by the PKI realm.

    • If so, ensure that the key pair is not used by any services.
    • If not, go to step 3.

  3. Collect required information and contact technical support personnel.

PKI/4/RSA_DESTROY_SUCCEED

Message

PKI/4/RSA_DESTROY_SUCCEED: Deleting [key_type] local key pair [key_name] succeeded.

Description

Deleting a key pair succeeded.

Parameters

Parameter Name Parameter Meaning
key_type Key pair type.
key_name Specifies the name of a key pair.

Possible Causes

Deleting a key pair succeeded.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/RSA_REPLACE

Message

PKI/4/RSA_REPLACE: RSA local key pair [key_name] will be replaced by a new one.

Description

An RSA key pair was to be replaced.

Parameters

Parameter Name Parameter Meaning
[key_name] Specifies the name of an RSA key pair.

Possible Causes

After a user ran a command to create an RSA key pair, a message was displayed indicating that a key pair with the same name already existed. The user chose to overwrite the original key pair.

Procedure

  1. This log message is informational only, and no action is required.

PKI/4/RSA_SAVE_FAILED

Message

PKI/4/RSA_SAVE_FAILED: Saving RSA local key pair [key_name] failed.

Description

Saving an RSA key pair failed.

Parameters

Parameter Name Parameter Meaning
[key_name] Specifies the name of an RSA key pair.

Possible Causes

Saving an RSA key pair failed.

Procedure

  1. Collect required information and contact technical support personnel.

PKI/4/SCEP_UPDATE_LOCAL_CERT_ERR

Message

PKI/4/SCEP_UPDATE_LOCAL_CERT_ERR: Updating the local certificate ([certificate-name]) through SCEP failed.

Description

The local certificate failed to be updated through SCEP.

Parameters

Parameter Name Parameter Meaning
certificate-name Indicates the name of a local certificate.

Possible Causes

The device failed to communicate with the CA server.

Procedure

  1. Check whether the route between the device and CA server is reachable using the ping function.

    • If the route between them is reachable, go to step 2.
    • If the route between them is unreachable, rectify the route and link fault to ensure a reachable route.

  2. Check whether the PKI configuration on the CA server is correct. The configuration includes the URL, CA name, digest method used for the signed certificate enrollment requests, challenge password used in SCEP certificate application, and digital fingerprint of the CA certificate.

    • If the configuration is incorrect, correct the configuration.
    • If the configuration is correct, go to step 3.

  3. Collect log and configuration information, and contact technical support personnel.

PKI/5/SCEP_UPDATE_LOCAL_CERT_OK

Message

PKI/5/SCEP_UPDATE_LOCAL_CERT_OK: Updating the local certificate ([certificate-name]) through SCEP succeeded.

Description

The local certificate was updated successfully through SCEP.

Parameters

Parameter Name Parameter Meaning
certificate-name Indicates the name of a local certificate.

Possible Causes

After the SCEP-based automatic certificate update function was enabled, the switch successfully updated the local certificate when the update time arrived.

Procedure

  1. This log is informational only, and no action is required.

PKI/4/YANG_CERT_UPDATE_ERR

Message

PKI/4/YANG_CERT_UPDATE_ERR: Updating the [certificate-type] certificate (realm=[realm-name]) through controller failed (ReasonCode=[reason-code],Reason=[reason]).

Description

The certificate failed to be updated through the controller.

Parameters

Parameter Name Parameter Meaning
certificate-type Certificate type
realm-name PKI realm name
reason-code Reason code of the certificate update failure:
  • 3: Invalid realm
  • 4: Shadow certificate does not exist
  • 5: Refreshing certificate failed
  • 6: Replacing key failed
  • 7: Certificate file does not exist
  • 8: Parsing file content failed
  • 9: Unsupported fileformat
  • 11: Saving shadow certificate failed
  • 12: Getting key of certificate Failed
  • 13: Saving shadow key failed
  • 14: Saving certificate file failed
  • 15: Importing certificate file failed
  • 16: Importing key failed
  • 18: Replacing certificate does not exist
  • 19: Invalid certificate path
  • 20: Unsupported operation
reason Reason for the certificate update failure:
  • Invalid realm
  • Shadow certificate does not exist
  • Refreshing certificate failed
  • Replacing key failed
  • Certificate file does not exist
  • Parsing file content failed
  • Unsupported fileformat
  • Saving shadow certificate failed
  • Getting key of certificate Failed
  • Saving shadow key failed
  • Saving certificate file failed
  • Importing certificate file failed
  • Importing key failed
  • Replacing certificate does not exist
  • Invalid certificate path
  • Unsupported operation

Possible Causes

For details, see the reasons for the certificate update failure listed under Parameters.

Procedure

  • Invalid realm

    Check whether the realm name is created or valid. For details about the PKI realm name specifications, see the pki realm command.

  • Shadow certificate does not exist

    Check whether the shadow certificate exists. If not, import it first.

  • Refreshing certificate failed, Replacing key failed, Saving shadow certificate failed, Saving shadow key failed, Saving certificate file failed, or Importing key failed

    Check whether the storage space on the device is full. If so, delete unnecessary files. If not, enable debugging of the PKI module in the user view and check debugging information to locate the fault, or contact technical support personnel.

  • Certificate file does not exist or Replacing certificate does not exist

    Check whether the certificate file or certificate has been imported to the storage media of the device.

  • Parsing file content failed

    Check whether the file format is correct.

  • Unsupported fileformat

    The device does not support this file format. Import a certificate file in the PEM format.

  • Getting key of certificate Failed

    Check whether the key pair corresponding to the certificate has been imported.

  • Importing certificate file failed

    Check whether the number of certificates reaches the maximum. If so, delete unused certificates.

  • Other reasons.

    Contact technical support personnel.

PKI/4/YANG_CERT_UPDATE_OK

Message

PKI/4/YANG_CERT_UPDATE_OK: Updating the [certificate-type] certificate (realm=[realm-name]) through controller succeeded.

Description

The certificate was successfully updated through the controller.

Parameters

Parameter Name Parameter Meaning
certificate-type Certificate type.
realm-name PKI realm name.

Possible Causes

The certificate was successfully updated through the controller.

Procedure

  1. This log message is informational only, and no action is required.
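
An added example (not part of Huawei's documentation): a Python parser for several of the message formats above that tells apart the two GET_CRL_ERR bodies and maps a YANG_CERT_UPDATE_ERR ReasonCode to the first check in its Procedure. The sample lines, the names in them, and the tolerance for a collector-added prefix are constructed assumptions.

```python
import re

# Every entry above shares the header PKI/<severity>/<MNEMONIC>: <body>.
# search() tolerates a timestamp/host prefix added by a collector (assumption).
HEADER = re.compile(r"PKI/(?P<sev>\d)/(?P<name>[A-Z_]+): (?P<body>.*)$")

# Body patterns transcribed from the Message fields on this page; hyphens in
# parameter names become underscores because regex group names cannot hold them.
# GET_CRL_ERR is documented twice with different bodies, so each mnemonic maps
# to a list of (variant, pattern) pairs tried in order.
TEMPLATES = {
    "GET_CRL_ERR": [
        ("realm", r"Realm (?P<realm_name>.+) failed to obtain CRL through (?P<protocol>\w+)\."),
        ("manual", r"Manually obtaining CRL (?P<file_name>.+) through (?P<protocol>\w+) failed\."),
    ],
    "LOCAL_WILL_EXPIRED": [
        ("default", r"LOCAL certificate \((?P<subject_name>.+)\) will expire in (?P<day>\d+) days\."),
    ],
    "LOCAL_EXPIRED": [
        ("default", r"LOCAL certificate \((?P<subject_name>.+)\) has expired for (?P<day>\d+) days\."),
    ],
    "YANG_CERT_UPDATE_ERR": [
        ("default", r"Updating the (?P<certificate_type>.+) certificate \(realm=(?P<realm_name>.+)\) "
                    r"through controller failed \(ReasonCode=(?P<reason_code>\d+),Reason=(?P<reason>.+)\)\."),
    ],
}

# First check from the YANG_CERT_UPDATE_ERR Procedure, keyed by ReasonCode.
YANG_ACTIONS = {
    3: "check that the PKI realm exists and its name is valid",
    4: "check that the shadow certificate exists; import it if not",
    8: "check that the file format is correct",
    9: "import a certificate file in the PEM format",
    12: "check that the key pair for the certificate has been imported",
    15: "check whether the number of certificates has reached the maximum",
}
YANG_ACTIONS.update(dict.fromkeys((5, 6, 11, 13, 14, 16), "check whether device storage is full"))
YANG_ACTIONS.update(dict.fromkeys((7, 18), "check that the certificate file or certificate was imported"))

def parse(line):
    """Return the parsed fields of a PKI log line, or None if it is not one."""
    head = HEADER.search(line.strip())
    if head is None:
        return None
    event = {"name": head["name"], "severity": int(head["sev"]), "variant": None, "params": {}}
    for variant, pattern in TEMPLATES.get(head["name"], []):
        match = re.fullmatch(pattern, head["body"])
        if match:
            event["variant"], event["params"] = variant, match.groupdict()
            break
    return event

def first_action(event):
    """Map a parsed event to the first step of its Procedure on this page."""
    if event["variant"] is None:
        return "no matching template: review manually"
    if event["name"] == "GET_CRL_ERR":
        return "ping the CRL server from the device"
    if event["name"] == "YANG_CERT_UPDATE_ERR":
        # Codes without their own Procedure entry (19, 20) fall under "Other reasons".
        return YANG_ACTIONS.get(int(event["params"]["reason_code"]), "contact technical support")
    return "renew the local certificate (SCEP or offline)"

# Constructed sample lines; realm, file, subject and certificate type are made up.
SAMPLE_LINES = [
    "PKI/4/GET_CRL_ERR: Realm branch1 failed to obtain CRL through HTTP.",
    "PKI/4/GET_CRL_ERR: Manually obtaining CRL branch1.crl through HTTP failed.",
    "2019-04-09 10:00:00 sw1 PKI/4/LOCAL_EXPIRED: LOCAL certificate (/CN=sw1.example.test) has expired for 3 days.",
    "PKI/4/YANG_CERT_UPDATE_ERR: Updating the local certificate (realm=branch1) "
    "through controller failed (ReasonCode=9,Reason=Unsupported fileformat).",
    "PKI/4/YANG_CERT_UPDATE_ERR: Updating the local certificate (realm=branch1) "
    "through controller failed (ReasonCode=19,Reason=Invalid certificate path).",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        event = parse(line)
        print(event["name"], event["variant"], "->", first_action(event))
```

A line whose mnemonic is known but whose body matches no template keeps `variant` set to `None`, so it is surfaced for manual review instead of being silently dropped.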
Updated: 2019-04-09

Document ID: EDOC1100065665
