PKI - S7700 V200R019C10 Log Reference

S7700 V200R019C10 Log Reference

This document provides the explanations, causes, and recommended actions of logs on the product.

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

PKI

PKI/4/GETTING_CA_CERT
PKI/4/CA_IMPORT_ERR
PKI/4/CA_IMPORT_OK
PKI/4/CA_WILL_EXPIRED
PKI/4/CA_EXPIRED
PKI/4/CA_VALID
PKI/4/GETTING_CERT
PKI/4/CLEAR_ALL_KEY
PKI/4/CMP_UPDATE_LOCAL_CERT_ERR
PKI/5/CMP_UPDATE_LOCAL_CERT_OK
PKI/5/CONFIRM_NO_CHECK_ALG
PKI/5/CONFIRM_NO_CHECK_VALIDATE
PKI/5/CONFIRM_COVER_OCSP_CERT
PKI/5/CONFIRM_COVER_PEER_CERT
PKI/5/CONFIRM_CREATE_CERT
PKI/5/CONFIRM_DESTROY_RSA
PKI/5/CONFIRM_EXPORT_KEYPAIR
PKI/5/CONFIRM_FINGERPRINT
PKI/5/CONFIRM_OVERWRITE_FILE
PKI/5/CONFIRM_OVERWRITE_RSA
PKI/4/CRL_IMPORT_ERR
PKI/4/CRL_IMPORT_OK
PKI/4/CRL_WILL_EXPIRED
PKI/4/CRL_EXPIRED
PKI/4/CRL_VALID
PKI/4/DEL_CA_ERR
PKI/4/DEL_CA_OK
PKI/4/DEL_CRL_OK
PKI/4/DEL_CRL_ERR
PKI/4/DEL_LOCAL_ERR
PKI/4/DEL_LOCAL_OK
PKI/4/DEL_OCSP_ERR
PKI/4/DEL_OCSP_OK
PKI/4/DEL_PEER_ERR
PKI/4/DEL_PEER_OK
PKI/4/CA_EXPORT_ERR
PKI/4/CA_EXPORT_OK
PKI/4/LOCAL_EXPORT_ERR
PKI/4/LOCAL_EXPORT_OK
PKI/4/GET_CA_CERT_ERR
PKI/5/GET_CA_CERT_OK
PKI/4/GET_CA_CHAIN_ERR
PKI/4/GET_CERT_ERR
PKI/5/GET_CERT_OK
PKI/4/GETTING_CRL
PKI/4/GET_CRL_ERR
PKI/5/GET_CRL_OK
PKI/5/GET_LOCAL_CERT_OK
PKI/4/GET_LOCAL_CERT_ERR
PKI/4/HTTP_AUTO_GET_CRL_ERR
PKI/4/HTTP_GET_CERT_ERR
PKI/4/HTTP_GET_CRL_ERR
PKI/4/KEY_IMPORT_FAILED
PKI/4/KEY_IMPORT_OK
PKI/4/GETTING_LOCAL_CERT
PKI/4/LOCAL_IMPORT_ERR
PKI/4/LOCAL_IMPORT_OK
PKI/4/LOCAL_WILL_EXPIRED
PKI/4/LOCAL_EXPIRED
PKI/4/LOCAL_VALID
PKI/4/GET_CRL_ERR
PKI/5/GET_CRL_OK
PKI/4/OCSP_IMPORT_ERR
PKI/4/OCSP_IMPORT_OK
PKI/4/PEER_IMPORT_ERR
PKI/4/PEER_IMPORT_OK
PKI/4/RSA_CREATE
PKI/4/RSA_CREATE_FAILED
PKI/4/RSA_CREATE_OK
PKI/4/RSA_DESTROY
PKI/4/RSA_DESTROY_FAILED
PKI/4/RSA_DESTROY_SUCCEED
PKI/4/RSA_REPLACE
PKI/4/RSA_SAVE_FAILED
PKI/4/SCEP_UPDATE_LOCAL_CERT_ERR
PKI/5/SCEP_UPDATE_LOCAL_CERT_OK
PKI/4/YANG_CERT_UPDATE_ERR
PKI/4/YANG_CERT_UPDATE_OK

PKI/4/GETTING_CA_CERT

Message

PKI/4/GETTING_CA_CERT: Realm [realm_name] is obtaining CA certificate through [protocol]...

Description

The realm was obtaining a CA certificate using SCEP.

Parameters

Parameter Name	Parameter Meaning
realm_name	Specifies the name of a PKI realm.
protocol	Specifies the protocol type as SCEP.

Possible Causes

The realm was obtaining a CA certificate using SCEP.

Procedure

This log message is informational only, and no action is required.

PKI/4/CA_IMPORT_ERR

Message

PKI/4/CA_IMPORT_ERR: Importing CA certificate file ([file_name]) failed.

Description

Failed to import a CA certificate.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the name of a CA certificate file.

Possible Causes

The certificate file does not exist.
The certificate file name is invalid.
The certificate format is incorrect.
The certificate storage path is incorrect.
The same certificate exists on the device.

Procedure

Run the display pki certificate filename file-name to check whether the certificate exists.
- If not, use methods such as SFTP to upload the certificate to the storage medium of the device.
- If so, go to step 2.
Check whether the imported certificate file name meets requirements.
- If not, change the certificate file name in accordance with requirements.
- If so, go to step 3.
Run the pki import-certificate ca command to check whether the certificate format selected during certificate import is correct.
- If not, select the correct certificate format when importing the certificate.
- If so, go to step 4.
Run the dir and display pki credential-storage-path commands in the user view to check whether the certificate storage path is the same as the default storage path of the certificate.
- If not, save the certificate to the default storage path.
- If so, go to step 5.
Run the display pki certificate ca command to check whether the same certificate has been installed on the device or whether the same issuer and subject certificates exist on the device.
- If so, run the pki delete-certificate command in the system view to delete this certificate.
- If not, go to step 6.
Collect required information and contact technical support personnel.

PKI/4/CA_IMPORT_OK

Message

PKI/4/CA_IMPORT_OK: Importing CA certificate file ([file_name]) succeeded.

Description

Importing a CA certificate succeeded.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the name of a CA certificate file.

Possible Causes

Manually importing a CA certificate succeeded.

Procedure

This log message is informational only, and no action is required.

PKI/4/CA_WILL_EXPIRED

Message

PKI/4/CA_WILL_EXPIRED: CA certificate ([subject_name]) will expire in [day] days.

Description

A CA certificate was to expire.

Parameters

Parameter Name	Parameter Meaning
subject_name	Specifies the subject of a CA certificate.
day	Specifies the validity period of the CA certificate.

Possible Causes

The CA certificate in the memory was to expire.

Procedure

Apply for certificates online using SCEP or CMPv2.
- If the automatic certificate update function is configured, the device automatically updates certificates using SCEP or CMPv2 when the certificates are about to expire or have expired.
  
  You need to ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
- If the automatic certificate update function is not configured, and SCEP is used, run the pki enroll-certificate realm command in the system view to manually update the certificates. If CMPv2 is used, run the pki cmp keyupdate-request session command in the system view to manually update the certificates.
  
  Ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
Apply for certificates offline.
1. Send the certificate request file to the CA server through the web system, disk, or email to apply for a CA certificate and local certificate.
2. Run the pki delete-certificate command in the system view to delete the old CA certificate and local certificate from the device memory.
3. Use methods such as SFTP to upload the obtained CA and local certificates to the storage medium of the device, and run the pki import-certificate command in the system view to import the certificates to the memory of the device.

PKI/4/CA_EXPIRED

Message

PKI/4/CA_EXPIRED: CA certificate ([subject_name]) has expired for [day] days.

Description

A CA certificate expired.

Parameters

Parameter Name	Parameter Meaning
subject_name	Specifies the subject of a CA certificate.
day	Specifies the number of days after a CA certificate expired.

Possible Causes

The certificate failed to be updated automatically.
The certificate was not updated manually.

Procedure

Apply for certificates online using SCEP or CMPv2.
- If the automatic certificate update function is configured, the device automatically updates certificates using SCEP or CMPv2 when the certificates are about to expire or have expired.
  
  You need to ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
- If the automatic certificate update function is not configured, and SCEP is used, run the pki enroll-certificate realm command in the system view to manually update the certificates. If CMPv2 is used, run the pki cmp keyupdate-request session command in the system view to manually update the certificates.
  
  Ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
Apply for certificates offline.
1. Send the certificate request file to the CA server through the web system, disk, or email to apply for a CA certificate and local certificate.
2. Run the pki delete-certificate command in the system view to delete the old CA certificate and local certificate from the device memory.
3. Use methods such as SFTP to upload the obtained CA and local certificates to the storage medium of the device, and run the pki import-certificate command in the system view to import the certificates to the memory of the device.

PKI/4/CA_VALID

Message

PKI/4/CA_VALID: CA certificate ([subject_name]) will be valid in [day] days.

Description

A CA certificate was invalid.

Parameters

Parameter Name	Parameter Meaning
subject_name	Specifies the subject of a CA certificate.
day	Specifies the number of days before a CA certificate takes effect.

Possible Causes

The system time of the device does not reach the start time of the certificate validity period.

Procedure

Run the display clock command to check whether the system time of the device is correct.
- If not, run the clock datetime command in the user view to change the system time of the device.
- If so, go to step 2.
Collect required information and contact technical support personnel.

PKI/4/GETTING_CERT

Message

PKI/4/GETTING_CERT: Manually obtaining certificate [file_name] through [protocol]...

Description

A certificate was being manually obtained.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the name of a certificate file.
protocol	Specifies the protocol type as HTTP.

Possible Causes

A command was executed to obtain a certificate.

Procedure

This log message is informational only, and no action is required.

PKI/4/CLEAR_ALL_KEY

Message

PKI/4/CLEAR_ALL_KEY: PKI was notified to clear all [string] in the device (Reason=[reason]).

Description

PKI was notified to delete all key pairs or certificates in the device.

Parameters

Parameter Name	Parameter Meaning
string	Specifies the key pair or certificate file name.
reason	Specifies the deletion reasons: reset factory configuration: A command is executed to restore factory settings at one click. batch back up: Key pairs or certificates on the standby device are deleted during batch backup.

Possible Causes

A command is executed to restore factory settings at one click.
Key pairs or certificates on the standby device are deleted during batch backup.

Procedure

This log is informational only, and no action is required.

PKI/4/CMP_UPDATE_LOCAL_CERT_ERR

Message

PKI/4/CMP_UPDATE_LOCAL_CERT_ERR: Updating the local certificate ([certificate-name]) through CMPv2 failed.

Description

The local certificate failed to be updated through CMPv2.

Parameters

Parameter Name	Parameter Meaning
certificate-name	Specifies the name of a local certificate file.

Possible Causes

The device failed to communicate with the CMPv2 server.

Procedure

Check whether the route between the device and CMPv2 server is reachable using the ping function.
- If the route between them is reachable, go to step 2.
- If the route between them is unreachable, rectify the route and link fault to ensure a reachable route.
Check whether the PKI configuration on the CMPv2 server is correct. The configuration includes the URL and CA name.
- If the configuration is incorrect, correct the configuration.
- If the configuration is correct, go to step 3.
Collect log and configuration information, and contact technical support personnel.

PKI/5/CMP_UPDATE_LOCAL_CERT_OK

Message

PKI/5/CMP_UPDATE_LOCAL_CERT_OK: Updating the local certificate ([certificate-name]) through CMPv2 succeeded.

Description

The local certificate was updated successfully through CMPv2.

Parameters

Parameter Name	Parameter Meaning
certificate-name	Indicates the name of a local certificate.

Possible Causes

After the CMPv2-based automatic certificate update function was enabled, the switch successfully updated the local certificate when the update time arrived.

Procedure

This log is informational only, and no action is required.

PKI/5/CONFIRM_NO_CHECK_ALG

Message

PKI/5/CONFIRM_NO_CHECK_ALG: The user chose [string] when deciding whether to import unsafe certificate.

Description

The user decided whether to import an insecure CA or local certificate.

Parameters

Parameter Name	Parameter Meaning
string	Specifies whether the user chooses to import an insecure certificate: Y/N.

Possible Causes

When the user imported an insecure CA or local certificate, this message was displayed to ask the user whether to continue the operation.

Procedure

This log message is informational only, and no action is required.

PKI/5/CONFIRM_NO_CHECK_VALIDATE

Message

PKI/5/CONFIRM_NO_CHECK_VALIDATE: The user chose [string] when deciding whether to import expired certificate.

Description

The user decided whether to import an expired CA or local certificate.

Parameters

Parameter Name	Parameter Meaning
string	Specifies whether the user chooses to import an expired certificate: Y/N.

Possible Causes

When the user imported an expired CA or local certificate, this message was displayed to ask the user whether to continue the operation.

Procedure

This log message is informational only, and no action is required.

PKI/5/CONFIRM_COVER_OCSP_CERT

Message

PKI/5/CONFIRM_COVER_OCSP_CERT: The user chose [string] when deciding whether to cover the old OCSP certificate with the new one.

Description

The user decided whether to overwrite the old OCSP certificate.

Parameters

Parameter Name	Parameter Meaning
string	Indicates the operation chosen by the user: Y: overwrites the old OCSP certificate. N: not overwrite the old OCSP certificate.

Possible Causes

When a user imports an OCSP certificate in a PKI domain, an OCSP certificate already exists in the domain.

Procedure

This log is informational only, and no action is required.

PKI/5/CONFIRM_COVER_PEER_CERT

Message

PKI/5/CONFIRM_COVER_PEER_CERT: The user chose [string] when deciding whether to cover the old peer certificate with the new one.

Description

The user decided whether to overwrite the old peer certificate.

Parameters

Parameter Name	Parameter Meaning
string	Indicates the operation chosen by the user: Y: overwrites the old peer certificate. N: not overwrite the old peer certificate.

Possible Causes

When a user imports a peer certificate, the same peer certificate already exists on the device.

Procedure

This log is informational only, and no action is required.

PKI/5/CONFIRM_CREATE_CERT

Message

PKI/5/CONFIRM_CREATE_CERT: The user chose [string] when deciding whether to create the new certificate.

Description

The user decided whether to create a self-signed certificate.

Parameters

Parameter Name	Parameter Meaning
string	Indicates the operation chosen by the user: Y: creates a self-signed certificate. N: not create a self-signed certificate.

Possible Causes

A user creates a self-signed certificate.

Procedure

This log is informational only, and no action is required.

PKI/5/CONFIRM_DESTROY_RSA

Message

PKI/5/CONFIRM_DESTROY_RSA: The user chose [string] when deciding whether to destroy the RSA key pair.

Description

The user decided whether to destroy the RSA key pair.

Parameters

Parameter Name	Parameter Meaning
string	Indicates the operation chosen by the user: Y: destroys the RSA key pair. N: not destroy the RSA key pair.

Possible Causes

The user destroys the RSA key pair.

Procedure

This log is informational only, and no action is required.

PKI/5/CONFIRM_EXPORT_KEYPAIR

Message

PKI/5/CONFIRM_EXPORT_KEYPAIR: The user chose [string] when deciding whether to export key pair.

Description

The user decided whether to export the key pair.

Parameters

Parameter Name	Parameter Meaning
string	Indicates the operation chosen by the user: Y: exports the key pair. N: not export the key pair.

Possible Causes

The user exports the key pair.

Procedure

This log is informational only, and no action is required.

PKI/5/CONFIRM_FINGERPRINT

Message

PKI/5/CONFIRM_FINGERPRINT: The user chose [string] when deciding whether the fingerprint is correct.

Description

The user confirmed whether the CA certificate fingerprint was correct.

Parameters

Parameter Name	Parameter Meaning
string	Indicates the operation chosen by the user: Y: indicates that the fingerprint is correct. N: indicates that the fingerprint is incorrect.

Possible Causes

The user imports a CA certificate in the PKI domain.

Procedure

This log is informational only, and no action is required.

PKI/5/CONFIRM_OVERWRITE_FILE

Message

PKI/5/CONFIRM_OVERWRITE_FILE: The user chose [string] when deciding whether to overwrite the exist file.

Description

The user confirmed whether to overwrite an existing certificate file.

Parameters

Parameter Name	Parameter Meaning
string	Indicates the operation chosen by the user: Y: overwrites an existing certificate file. N: not overwrite an existing certificate file.

Possible Causes

When exporting a certificate file, the user uses an existing certificate file name.

Procedure

This log is informational only, and no action is required.

PKI/5/CONFIRM_OVERWRITE_RSA

Message

PKI/5/CONFIRM_OVERWRITE_RSA: The user chose [string] when deciding whether to overwrite the old RSA key pair.

Description

The user decided whether to overwrite the old RSA key pair.

Parameters

Parameter Name	Parameter Meaning
string	Indicates the operation chosen by the user: Y: overwrites the old RSA key pair. N: not overwrite the old RSA key pair.

Possible Causes

When creating an RSA key pair, the user uses an existing RSA key pair name.

Procedure

This log is informational only, and no action is required.

PKI/4/CRL_IMPORT_ERR

Message

PKI/4/CRL_IMPORT_ERR: Importing CRL file ([file_name]) failed.

Description

Failed to import a CRL.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the CRL file name.

Possible Causes

The CRL file does not exist.
The CRL file name is invalid.
The CRL file format is incorrect.
The CRL file storage path is incorrect.

Procedure

Run the display pki crl filename file-name to check whether the CRL file exists.
- If not, use methods such as SFTP to upload the CRL file to the storage medium of the device.
- If so, go to step 2.
Check whether the CRL file name meets requirements.
- If not, change the CRL file name in accordance with requirements.
- If so, go to step 3.
Check whether the CRL file format is correct.
- If not, use the CRL file format supported by the device, for example, DER and PEM.
- If so, go to step 4.
Run the dir and display pki credential-storage-path commands in the user view to check whether the CRL file storage path is the same as the default storage path of the CRL file.
- If not, save the CRL file to the default storage path.
- If so, go to step 5.
Collect required information and contact technical support personnel.

PKI/4/CRL_IMPORT_OK

Message

PKI/4/CRL_IMPORT_OK: Importing CRL file ([file_name]) succeeded.

Description

Importing a CRL succeeded.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the CRL file name.

Possible Causes

Importing a CRL succeeded.

Procedure

This log message is informational only, and no action is required.

PKI/4/CRL_WILL_EXPIRED

Message

PKI/4/CRL_WILL_EXPIRED: CRL ([issuer_name]) will expire in [day] days.

Description

A CRL was to expire.

Parameters

Parameter Name	Parameter Meaning
issuer_name	Specifies the name of the CRL issuer.
day	Specifies the validity period of the CRL.

Possible Causes

The CRL in the memory was to expire.

Procedure

Automatic CRL update
1. Check the link between the device and CRL distribution server.
  If the link is not working properly, ensure that it is working properly.
2. Check whether automatic CRL update is enabled.
  If automatic CRL update is disabled, run the crl auto-update enable command in the PKI realm view to enable it.
3. Check whether the CRL-related PKI configuration is correct, including the URL of the CRL distribution point (CDP) and CRL update mode.
  If the configuration is incorrect, modify the configuration to ensure that it is correct.
Manual CRL update
1. Select the manual CRL update mode based on the service modes provided by CA and supported by the device, for example, run the pki http command in the system view to download a CRL using HTTP.
2. Run the pki import-crl command in the system view to import the CRL to the device memory.

PKI/4/CRL_EXPIRED

Message

PKI/4/CRL_EXPIRED: CRL ([issuer_name]) has expired for [day] days.

Description

A CRL expired.

Parameters

Parameter Name	Parameter Meaning
issuer_name	Specifies the name of the CRL issuer.
day	Specifies the number of days after the CRL expired.

Possible Causes

The device failed to automatically update the CRL.
The CRL was not updated manually.

Procedure

Automatic CRL update
1. Check the link between the device and CRL distribution server.
  If the link is not working properly, ensure that it is working properly.
2. Check whether automatic CRL update is enabled.
  If automatic CRL update is disabled, run the crl auto-update enable command in the PKI realm view to enable it.
3. Check whether the CRL-related PKI configuration is correct, including the URL of the CRL distribution point (CDP) and CRL update mode.
  If the configuration is incorrect, modify the configuration to ensure that it is correct.
Manual CRL update
1. Select the manual CRL update mode based on the service modes provided by CA and supported by the device, for example, run the pki http command in the system view to download a CRL using HTTP.
2. Run the pki import-crl command in the system view to import the CRL to the device memory.

PKI/4/CRL_VALID

Message

PKI/4/CRL_VALID: CRL ([issuer_name]) will be valid in [day] days.

Description

A CRL was invalid.

Parameters

Parameter Name	Parameter Meaning
issuer_name	Specifies the name of the CRL issuer.
day	Specifies the number of days before the CRL takes effect.

Possible Causes

The system time of the device does not reach the start time of the CRL validity period.

Procedure

Run the display clock command to check whether the system time of the device is correct.
- If not, run the clock datetime command in the user view to change the system time of the device.
- If so, go to step 2.
Collect required information and contact technical support personnel.

PKI/4/DEL_CA_ERR

Message

PKI/4/DEL_CA_ERR: Deleting CA certificate file ([file_name]) failed.

Description

Deleting a CA certificate failed.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the name of a certificate file.

Possible Causes

The CA certificate does not exist.
The CA certificate is being used by services.

Procedure

Run the display pki certificate ca to check whether the CA certificate exists.
- If not, confirm whether to delete another certificate.
- If so, go to step 2.
Check whether this certificate is being used by services.
- If so, ensure that this certificate is not being used by services before deleting the certificate.
- If not, go to step 3.
Collect required information and contact technical support personnel.

PKI/4/DEL_CA_OK

Message

PKI/4/DEL_CA_OK: Deleting CA certificate file ([file_name]) succeeded.

Description

Deleting a CA certificate succeeded.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the name of a certificate file.

Possible Causes

Deleting a CA certificate from the memory succeeded.

Procedure

This log message is informational only, and no action is required.

PKI/4/DEL_CRL_OK

Message

PKI/4/DEL_CRL_OK: Deleting CRL file ([file_name]) succeeded.

Description

Succeeded in deleting a CRL.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the CRL file name.

Possible Causes

Deleting a CRL from the memory succeeded.

Procedure

This log message is informational only, and no action is required.

PKI/4/DEL_CRL_ERR

Message

PKI/4/DEL_CRL_ERR: Deleting CRL file ([file_name]) failed.

Description

Failed to delete a CRL.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the CRL file name.

Possible Causes

The CRL does not exist.

Procedure

Run the display pki crl to check whether the CRL exists.
- If not, confirm whether to delete another CRL.
- If so, go to step 2.
Collect required information and contact technical support personnel.

PKI/4/DEL_LOCAL_ERR

Message

PKI/4/DEL_LOCAL_ERR: Deleting local certificate file ([file_name]) failed.

Description

Deleting a local certificate failed.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the name of a certificate file.

Possible Causes

The local certificate does not exist.
The local certificate is being used by services.

Procedure

Run the display pki certificate local to check whether the local certificate exists.
- If not, confirm whether to delete another certificate.
- If so, go to step 2.
Check whether this certificate is being used by services.
- If so, ensure that this certificate is not being used by services before deleting the certificate.
- If not, go to step 3.
Collect required information and contact technical support personnel.

PKI/4/DEL_LOCAL_OK

Message

PKI/4/DEL_LOCAL_OK: Deleting local certificate file ([file_name]) succeeded.

Description

Deleting a local certificate succeeded.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the name of a certificate file.

Possible Causes

Deleting a local certificate from the memory succeeded.

Procedure

This log message is informational only, and no action is required.

PKI/4/DEL_OCSP_ERR

Message

PKI/4/DEL_OCSP_ERR: Deleting OCSP certificate file ([string]) failed.

Description

An OCSP certificate failed to be deleted.

Parameters

Parameter Name	Parameter Meaning
string	Specifies the name of an OCSP certificate file.

Possible Causes

The OCSP certificate does not exist.
The OCSP certificate is being used by services.

Procedure

Run the display pki certificate ocsp to check whether the OCSP certificate exists.
- If not, confirm whether to delete another certificate.
- If so, go to step 2.
Check whether this certificate is being used by services.
- If so, ensure that this certificate is not being used by services before deleting the certificate.
- If not, go to step 3.
Collect required information and contact technical support personnel.

PKI/4/DEL_OCSP_OK

Message

PKI/4/DEL_OCSP_OK: Deleting OCSP certificate file ([string]) succeeded.

Description

An OCSP certificate succeeded to be deleted.

Parameters

Parameter Name	Parameter Meaning
string	Specifies the name of an OCSP certificate file.

Possible Causes

An OCSP certificate succeeded to be deleted.

Procedure

This log message is informational only, and no action is required.

PKI/4/DEL_PEER_ERR

Message

PKI/4/DEL_PEER_ERR: Deleting PEER certificate file ([string]) failed.

Description

A peer certificate failed to be deleted.

Parameters

Parameter Name	Parameter Meaning
string	Specifies the name of a peer certificate file.

Possible Causes

The peer certificate does not exist.
The peer certificate is being used by services.

Procedure

Run the display pki peer-certificate to check whether the peer certificate exists.
- If not, confirm whether to delete another certificate.
- If so, go to step 2.
Check whether this certificate is being used by services.
- If so, ensure that this certificate is not being used by services before deleting the certificate.
- If not, go to step 3.
Collect required information and contact technical support personnel.

PKI/4/DEL_PEER_OK

Message

PKI/4/DEL_PEER_OK: Deleting PEER certificate file ([string]) succeeded.

Description

A peer certificate succeeded to be deleted.

Parameters

Parameter Name	Parameter Meaning
string	Specifies the name of a peer certificate file.

Possible Causes

A peer certificate succeeded to be deleted.

Procedure

This log message is informational only, and no action is required.

PKI/4/CA_EXPORT_ERR

Message

PKI/4/CA_EXPORT_ERR: Exporting CA certificate file ([string]) failed.

Description

Failed to export a CA certificate file.

Parameters

Parameter Name	Parameter Meaning
string	Specifies the name of a CA certificate file.

Possible Causes

The CA certificate does not exist.
The storage space is full.

Procedure

Run the display pki certificate ca to check whether the CA certificate exists.
- If not, obtain a CA certificate from the CA.
- If so, go to step 2.
Run the dir command in the user view to check whether the storage space of the device is full.
- If so, delete unnecessary files to clear the storage space.
- If not, go to step 3.
Collect required information and contact technical support personnel.

PKI/4/CA_EXPORT_OK

Message

PKI/4/CA_EXPORT_OK: Exporting CA certificate file ([string]) succeeded.

Description

A CA certificate file was exported successfully.

Parameters

Parameter Name	Parameter Meaning
string	Specifies the name of a CA certificate file.

Possible Causes

A CA certificate is exported successfully.

Procedure

This log is informational only, and no action is required.

PKI/4/LOCAL_EXPORT_ERR

Message

PKI/4/LOCAL_EXPORT_ERR: Exporting local certificate file ([string]) failed.

Description

Failed to export a local certificate file.

Parameters

Parameter Name	Parameter Meaning
string	Specifies the name of a local certificate file.

Possible Causes

The local certificate does not exist.
The storage space is full.
No private key file name is entered when the local certificate is being exported.
The entered private key password does not meet requirements when the local certificate is being exported.

Procedure

Run the display pki certificate local to check whether the local certificate exists.
- If not, obtain or apply for a CA certificate from the CA.
- If so, go to step 2.
Run the dir command in the user view to check whether the storage space of the device is full.
- If so, delete unnecessary files to clear the storage space.
- If not, go to step 3.
Check whether the private key file name and password need to be entered when exporting the local certificate.
- If so, enter the private key file name and password as required.
- If not, go to step 4.
Collect required information and contact technical support personnel.

PKI/4/LOCAL_EXPORT_OK

Message

PKI/4/LOCAL_EXPORT_OK: Exporting local certificate file ([string]) succeeded.

Description

A local certificate file was exported successfully.

Parameters

Parameter Name	Parameter Meaning
string	Specifies the name of a local certificate file.

Possible Causes

A local certificate file is exported successfully.

Procedure

This log is informational only, and no action is required.

PKI/4/GET_CA_CERT_ERR

Message

PKI/4/GET_CA_CERT_ERR: Realm [realm_name] failed to get CA certificate through [protocol].

Description

Failed to obtain the CA certificate through SCEP.

Parameters

Parameter Name	Parameter Meaning
realm_name	Specifies the name of a PKI realm.
protocol	Specifies the protocol type as SCEP.

Possible Causes

The link between the device and CA server is Down.
The CA server is not working properly.
The PKI configuration is incorrect.

Procedure

Run the ping command to check whether the link between the device and CA server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, go to step 2.
Check whether the CA server is working properly.
- If not, ensure that the CA server has the certificate service enabled and is working properly.
- If so, go to step 3.
Check whether the PKI configuration is correct, for example, certificate request signature algorithm, challenge password, CA ID, PKI entity common name, and CA server URL.
- If not, modify the configuration to ensure that it is correct.
- If so, go to step 4.
Collect required information and contact technical support personnel.

PKI/5/GET_CA_CERT_OK

Message

PKI/5/GET_CA_CERT_OK: Realm [realm_name] succeeded in getting CA certificate through [protocol].

Description

Succeeded in obtaining the CA certificate through SCEP.

Parameters

Parameter Name	Parameter Meaning
realm_name	Specifies the name of a PKI realm.
protocol	Specifies the protocol type as SCEP.

Possible Causes

Succeeded in obtaining the CA certificate through SCEP.

Procedure

This log message is informational only, and no action is required.

PKI/4/GET_CA_CHAIN_ERR

Message

PKI/4/GET_CA_CHAIN_ERR: Realm [realm-name] failed to obtain the CA certificate chain through [protocol].

Description

Failed to obtain the CA certificate chain through the realm.

Parameters

Parameter Name	Parameter Meaning
realm-name	Specifies the name of a PKI realm.
protocol	Specifies the protocol type as SCEP.

Possible Causes

The link between the device and CA server is Down.
The PKI configuration is incorrect.
The storage space is insufficient.
The CA server is not working properly.
The CA server does not support the function of obtaining the CA certificate chain.
The CA certificate chain file does not exist in the CA server.

Procedure

Run the ping command to check whether the link between the device and certificate server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, go to step 2.
Run the dir command in the user view to check whether the storage space of the device is full.
- If so, run the delete command in the user view to delete unnecessary files.
- If not go to step 3.
Run the display pki realm command in any view to check whether the PKI configurations are correct, including the CA associated with the PKI realm, CA certificate subject name, URL, and digital fingerprint algorithm of the CA certificate.
- If not, modify the configurations to ensure that they are correct.
- If so, go to step 4.
Check whether the certificate function of the CA server is valid.
- If not, ensure that the certificate function of the CA server is valid and the CA server supports the function of obtaining the CA certificate chain. If the CA does not support the function of obtaining the CA certificate chain, manually download the CA certificate chain to the device.
- If so, go to step 5.
Check whether the CA certificate chain file exists in the CA server.
- If not, ensure that the CA certificate chain file exists in the CA server.
- If so, go to step 6.
Collect required information and contact technical support personnel.

PKI/4/GET_CERT_ERR

Message

PKI/4/GET_CERT_ERR: Manually obtaining certificate [file_name] through [protocol] failed.

Description

Obtaining a certificate manually failed.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the name of a certificate file.
protocol	Specifies the protocol type: SCEP.

Possible Causes

The link between the device and certificate server is Down.
The certificate server is not working properly.
The SCEP configuration is incorrect.

Procedure

Run the ping command to check whether the link between the device and certificate server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, go to step 2.
Check whether the certificate server is working properly.
- If not, ensure that the certificate server has the certificate service enabled and is working properly.
- If so, go to step 3.
Check whether the SCEP configuration is correct, for example, the URL.
- If not, modify the configuration to ensure that it is correct.
- If so, go to step 4.
Collect required information and contact technical support personnel.

PKI/5/GET_CERT_OK

Message

PKI/5/GET_CERT_OK: Manually obtaining certificate [file_name] through [protocol] succeeded.

Description

Obtaining a certificate succeeded.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the name of a certificate file.
protocol	Specifies the protocol type as HTTP.

Possible Causes

Obtaining a certificate succeeded by running command pki http.

Procedure

This log message is informational only, and no action is required.

PKI/4/GETTING_CRL

Message

PKI/4/GETTING_CRL: Realm [realm_name] is getting CRL through [protocol]...

Description

The realm was getting CRL automatically.

Parameters

Parameter Name	Parameter Meaning
realm_name	Specifies the name of a PKI realm.
protocol	Specifies the protocol type as HTTP, or SCEP.

Possible Causes

The realm was getting CRL automatically.

Procedure

This log message is informational only, and no action is required.

PKI/4/GET_CRL_ERR

Message

PKI/4/GET_CRL_ERR: Realm [realm_name] failed to obtain CRL through [protocol].

Description

Failed to obtain the CRL certificate.

Parameters

Parameter Name	Parameter Meaning
realm_name	Specifies the name of a PKI realm.
protocol	Specifies the protocol type: SCEP.

Possible Causes

The link between the device and CRL server is Down.
The CRL server is not working properly.
The PKI configuration is incorrect.

Procedure

Run the ping command to check whether the link between the device and CRL server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, go to step 2.
Check whether the CRL server is working properly.
- If not, ensure that the CRL server has the CRL service enabled and is working properly.
- If so, go to step 3.
Check whether the PKI configuration is correct, including the URL of the CDP and CRL update mode.
- If not, modify the configuration to ensure that it is correct.
- If so, go to step 4.
Collect required information and contact technical support personnel.

PKI/5/GET_CRL_OK

Message

PKI/5/GET_CRL_OK: Realm [realm_name] succeeded in obtaining CRL through [protocol].

Description

Succeeded in obtaining the CRL certificate.

Parameters

Parameter Name	Parameter Meaning
realm_name	Specifies the name of a PKI realm.
protocol	Specifies the protocol type: HTTP or SCEP.

Possible Causes

Succeeded in obtaining the CRL certificate through HTTP or SCEP.

Procedure

This log message is informational only, and no action is required.

PKI/5/GET_LOCAL_CERT_OK

Message

PKI/5/GET_LOCAL_CERT_OK: Realm [realm_name] succeeded in getting local certificate through [protocol].

Description

Succeeded in obtaining the local certificate through SCEP.

Parameters

Parameter Name	Parameter Meaning
realm_name	Specifies the name of a PKI realm.
protocol	Specifies the protocol type as SCEP.

Possible Causes

Succeeded in obtaining the local certificate through SCEP.

Procedure

This log message is informational only, and no action is required.

PKI/4/GET_LOCAL_CERT_ERR

Message

PKI/4/GET_LOCAL_CERT_ERR: Realm [realm_name] failed to get local certificate through [protocol].

Description

Failed to obtain the local certificate through SCEP.

Parameters

Parameter Name	Parameter Meaning
realm_name	Specifies the name of a PKI realm.
protocol	Specifies the protocol type as SCEP.

Possible Causes

The link between the device and CA server is Down.
The CA server is not working properly.
No CA and RA certificates are installed on the device.
The PKI configuration is incorrect.

Procedure

Run the ping command to check whether the link between the device and CA server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, go to step 2.
Check whether the CA server is working properly.
- If not, ensure that the CA server has the certificate service enabled and is working properly.
- If so, go to step 3.
Check whether the CA and RA certificates have been installed.
- If not, install the CA and RA certificates and ensure that the certificates are within the validity period.
- If so, and the CA and RA certificates are not within the validity period, update the CA and RA certificates.
- If so, and the CA and RA certificates are within the validity period, go to step 4.
Check whether the PKI configuration is correct, for example, certificate request signature algorithm, challenge password, CA ID, PKI entity common name, and CA server URL.
- If not, modify the configuration to ensure that it is correct.
- If so, go to step 5.
Collect required information and contact technical support personnel.

PKI/4/HTTP_AUTO_GET_CRL_ERR

Message

PKI/4/HTTP_AUTO_GET_CRL_ERR: Realm [realm_name] failed to obtain CRL through HTTP (Reason=[reason]).

Description

Failed to obtain the CRL using HTTP.

Parameters

Parameter Name	Parameter Meaning
realm_name	Specifies the name of a PKI realm.
reason	Indicates the failure cause.

Possible Causes

URL resolution failed: URL parsing failed.
Failed to connect to the server: Connecting to the server failed.
The server did not respond within the specified period: Failed to receive the response from the server within the specified period.
Failed to receive the response message: Failed to process the response received from the server.
Failed to save the response message: Failed to save the response received from the server.

The file has been imported or referenced for several times: The CRL file has been imported or referenced for several times.

Procedure

Cause 1: URL resolution failed.
When downloading the CRL using the pki get-crl command, run the display pki realm command to check whether the URL meets requirements.
- If not, run the cdp-url command in the PKI realm view to change the URL.
- If so, collect required information and contact technical support personnel.
Cause 2: Failed to connect to the server.
Run the ping command to check whether the link between the device and server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, collect required information and contact technical support personnel.
Cause 3: The server did not respond within the specified period.
Check whether the server is working properly.
- If not, ensure that the server has the CRL service enabled and is working properly.
- If so, collect required information and contact technical support personnel.
Cause 4: Failed to receive the response message.
Check whether the CRL file of the server exists.
- If not, add the CRL file to ensure that the server can provide the CRL download function.
- If so, collect required information and contact technical support personnel.
Cause 5: Failed to save the response message.
Run the dir command in the user view to check whether the storage space of the device is full.
- If so, run the delete command in the user view to delete unnecessary files.
- If not, collect required information and contact technical support personnel.
Cause 6: The file has been imported or referenced for several times.
If the CRL file is being used by multiple PKI realms, the CRL file cannot be updated. To ensure that the CRL file can be updated automatically, ensure that the file is being used by only one PKI realm.

PKI/4/HTTP_GET_CERT_ERR

Message

PKI/4/HTTP_GET_CERT_ERR: Manually obtaining certificate [file_name] through HTTP failed (Reason=[reason]).

Description

Failed to obtain the certificate using HTTP.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the name of a certificate file.
reason	Indicates the failure cause.

Possible Causes

URL resolution failed: URL parsing failed.
Failed to connect to the server: Connecting to the server failed.
The server did not respond within the specified period: Failed to receive the response from the server within the specified period.
Failed to receive the response message: Failed to process the response received from the server.
Failed to save the response message: Failed to save the response received from the server.

Procedure

Cause 1: URL resolution failed.
Check whether the URL specified using the pki http command meets requirements.
- If not, enter a correct URL when running the pki http command in the system view.
- If so, collect required information and contact technical support personnel.
Cause 2: Failed to connect to the server.
Run the ping command to check whether the link between the device and server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, collect required information and contact technical support personnel.
Cause 3: The server did not respond within the specified period.
Check whether the server is working properly.
- If not, ensure that the server has the certificate service enabled and is working properly.
- If so, collect required information and contact technical support personnel.
Cause 4: Failed to receive the response message.
Check whether the certificate file of the server exists.
- If not, add the certificate file to ensure that the server can provide the certificate download function.
- If so, collect required information and contact technical support personnel.
Cause 5: Failed to save the response message.
Run the dir command in the user view to check whether the storage space of the device is full.
- If so, run the delete command in the user view to delete unnecessary files.
- If not, collect required information and contact technical support personnel.

PKI/4/HTTP_GET_CRL_ERR

Message

PKI/4/HTTP_GET_CRL_ERR: Manually obtaining CRL [file_name] through HTTP failed (Reason=[reason]).

Description

Failed to obtain the CRL using HTTP.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the CRL file name.
reason	Indicates the failure cause.

Possible Causes

URL resolution failed: URL parsing failed.
Failed to connect to the server: Connecting to the server failed.
The server did not respond within the specified period: Failed to receive the response from the server within the specified period.
Failed to receive the response message: Failed to process the response received from the server.
Failed to save the response message: Failed to save the response received from the server.

Procedure

Cause 1: URL resolution failed.
- When downloading the CRL using the pki get-crl command, run the display pki realm command to check whether the URL meets requirements.
  - If not, run the cdp-url command in the PKI realm view to change the URL.
  - If so, collect required information and contact technical support personnel.
- When downloading the CRL using the pki http command, check whether the URL meets requirements.
  - If not, enter a correct URL when running the pki http command in the system view.
  - If so, collect required information and contact technical support personnel.
Cause 2: Failed to connect to the server.
Run the ping command to check whether the link between the device and server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, collect required information and contact technical support personnel.
Cause 3: The server did not respond within the specified period.
Check whether the server is working properly.
- If not, ensure that the server has the CRL service enabled and is working properly.
- If so, collect required information and contact technical support personnel.
Cause 4: Failed to receive the response message.
Check whether the CRL file of the server exists.
- If not, add the CRL file to ensure that the server can provide the CRL download function.
- If so, collect required information and contact technical support personnel.
Cause 5: Failed to save the response message.
Run the dir command in the user view to check whether the storage space of the device is full.
- If so, run the delete command in the user view to delete unnecessary files.
- If not, collect required information and contact technical support personnel.

PKI/4/KEY_IMPORT_FAILED

Message

PKI/4/KEY_IMPORT_FAILED: Importing [key_type] key pair [key_name] failed (Reason=[reason]).

Description

The key pair failed to be imported.

Parameters

Parameter Name	Parameter Meaning
key_type	Specifies the key pair type.
key_name	Specifies the name of a key pair.
reason	Specifies the reason of the key pair import failure.

Possible Causes

saving key pairs failed: The key pair fails to be saved.

Procedure

Check whether the storage media is available. If not, use an available storage media.
Check whether the storage space is full. If so, delete unnecessary files.

PKI/4/KEY_IMPORT_OK

Message

PKI/4/KEY_IMPORT_OK: Importing [key_type] key pair [key_name] succeeded.

Description

The key pair was successfully imported.

Parameters

Parameter Name	Parameter Meaning
key_type	Key pair type.
key_name	Specifies the name of a key pair.

Possible Causes

The key pair was successfully imported.

Procedure

This log message is informational only, and no action is required.

PKI/4/GETTING_LOCAL_CERT

Message

PKI/4/GETTING_LOCAL_CERT: Realm [realm_name] is getting local certificate through [protocol]...

Description

The realm was obtaining a local certificate using SCEP.

Parameters

Parameter Name	Parameter Meaning
realm_name	Specifies the name of a PKI realm.
protocol	Specifies the protocol type as SCEP.

Possible Causes

The realm was obtaining a local certificate using SCEP.

Procedure

This log message is informational only, and no action is required.

PKI/4/LOCAL_IMPORT_ERR

Message

PKI/4/LOCAL_IMPORT_ERR: Importing local certificate file ([file_name]) failed.

Description

Importing a local certificate failed.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the name of a local certificate file.

Possible Causes

The certificate file does not exist.
The certificate file name is invalid.
The certificate format is incorrect.
The certificate storage path is incorrect.
The same certificate exists on the device.

Procedure

Run the display pki certificate filename file-name to check whether the certificate exists.
- If not, use methods such as SFTP to upload the certificate to the storage medium of the device.
- If so, go to step 2.
Check whether the imported certificate file name meets requirements.
- If not, change the certificate file name in accordance with requirements.
- If so, go to step 3.
Run the pki import-certificate local command to check whether the certificate format selected during certificate import is correct.
- If not, select the correct certificate format when importing the certificate.
- If so, go to step 4.
Run the dir and display pki credential-storage-path commands in the user view to check whether the certificate storage path is the same as the default storage path of the certificate.
- If not, save the certificate to the default storage path.
- If so, go to step 5.
Run the display pki certificate local command to check whether the same certificate has been installed on the device or whether the same issuer and subject certificates exist on the device.
- If so, run the pki delete-certificate command in the system view to delete this certificate.
- If not, go to step 6.
Collect required information and contact technical support personnel.

PKI/4/LOCAL_IMPORT_OK

Message

PKI/4/LOCAL_IMPORT_OK: Importing local certificate file ([file_name]) succeeded.

Description

Importing a local certificate succeeded.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the name of a local certificate file.

Possible Causes

Importing a local certificate succeeded.

Procedure

This log message is informational only, and no action is required.

PKI/4/LOCAL_WILL_EXPIRED

Message

PKI/4/LOCAL_WILL_EXPIRED: LOCAL certificate ([subject_name]) will expire in [day] days.

Description

A local certificate was to expire.

Parameters

Parameter Name	Parameter Meaning
subject_name	Specifies the subject of a local certificate.
day	Specifies the validity period of the local certificate.

Possible Causes

The local certificate in the memory was to expire.

Procedure

Apply for certificates online using SCEP or CMPv2.
- If the automatic certificate update function is configured, the device automatically updates certificates using SCEP or CMPv2 when the certificates are about to expire or have expired.
  
  You need to ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
- If the automatic certificate update function is not configured, and SCEP is used, run the pki enroll-certificate realm command in the system view to manually update the certificates. If CMPv2 is used, run the pki cmp keyupdate-request session command in the system view to manually update the certificates.
  
  Ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
Apply for certificates offline.
1. Send the certificate request file to the CA server through the web system, disk, or email to apply for a CA certificate and local certificate.
2. Run the pki delete-certificate command in the system view to delete the old CA certificate and local certificate from the device memory.
3. Use methods such as SFTP to upload the obtained CA and local certificates to the storage medium of the device, and run the pki import-certificate command in the system view to import the certificates to the memory of the device.

PKI/4/LOCAL_EXPIRED

Message

PKI/4/LOCAL_EXPIRED: LOCAL certificate ([subject_name]) has expired for [day] days.

Description

A local certificate expired.

Parameters

Parameter Name	Parameter Meaning
subject_name	Specifies the subject of a local certificate.
day	Specifies the number of days after a local certificate expired.

Possible Causes

The certificate failed to be updated automatically.
The certificate was not updated manually.

Procedure

Apply for certificates online using SCEP or CMPv2.
- If the automatic certificate update function is configured, the device automatically updates certificates using SCEP or CMPv2 when the certificates are about to expire or have expired.
  
  You need to ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
- If the automatic certificate update function is not configured, and SCEP is used, run the pki enroll-certificate realm command in the system view to manually update the certificates. If CMPv2 is used, run the pki cmp keyupdate-request session command in the system view to manually update the certificates.
  
  Ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
Apply for certificates offline.
1. Send the certificate request file to the CA server through the web system, disk, or email to apply for a CA certificate and local certificate.
2. Run the pki delete-certificate command in the system view to delete the old CA certificate and local certificate from the device memory.
3. Use methods such as SFTP to upload the obtained CA and local certificates to the storage medium of the device, and run the pki import-certificate command in the system view to import the certificates to the memory of the device.

PKI/4/LOCAL_VALID

Message

PKI/4/LOCAL_VALID: LOCAL certificate ([subject_name]) will be valid in [day] days.

Description

A local certificate was invalid.

Parameters

Parameter Name	Parameter Meaning
subject_name	Specifies the subject of a local certificate.
day	Specifies the number of days before a local certificate takes effect.

Possible Causes

The system time of the device does not reach the start time of the certificate validity period.

Procedure

Run the display clock command to check whether the system time of the device is correct.
- If not, run the clock datetime command in the user view to change the system time of the device.
- If so, go to step 2.
Collect required information and contact technical support personnel.

PKI/4/GET_CRL_ERR

Message

PKI/4/GET_CRL_ERR: Manually obtaining CRL [file_name] through [protocol] failed.

Description

Obtaining a CRL manually failed.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the CRL file name.
protocol	Specifies the protocol type: SCEP.

Possible Causes

The link between the device and CRL server is Down.
The CRL server is not working properly.
The SCE configuration is incorrect.

Procedure

Run the ping command to check whether the link between the device and CRL server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, go to step 2.
Check whether the CRL server is working properly.
- If not, ensure that the CRL server has the CRL service enabled and is working properly.
- If so, go to step 3.
Check whether the SCEP configuration is correct, for example, the URL.
- If not, modify the configuration to ensure that it is correct.
- If so, go to step 4.
Collect required information and contact technical support personnel.

PKI/5/GET_CRL_OK

Message

PKI/5/GET_CRL_OK: Manually obtaining CRL [file_name] through [protocol] succeeded.

Description

Manually obtaining a CRL succeeded.

Parameters

Parameter Name	Parameter Meaning
file_name	Specifies the CRL file name.
protocol	Specifies the protocol type as HTTP.

Possible Causes

A CRL was successfully obtained through the CLI.

Procedure

This log message is informational only, and no action is required.

PKI/4/OCSP_IMPORT_ERR

Message

PKI/4/OCSP_IMPORT_ERR: Importing OCSP certificate file ([string]) failed.

Description

An OCSP certificate failed to be imported.

Parameters

Parameter Name	Parameter Meaning
string	Specifies the name of an OCSP certificate file.

Possible Causes

The certificate file does not exist.
The certificate file name is invalid.
The certificate format is incorrect.
The certificate storage path is incorrect.
The same certificate exists on the device.

Procedure

Run the display pki certificate filename file-name to check whether the certificate exists.
- If not, use methods such as SFTP to upload the certificate to the storage medium of the device.
- If so, go to step 2.
Check whether the imported certificate file name meets requirements.
- If not, change the certificate file name in accordance with requirements.
- If so, go to step 3.
Run the pki import-certificate ocsp command to check whether the certificate format selected during certificate import is correct.
- If not, select the correct certificate format when importing the certificate.
- If so, go to step 4.
Run the dir and display pki credential-storage-path commands in the user view to check whether the certificate storage path is the same as the default storage path of the certificate.
- If not, save the certificate to the default storage path.
- If so, go to step 5.
Run the display pki certificate ocsp command to check whether the same certificate has been installed on the device or whether the same issuer and subject certificates exist on the device.
- If so, run the pki delete-certificate command in the system view to delete this certificate.
- If not, go to step 6.
Collect required information and contact technical support personnel.

PKI/4/OCSP_IMPORT_OK

Message

PKI/4/OCSP_IMPORT_OK: Importing OCSP certificate file ([string]) succeeded.

Description

An OCSP certificate succeeded to be imported.

Parameters

Parameter Name	Parameter Meaning
string	Specifies the name of an OCSP certificate file.

Possible Causes

An OCSP certificate succeeded to be imported.

Procedure

This log message is informational only, and no action is required.

PKI/4/PEER_IMPORT_ERR

Message

PKI/4/PEER_IMPORT_ERR: Importing PEER certificate file ([string]) failed.

Description

Failed to import a peer certificate.

Parameters

Parameter Name	Parameter Meaning
string	Specifies the name of a peer certificate file.

Possible Causes

The certificate file does not exist.
The certificate file name is invalid.
The certificate format is incorrect.
The certificate storage path is incorrect.
The same certificate exists on the device.

Procedure

Run the display pki certificate filename file-name to check whether the certificate exists.
- If not, use methods such as SFTP to upload the certificate to the storage medium of the device.
- If so, go to step 2.
Check whether the imported certificate file name meets requirements.
- If not, change the certificate file name in accordance with requirements.
- If so, go to step 3.
Run the pki import-certificate peer command to check whether the certificate format selected during certificate import is correct.
- If not, select the correct certificate format when importing the certificate.
- If so, go to step 4.
Run the dir and display pki credential-storage-path commands in the user view to check whether the certificate storage path is the same as the default storage path of the certificate.
- If not, save the certificate to the default storage path.
- If so, go to step 5.
Run the display pki peer-certificate command to check whether the same certificate has been installed on the device or whether the same issuer and subject certificates exist on the device.
- If so, run the pki release-certificate peer command in the system view to delete this certificate.
- If not, go to step 6.
Collect required information and contact technical support personnel.

PKI/4/PEER_IMPORT_OK

Message

PKI/4/PEER_IMPORT_OK: Importing PEER certificate file ([string]) succeeded.

Description

Succeeded in importing a peer certificate.

Parameters

Parameter Name	Parameter Meaning
string	Specifies the name of a peer certificate file.

Possible Causes

The peer certificate succeeded to be imported.

Procedure

This log message is informational only, and no action is required.

PKI/4/RSA_CREATE

Message

PKI/4/RSA_CREATE: RSA local key pair [key_name] will be created. The key has [key_bit] bits.

Description

An RSA key pair was created.

Parameters

Parameter Name	Parameter Meaning
key_name	Specifies the name of an RSA key pair.
key_bit	Specifies the number of bits in the RSA key pair.

Possible Causes

Command pki rsa local-key-pair create was executed to create an RSA key pair.

Procedure

This log message is informational only, and no action is required.

PKI/4/RSA_CREATE_FAILED

Message

PKI/4/RSA_CREATE_FAILED: Creating [key_type] local key pair [key_name] failed.

Description

Creating a key pair failed.

Parameters

Parameter Name	Parameter Meaning
key_type	Key pair type.
key_name	Specifies the name of a key pair.

Possible Causes

The number of existing key pairs has reached the limit.

Procedure

Delete unnecessary key pairs.
If the fault persists, collect related information and contact technical support personnel.

PKI/4/RSA_CREATE_OK

Message

PKI/4/RSA_CREATE_OK: Creating [key_type] local key pair [key_name] succeeded.

Description

Creating a key pair succeeded.

Parameters

Parameter Name	Parameter Meaning
key_type	Key pair type.
key_name	Specifies the name of a key pair.

Possible Causes

Creating a key pair succeeded.

Procedure

This log message is informational only, and no action is required.

PKI/4/RSA_DESTROY

Message

PKI/4/RSA_DESTROY: RSA local key pair [key_name] will be deleted.

Description

An RSA key pair was to be deleted.

Parameters

Parameter Name	Parameter Meaning
key_name	Specifies the name of an RSA key pair.

Possible Causes

A command was executed to delete an RSA key pair.

Procedure

This log message is informational only, and no action is required.

PKI/4/RSA_DESTROY_FAILED

Message

PKI/4/RSA_DESTROY_FAILED: Deleting [key_type] local key pair [key_name] failed.

Description

Deleting a key pair failed.

Parameters

Parameter Name	Parameter Meaning
key_type	Key pair type.
key_name	Specifies the name of a key pair.

Possible Causes

The key pair does not exist.
The key pair is being used by services.

Procedure

Check whether the key pair exists on the device. For example, run the display pki rsa local-key-pair public command to view RSA key pair information.
- If not, confirm whether to delete another RSA key pair.
- If so, go to step 2.
Check whether the key pair is being used by services. For example, check whether it is being referenced by the PKI realm.
- If so, ensure that the key pair is not used by any services.
- If not, go to step 3.
Collect required information and contact technical support personnel.

PKI/4/RSA_DESTROY_SUCCEED

Message

PKI/4/RSA_DESTROY_SUCCEED: Deleting [key_type] local key pair [key_name] succeeded.

Description

Deleting a key pair succeeded.

Parameters

Parameter Name	Parameter Meaning
key_type	Key pair type.
key_name	Specifies the name of a key pair.

Possible Causes

Deleting a key pair succeeded.

Procedure

This log message is informational only, and no action is required.

PKI/4/RSA_REPLACE

Message

PKI/4/RSA_REPLACE: RSA local key pair [key_name] will be replaced by a new one.

Description

An RSA key pair was to be replaced.

Parameters

Parameter Name	Parameter Meaning
key_name	Specifies the name of an RSA key pair.

Possible Causes

After a user ran a command to create an RSA key pair, a message indicating that the name of the key pair had already existed was displayed. The user chose to overwrite the original key pair.

Procedure

This log message is informational only, and no action is required.

PKI/4/RSA_SAVE_FAILED

Message

PKI/4/RSA_SAVE_FAILED: Saving RSA local key pair [key_name] failed.

Description

Saving an RSA key pair failed.

Parameters

Parameter Name	Parameter Meaning
key_name	Specifies the name of an RSA key pair.

Possible Causes

Saving an RSA key pair failed.

Procedure

Collect required information and contact technical support personnel.

PKI/4/SCEP_UPDATE_LOCAL_CERT_ERR

Message

PKI/4/SCEP_UPDATE_LOCAL_CERT_ERR: Updating the local certificate ([certificate-name]) through SCEP failed.

Description

The local certificate failed to be updated through SCEP.

Parameters

Parameter Name	Parameter Meaning
certificate-name	Indicates the name of a local certificate.

Possible Causes

The device failed to communicate with the CA server.

Procedure

Check whether the route between the device and CA server is reachable using the ping function.
- If the route between them is reachable, go to step 2.
- If the route between them is unreachable, rectify the route and link fault to ensure a reachable route.
Check whether the PKI configuration on the CA server is correct. The configuration includes the URL, CA name, digest method used for the signed certificate enrollment requests, challenge password used in SCEP certificate application, and digital fingerprint of the CA certificate.
- If the configuration is incorrect, correct the configuration.
- If the configuration is correct, go to step 3.
Collect log and configuration information, and contact technical support personnel.

PKI/5/SCEP_UPDATE_LOCAL_CERT_OK

Message

PKI/5/SCEP_UPDATE_LOCAL_CERT_OK: Updating the local certificate ([certificate-name]) through SCEP succeeded.

Description

The local certificate was updated successfully through SCEP.

Parameters

Parameter Name	Parameter Meaning
certificate-name	Indicates the name of a local certificate.

Possible Causes

After the SCEP-based automatic certificate update function was enabled, the switch successfully updated the local certificate when the update time arrived.

Procedure

This log is informational only, and no action is required.

PKI/4/YANG_CERT_UPDATE_ERR

Message

PKI/4/YANG_CERT_UPDATE_ERR: Updating the [certificate-type] certificate (realm=[realm-name]) through controller failed (ReasonCode=[reason-code], Reason=[reason]).

Description

The certificate failed to be updated through the controller.

Parameters

Parameter Name	Parameter Meaning
certificate-type	Specifies the certificate type.
realm-name	Specifies the name of a PKI realm.
reason-code	Specifies the reason code of the certificate update failure: 3: Invalid realm 4: Shadow certificate does not exist 5: Refreshing certificate failed 6: Replacing key failed 7: Certificate file does not exist 8: Parsing file content failed 9: Unsupported file format 11: Saving shadow certificate failed 12: Getting key of certificate Failed 13: Saving shadow key failed 14: Saving certificate file failed 15: Importing certificate file failed 16: Importing key failed 18: Replacing certificate does not exist 19: Invalid certificate path 20: Unsupported operation
reason	Specifies the reason of the certificate update failure: Invalid realm Shadow certificate does not exist Refreshing certificate failed Replacing key failed Certificate file does not exist Parsing file content failed Unsupported file format Saving shadow certificate failed Getting key of certificate Failed Saving shadow key failed Saving certificate file failed Importing certificate file failed Importing key failed Replacing certificate does not exist Invalid certificate path Unsupported operation

Possible Causes

For details, see reasons of failed to update a certificate.

Procedure

Invalid realm
Check whether the realm name is created or valid. For details about the PKI realm name specifications, see the pki realm command.
Shadow certificate does not exist
Check whether the shadow certificate exists. If not, import it first.
Refreshing certificate failed, Replacing key failed, Saving shadow certificate failed, Saving shadow key failed, Saving certificate file failed, or Importing key failed
Check whether the storage space on the device is full. If so, delete unnecessary files. If not, enable debugging of the PKI module in the user view and check debugging information to locate the fault, or contact technical support personnel.
Certificate file does not exist or Replacing certificate does not exist
Check whether the certificate file or certificate has been imported to the storage media of the device.
Parsing file content failed
Check whether file format is correct.
Unsupported file format
The device does not support this file format. Import a certificate file in the PEM format.
Getting key of certificate Failed
Check whether the key pair corresponding to the certificate has been imported.
Importing certificate file failed
Check whether the number of certificates reaches the maximum. If so, delete unused certificates.
Other reasons.
Contact technical support personnel.

PKI/4/YANG_CERT_UPDATE_OK

Message

PKI/4/YANG_CERT_UPDATE_OK: Updating the [certificate-type] certificate (realm=[realm-name]) through controller succeeded.

Description

The certificate was successfully updated through the controller.

Parameters

Parameter Name	Parameter Meaning
certificate-type	Specifies the certificate type.
realm-name	Specifies the name of a PKI realm.

Possible Causes

The certificate was successfully updated through the controller.

Procedure

This log message is informational only, and no action is required.

PKI/4/GETTING_CA_CERT
PKI/4/CA_IMPORT_ERR
PKI/4/CA_IMPORT_OK
PKI/4/CA_WILL_EXPIRED
PKI/4/CA_EXPIRED
PKI/4/CA_VALID
PKI/4/GETTING_CERT
PKI/4/CLEAR_ALL_KEY
PKI/4/CMP_UPDATE_LOCAL_CERT_ERR
PKI/5/CMP_UPDATE_LOCAL_CERT_OK
PKI/5/CONFIRM_NO_CHECK_ALG
PKI/5/CONFIRM_NO_CHECK_VALIDATE
PKI/5/CONFIRM_COVER_OCSP_CERT
PKI/5/CONFIRM_COVER_PEER_CERT
PKI/5/CONFIRM_CREATE_CERT
PKI/5/CONFIRM_DESTROY_RSA
PKI/5/CONFIRM_EXPORT_KEYPAIR
PKI/5/CONFIRM_FINGERPRINT
PKI/5/CONFIRM_OVERWRITE_FILE
PKI/5/CONFIRM_OVERWRITE_RSA
PKI/4/CRL_IMPORT_ERR
PKI/4/CRL_IMPORT_OK
PKI/4/CRL_WILL_EXPIRED
PKI/4/CRL_EXPIRED
PKI/4/CRL_VALID
PKI/4/DEL_CA_ERR
PKI/4/DEL_CA_OK
PKI/4/DEL_CRL_OK
PKI/4/DEL_CRL_ERR
PKI/4/DEL_LOCAL_ERR
PKI/4/DEL_LOCAL_OK
PKI/4/DEL_OCSP_ERR
PKI/4/DEL_OCSP_OK
PKI/4/DEL_PEER_ERR
PKI/4/DEL_PEER_OK
PKI/4/CA_EXPORT_ERR
PKI/4/CA_EXPORT_OK
PKI/4/LOCAL_EXPORT_ERR
PKI/4/LOCAL_EXPORT_OK
PKI/4/GET_CA_CERT_ERR
PKI/5/GET_CA_CERT_OK
PKI/4/GET_CA_CHAIN_ERR
PKI/4/GET_CERT_ERR
PKI/5/GET_CERT_OK
PKI/4/GETTING_CRL
PKI/4/GET_CRL_ERR
PKI/5/GET_CRL_OK
PKI/5/GET_LOCAL_CERT_OK
PKI/4/GET_LOCAL_CERT_ERR
PKI/4/HTTP_AUTO_GET_CRL_ERR
PKI/4/HTTP_GET_CERT_ERR
PKI/4/HTTP_GET_CRL_ERR
PKI/4/KEY_IMPORT_FAILED
PKI/4/KEY_IMPORT_OK
PKI/4/GETTING_LOCAL_CERT
PKI/4/LOCAL_IMPORT_ERR
PKI/4/LOCAL_IMPORT_OK
PKI/4/LOCAL_WILL_EXPIRED
PKI/4/LOCAL_EXPIRED
PKI/4/LOCAL_VALID
PKI/4/GET_CRL_ERR
PKI/5/GET_CRL_OK
PKI/4/OCSP_IMPORT_ERR
PKI/4/OCSP_IMPORT_OK
PKI/4/PEER_IMPORT_ERR
PKI/4/PEER_IMPORT_OK
PKI/4/RSA_CREATE
PKI/4/RSA_CREATE_FAILED
PKI/4/RSA_CREATE_OK
PKI/4/RSA_DESTROY
PKI/4/RSA_DESTROY_FAILED
PKI/4/RSA_DESTROY_SUCCEED
PKI/4/RSA_REPLACE
PKI/4/RSA_SAVE_FAILED
PKI/4/SCEP_UPDATE_LOCAL_CERT_ERR
PKI/5/SCEP_UPDATE_LOCAL_CERT_OK
PKI/4/YANG_CERT_UPDATE_ERR
PKI/4/YANG_CERT_UPDATE_OK

Translation

简体中文

Download

Updated: 2022-05-25

Document ID: EDOC1100126883

Downloads: 31

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode