PKI
- PKI/4/GETTING_CA_CERT
- PKI/4/CA_IMPORT_ERR
- PKI/4/CA_IMPORT_OK
- PKI/4/CA_WILL_EXPIRED
- PKI/4/CA_EXPIRED
- PKI/4/CA_VALID
- PKI/4/GETTING_CERT
- PKI/4/CLEAR_ALL_KEY
- PKI/4/CMP_UPDATE_LOCAL_CERT_ERR
- PKI/5/CMP_UPDATE_LOCAL_CERT_OK
- PKI/5/CONFIRM_NO_CHECK_ALG
- PKI/5/CONFIRM_NO_CHECK_VALIDATE
- PKI/5/CONFIRM_COVER_OCSP_CERT
- PKI/5/CONFIRM_COVER_PEER_CERT
- PKI/5/CONFIRM_CREATE_CERT
- PKI/5/CONFIRM_DESTROY_RSA
- PKI/5/CONFIRM_EXPORT_KEYPAIR
- PKI/5/CONFIRM_FINGERPRINT
- PKI/5/CONFIRM_OVERWRITE_FILE
- PKI/5/CONFIRM_OVERWRITE_RSA
- PKI/4/CRL_IMPORT_ERR
- PKI/4/CRL_IMPORT_OK
- PKI/4/CRL_WILL_EXPIRED
- PKI/4/CRL_EXPIRED
- PKI/4/CRL_VALID
- PKI/4/DEL_CA_ERR
- PKI/4/DEL_CA_OK
- PKI/4/DEL_CRL_OK
- PKI/4/DEL_CRL_ERR
- PKI/4/DEL_LOCAL_ERR
- PKI/4/DEL_LOCAL_OK
- PKI/4/DEL_OCSP_ERR
- PKI/4/DEL_OCSP_OK
- PKI/4/DEL_PEER_ERR
- PKI/4/DEL_PEER_OK
- PKI/4/CA_EXPORT_ERR
- PKI/4/CA_EXPORT_OK
- PKI/4/LOCAL_EXPORT_ERR
- PKI/4/LOCAL_EXPORT_OK
- PKI/4/GET_CA_CERT_ERR
- PKI/5/GET_CA_CERT_OK
- PKI/4/GET_CA_CHAIN_ERR
- PKI/4/GET_CERT_ERR
- PKI/5/GET_CERT_OK
- PKI/4/GETTING_CRL
- PKI/4/GET_CRL_ERR
- PKI/5/GET_CRL_OK
- PKI/5/GET_LOCAL_CERT_OK
- PKI/4/GET_LOCAL_CERT_ERR
- PKI/4/HTTP_AUTO_GET_CRL_ERR
- PKI/4/HTTP_GET_CERT_ERR
- PKI/4/HTTP_GET_CRL_ERR
- PKI/4/KEY_IMPORT_FAILED
- PKI/4/KEY_IMPORT_OK
- PKI/4/GETTING_LOCAL_CERT
- PKI/4/LOCAL_IMPORT_ERR
- PKI/4/LOCAL_IMPORT_OK
- PKI/4/LOCAL_WILL_EXPIRED
- PKI/4/LOCAL_EXPIRED
- PKI/4/LOCAL_VALID
- PKI/4/GET_CRL_ERR
- PKI/5/GET_CRL_OK
- PKI/4/OCSP_IMPORT_ERR
- PKI/4/OCSP_IMPORT_OK
- PKI/4/PEER_IMPORT_ERR
- PKI/4/PEER_IMPORT_OK
- PKI/4/RSA_CREATE
- PKI/4/RSA_CREATE_FAILED
- PKI/4/RSA_CREATE_OK
- PKI/4/RSA_DESTROY
- PKI/4/RSA_DESTROY_FAILED
- PKI/4/RSA_DESTROY_SUCCEED
- PKI/4/RSA_REPLACE
- PKI/4/RSA_SAVE_FAILED
- PKI/4/SCEP_UPDATE_LOCAL_CERT_ERR
- PKI/5/SCEP_UPDATE_LOCAL_CERT_OK
- PKI/4/YANG_CERT_UPDATE_ERR
- PKI/4/YANG_CERT_UPDATE_OK
PKI/4/GETTING_CA_CERT
PKI/4/CA_IMPORT_ERR
Possible Causes
- The certificate file does not exist.
- The certificate file name is invalid.
- The certificate format is incorrect.
- The certificate storage path is incorrect.
- The same certificate exists on the device.
Procedure
- Run the display pki certificate filename file-name command to check whether the certificate exists.
- If not, use methods such as SFTP to upload the certificate to the storage medium of the device.
- If so, go to step 2.
- Check whether the imported certificate file name meets requirements.
- If not, change the certificate file name in accordance with requirements.
- If so, go to step 3.
- Run the pki import-certificate ca command to check whether the certificate format selected during certificate import is correct.
- If not, select the correct certificate format when importing the certificate.
- If so, go to step 4.
- Run the dir and display pki credential-storage-path commands in the user view to check whether the certificate storage path is the same as the default storage path of the certificate.
- If not, save the certificate to the default storage path.
- If so, go to step 5.
- Run the display pki certificate ca command to check whether the same certificate has been installed on the device or whether the same issuer and subject certificates exist on the device.
- If so, run the pki delete-certificate command in the system view to delete this certificate.
- If not, go to step 6.
- Collect required information and contact technical support personnel.
PKI/4/CA_WILL_EXPIRED
Parameters
Parameter Name | Parameter Meaning |
---|---|
subject_name | Specifies the subject of a CA certificate. |
day | Specifies the validity period of the CA certificate. |
Procedure
- Apply for certificates online using SCEP or CMPv2.
If the automatic certificate update function is configured, the device automatically updates certificates using SCEP or CMPv2 when the certificates are about to expire or have expired.
You need to ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
If the automatic certificate update function is not configured, and SCEP is used, run the pki enroll-certificate realm command in the system view to manually update the certificates. If CMPv2 is used, run the pki cmp keyupdate-request session command in the system view to manually update the certificates.
Ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
- Apply for certificates offline.
Send the certificate request file to the CA server through the web system, disk, or email to apply for a CA certificate and local certificate.
Run the pki delete-certificate command in the system view to delete the old CA certificate and local certificate from the device memory.
Use methods such as SFTP to upload the obtained CA and local certificates to the storage medium of the device, and run the pki import-certificate command in the system view to import the certificates to the memory of the device.
PKI/4/CA_EXPIRED
Parameters
Parameter Name | Parameter Meaning |
---|---|
subject_name | Specifies the subject of a CA certificate. |
day | Specifies the number of days after a CA certificate expired. |
Possible Causes
- The certificate failed to be updated automatically.
- The certificate was not updated manually.
Procedure
- Apply for certificates online using SCEP or CMPv2.
If the automatic certificate update function is configured, the device automatically updates certificates using SCEP or CMPv2 when the certificates are about to expire or have expired.
You need to ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
If the automatic certificate update function is not configured, and SCEP is used, run the pki enroll-certificate realm command in the system view to manually update the certificates. If CMPv2 is used, run the pki cmp keyupdate-request session command in the system view to manually update the certificates.
Ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
- Apply for certificates offline.
Send the certificate request file to the CA server through the web system, disk, or email to apply for a CA certificate and local certificate.
Run the pki delete-certificate command in the system view to delete the old CA certificate and local certificate from the device memory.
Use methods such as SFTP to upload the obtained CA and local certificates to the storage medium of the device, and run the pki import-certificate command in the system view to import the certificates to the memory of the device.
PKI/4/CA_VALID
PKI/4/GETTING_CERT
PKI/4/CLEAR_ALL_KEY
Message
PKI/4/CLEAR_ALL_KEY: PKI was notified to clear all [string] in the device (Reason=[reason]).
Parameters
Parameter Name | Parameter Meaning |
---|---|
string | Specifies the key pair or certificate file name. |
reason | Specifies the deletion reasons: |
PKI/4/CMP_UPDATE_LOCAL_CERT_ERR
Message
PKI/4/CMP_UPDATE_LOCAL_CERT_ERR: Updating the local certificate ([certificate-name]) through CMPv2 failed.
Parameters
Parameter Name | Parameter Meaning |
---|---|
certificate-name | Specifies the name of a local certificate file. |
Procedure
- Check whether the route between the device and CMPv2 server is reachable using the ping function.
- If the route between them is reachable, go to step 2.
- If the route between them is unreachable, rectify the route and link fault to ensure a reachable route.
- Check whether the PKI configuration on the CMPv2 server is correct. The configuration includes the URL and CA name.
- If the configuration is incorrect, correct the configuration.
- If the configuration is correct, go to step 3.
- Collect log and configuration information, and contact technical support personnel.
PKI/5/CMP_UPDATE_LOCAL_CERT_OK
Message
PKI/5/CMP_UPDATE_LOCAL_CERT_OK: Updating the local certificate ([certificate-name]) through CMPv2 succeeded.
Parameters
Parameter Name | Parameter Meaning |
---|---|
certificate-name | Indicates the name of a local certificate. |
PKI/5/CONFIRM_NO_CHECK_ALG
Message
PKI/5/CONFIRM_NO_CHECK_ALG: The user chose [string] when deciding whether to import unsafe certificate.
Parameters
Parameter Name | Parameter Meaning |
---|---|
string | Specifies whether the user chooses to import an insecure certificate: Y/N. |
PKI/5/CONFIRM_NO_CHECK_VALIDATE
Message
PKI/5/CONFIRM_NO_CHECK_VALIDATE: The user chose [string] when deciding whether to import expired certificate.
Parameters
Parameter Name | Parameter Meaning |
---|---|
string | Specifies whether the user chooses to import an expired certificate: Y/N. |
PKI/5/CONFIRM_COVER_OCSP_CERT
Message
PKI/5/CONFIRM_COVER_OCSP_CERT: The user chose [string] when deciding whether to cover the old OCSP certificate with the new one.
Parameters
Parameter Name | Parameter Meaning |
---|---|
string | Indicates the operation chosen by the user: |
PKI/5/CONFIRM_COVER_PEER_CERT
Message
PKI/5/CONFIRM_COVER_PEER_CERT: The user chose [string] when deciding whether to cover the old peer certificate with the new one.
Parameters
Parameter Name | Parameter Meaning |
---|---|
string | Indicates the operation chosen by the user: |
PKI/5/CONFIRM_CREATE_CERT
PKI/5/CONFIRM_DESTROY_RSA
PKI/5/CONFIRM_EXPORT_KEYPAIR
PKI/5/CONFIRM_FINGERPRINT
PKI/5/CONFIRM_OVERWRITE_FILE
PKI/5/CONFIRM_OVERWRITE_RSA
PKI/4/CRL_IMPORT_ERR
Possible Causes
- The CRL file does not exist.
- The CRL file name is invalid.
- The CRL file format is incorrect.
- The CRL file storage path is incorrect.
Procedure
- Run the display pki crl filename file-name command to check whether the CRL file exists.
- If not, use methods such as SFTP to upload the CRL file to the storage medium of the device.
- If so, go to step 2.
- Check whether the CRL file name meets requirements.
- If not, change the CRL file name in accordance with requirements.
- If so, go to step 3.
- Check whether the CRL file format is correct.
- If not, use the CRL file format supported by the device, for example, DER and PEM.
- If so, go to step 4.
- Run the dir and display pki credential-storage-path commands in the user view to check whether the CRL file storage path is the same as the default storage path of the CRL file.
- If not, save the CRL file to the default storage path.
- If so, go to step 5.
- Collect required information and contact technical support personnel.
PKI/4/CRL_WILL_EXPIRED
Parameters
Parameter Name | Parameter Meaning |
---|---|
issuer_name | Specifies the name of the CRL issuer. |
day | Specifies the validity period of the CRL. |
Procedure
- Automatic CRL update
- Manual CRL update
- Select the manual CRL update mode based on the service modes provided by CA and supported by the device, for example, run the pki http command in the system view to download a CRL using HTTP.
- Run the pki import-crl command in the system view to import the CRL to the device memory.
PKI/4/CRL_EXPIRED
Parameters
Parameter Name | Parameter Meaning |
---|---|
issuer_name | Specifies the name of the CRL issuer. |
day | Specifies the number of days after the CRL expired. |
Procedure
- Automatic CRL update
- Manual CRL update
- Select the manual CRL update mode based on the service modes provided by CA and supported by the device, for example, run the pki http command in the system view to download a CRL using HTTP.
- Run the pki import-crl command in the system view to import the CRL to the device memory.
PKI/4/CRL_VALID
PKI/4/DEL_CA_ERR
Procedure
- Run the display pki certificate ca command to check whether the CA certificate exists.
- If not, confirm whether to delete another certificate.
- If so, go to step 2.
- Check whether this certificate is being used by services.
- If so, ensure that this certificate is not being used by services before deleting the certificate.
- If not, go to step 3.
- Collect required information and contact technical support personnel.
PKI/4/DEL_LOCAL_ERR
Possible Causes
- The local certificate does not exist.
- The local certificate is being used by services.
Procedure
- Run the display pki certificate local command to check whether the local certificate exists.
- If not, confirm whether to delete another certificate.
- If so, go to step 2.
- Check whether this certificate is being used by services.
- If so, ensure that this certificate is not being used by services before deleting the certificate.
- If not, go to step 3.
- Collect required information and contact technical support personnel.
PKI/4/DEL_OCSP_ERR
Procedure
- Run the display pki certificate ocsp command to check whether the OCSP certificate exists.
- If not, confirm whether to delete another certificate.
- If so, go to step 2.
- Check whether this certificate is being used by services.
- If so, ensure that this certificate is not being used by services before deleting the certificate.
- If not, go to step 3.
- Collect required information and contact technical support personnel.
PKI/4/DEL_PEER_ERR
Procedure
- Run the display pki peer-certificate command to check whether the peer certificate exists.
- If not, confirm whether to delete another certificate.
- If so, go to step 2.
- Check whether this certificate is being used by services.
- If so, ensure that this certificate is not being used by services before deleting the certificate.
- If not, go to step 3.
- Collect required information and contact technical support personnel.
PKI/4/CA_EXPORT_ERR
Procedure
- Run the display pki certificate ca command to check whether the CA certificate exists.
- If not, obtain a CA certificate from the CA.
- If so, go to step 2.
- Run the dir command in the user view to check whether the storage space of the device is full.
- If so, delete unnecessary files to clear the storage space.
- If not, go to step 3.
- Collect required information and contact technical support personnel.
PKI/4/LOCAL_EXPORT_ERR
Possible Causes
- The local certificate does not exist.
- The storage space is full.
- No private key file name is entered when the local certificate is being exported.
- The entered private key password does not meet requirements when the local certificate is being exported.
Procedure
- Run the display pki certificate local command to check whether the local certificate exists.
- If not, obtain or apply for a CA certificate from the CA.
- If so, go to step 2.
- Run the dir command in the user view to check whether the storage space of the device is full.
- If so, delete unnecessary files to clear the storage space.
- If not, go to step 3.
- Check whether the private key file name and password need to be entered when exporting the local certificate.
- If so, enter the private key file name and password as required.
- If not, go to step 4.
- Collect required information and contact technical support personnel.
PKI/4/GET_CA_CERT_ERR
Parameters
Parameter Name | Parameter Meaning |
---|---|
realm_name | Specifies the name of a PKI realm. |
protocol | Specifies the protocol type as SCEP. |
Possible Causes
- The link between the device and CA server is Down.
- The CA server is not working properly.
- The PKI configuration is incorrect.
Procedure
- Run the ping command to check whether the link between the device and CA server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, go to step 2.
- Check whether the CA server is working properly.
- If not, ensure that the CA server has the certificate service enabled and is working properly.
- If so, go to step 3.
- Check whether the PKI configuration is correct, for example, certificate request signature algorithm, challenge password, CA ID, PKI entity common name, and CA server URL.
- If not, modify the configuration to ensure that it is correct.
- If so, go to step 4.
- Collect required information and contact technical support personnel.
PKI/5/GET_CA_CERT_OK
PKI/4/GET_CA_CHAIN_ERR
Message
PKI/4/GET_CA_CHAIN_ERR: Realm [realm-name] failed to obtain the CA certificate chain through [protocol].
Parameters
Parameter Name | Parameter Meaning |
---|---|
realm-name | Specifies the name of a PKI realm. |
protocol | Specifies the protocol type as SCEP. |
Possible Causes
- The link between the device and CA server is Down.
- The PKI configuration is incorrect.
- The storage space is insufficient.
- The CA server is not working properly.
- The CA server does not support the function of obtaining the CA certificate chain.
- The CA certificate chain file does not exist in the CA server.
Procedure
- Run the ping command to check whether the link between the device and certificate server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, go to step 2.
- Run the dir command in the user view to check whether the storage space of the device is full.
- If so, run the delete command in the user view to delete unnecessary files.
- If not, go to step 3.
- Run the display pki realm command in any view to check whether the PKI configurations are correct, including the CA associated with the PKI realm, CA certificate subject name, URL, and digital fingerprint algorithm of the CA certificate.
- If not, modify the configurations to ensure that they are correct.
- If so, go to step 4.
- Check whether the certificate function of the CA server is valid.
- If not, ensure that the certificate function of the CA server is valid and the CA server supports the function of obtaining the CA certificate chain. If the CA does not support the function of obtaining the CA certificate chain, manually download the CA certificate chain to the device.
- If so, go to step 5.
- Check whether the CA certificate chain file exists in the CA server.
- If not, ensure that the CA certificate chain file exists in the CA server.
- If so, go to step 6.
- Collect required information and contact technical support personnel.
PKI/4/GET_CERT_ERR
Parameters
Parameter Name | Parameter Meaning |
---|---|
file_name | Specifies the name of a certificate file. |
protocol | Specifies the protocol type: SCEP. |
Possible Causes
- The link between the device and certificate server is Down.
- The certificate server is not working properly.
- The SCEP configuration is incorrect.
Procedure
- Run the ping command to check whether the link between the device and certificate server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, go to step 2.
- Check whether the certificate server is working properly.
- If not, ensure that the certificate server has the certificate service enabled and is working properly.
- If so, go to step 3.
- Check whether the SCEP configuration is correct, for example, the URL.
- If not, modify the configuration to ensure that it is correct.
- If so, go to step 4.
- Collect required information and contact technical support personnel.
PKI/5/GET_CERT_OK
PKI/4/GETTING_CRL
PKI/4/GET_CRL_ERR
Parameters
Parameter Name | Parameter Meaning |
---|---|
realm_name | Specifies the name of a PKI realm. |
protocol | Specifies the protocol type: SCEP. |
Possible Causes
- The link between the device and CRL server is Down.
- The CRL server is not working properly.
- The PKI configuration is incorrect.
Procedure
- Run the ping command to check whether the link between the device and CRL server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, go to step 2.
- Check whether the CRL server is working properly.
- If not, ensure that the CRL server has the CRL service enabled and is working properly.
- If so, go to step 3.
- Check whether the PKI configuration is correct, including the URL of the CDP and CRL update mode.
- If not, modify the configuration to ensure that it is correct.
- If so, go to step 4.
- Collect required information and contact technical support personnel.
PKI/5/GET_CRL_OK
PKI/5/GET_LOCAL_CERT_OK
PKI/4/GET_LOCAL_CERT_ERR
Message
PKI/4/GET_LOCAL_CERT_ERR: Realm [realm_name] failed to get local certificate through [protocol].
Parameters
Parameter Name | Parameter Meaning |
---|---|
realm_name | Specifies the name of a PKI realm. |
protocol | Specifies the protocol type as SCEP. |
Possible Causes
- The link between the device and CA server is Down.
- The CA server is not working properly.
- No CA and RA certificates are installed on the device.
- The PKI configuration is incorrect.
Procedure
- Run the ping command to check whether the link between the device and CA server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, go to step 2.
- Check whether the CA server is working properly.
- If not, ensure that the CA server has the certificate service enabled and is working properly.
- If so, go to step 3.
- Check whether the CA and RA certificates have been installed.
- If not, install the CA and RA certificates and ensure that the certificates are within the validity period.
- If so, and the CA and RA certificates are not within the validity period, update the CA and RA certificates.
- If so, and the CA and RA certificates are within the validity period, go to step 4.
- Check whether the PKI configuration is correct, for example, certificate request signature algorithm, challenge password, CA ID, PKI entity common name, and CA server URL.
- If not, modify the configuration to ensure that it is correct.
- If so, go to step 5.
- Collect required information and contact technical support personnel.
PKI/4/HTTP_AUTO_GET_CRL_ERR
Message
PKI/4/HTTP_AUTO_GET_CRL_ERR: Realm [realm_name] failed to obtain CRL through HTTP (Reason=[reason]).
Parameters
Parameter Name | Parameter Meaning |
---|---|
realm_name | Specifies the name of a PKI realm. |
reason | Indicates the failure cause. |
Possible Causes
- URL resolution failed: URL parsing failed.
- Failed to connect to the server: Connecting to the server failed.
- The server did not respond within the specified period: Failed to receive the response from the server within the specified period.
- Failed to receive the response message: Failed to process the response received from the server.
- Failed to save the response message: Failed to save the response received from the server.
- The file has been imported or referenced for several times: The CRL file has been imported or referenced several times.
Procedure
- Cause 1: URL resolution failed.
When downloading the CRL using the pki get-crl command, run the display pki realm command to check whether the URL meets requirements.
- If not, run the cdp-url command in the PKI realm view to change the URL.
- If so, collect required information and contact technical support personnel.
- Cause 2: Failed to connect to the server.
Run the ping command to check whether the link between the device and server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, collect required information and contact technical support personnel.
- Cause 3: The server did not respond within the specified period.
Check whether the server is working properly.
- If not, ensure that the server has the CRL service enabled and is working properly.
- If so, collect required information and contact technical support personnel.
- Cause 4: Failed to receive the response message.
Check whether the CRL file of the server exists.
- If not, add the CRL file to ensure that the server can provide the CRL download function.
- If so, collect required information and contact technical support personnel.
- Cause 5: Failed to save the response message.
Run the dir command in the user view to check whether the storage space of the device is full.
- If so, run the delete command in the user view to delete unnecessary files.
- If not, collect required information and contact technical support personnel.
- Cause 6: The file has been imported or referenced for several times.
If the CRL file is being used by multiple PKI realms, the CRL file cannot be updated. To ensure that the CRL file can be updated automatically, ensure that the file is being used by only one PKI realm.
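The following triage sketch is an added example, not vendor code: it parses the PKI/5/CONFIRM_NO_CHECK_ALG, PKI/5/CONFIRM_NO_CHECK_VALIDATE and PKI/4/HTTP_AUTO_GET_CRL_ERR message bodies documented above, flags the confirmations where the operator chose Y, and maps each CRL failure reason to the cause number and first check from the procedure above. The sample log lines, their header prefix, and the realm and host names are constructed; matching the reason by its exact wording is an assumption.

```python
import re

# Message bodies copied from this page; [name] marks a variable field.
TEMPLATES = {
    "CONFIRM_NO_CHECK_ALG":
        "The user chose [string] when deciding whether to import unsafe certificate.",
    "CONFIRM_NO_CHECK_VALIDATE":
        "The user chose [string] when deciding whether to import expired certificate.",
    "HTTP_AUTO_GET_CRL_ERR":
        "Realm [realm_name] failed to obtain CRL through HTTP (Reason=[reason]).",
}

# Reason text and first check per cause, in the order the page lists them.
# Assumption: the device logs each reason with the wording shown on the page.
CRL_CAUSES = [
    ("URL resolution failed",
     "check the URL with display pki realm, change it with cdp-url"),
    ("Failed to connect to the server",
     "ping the server and check interfaces and IP addresses"),
    ("The server did not respond within the specified period",
     "check that the server has the CRL service enabled"),
    ("Failed to receive the response message",
     "check that the CRL file exists on the server"),
    ("Failed to save the response message",
     "run dir and delete unnecessary files if storage is full"),
    ("The file has been imported or referenced for several times",
     "make sure the CRL file is used by only one PKI realm"),
]
FALLBACK = "collect required information and contact technical support"

# Whatever header precedes the PKI/<severity>/<name> tag is ignored.
TAG_RE = re.compile(r"PKI/(?P<sev>\d)/(?P<name>[A-Z0-9_]+):\s*(?P<body>.*)")


def compile_template(template):
    """Turn a page template into a regex with one named group per [field]."""
    parts = re.split(r"\[([\w-]+)\]", template)
    pattern = ""
    for index, part in enumerate(parts):
        if index % 2:  # odd positions are the field names
            pattern += "(?P<%s>.+?)" % part.replace("-", "_")
        else:
            pattern += re.escape(part)
    return re.compile(pattern + r"\s*$")


PATTERNS = {name: compile_template(text) for name, text in TEMPLATES.items()}


def parse(line):
    """Return severity, name and fields for a known PKI message, else None."""
    tag = TAG_RE.search(line)
    if not tag or tag["name"] not in PATTERNS:
        return None
    fields = PATTERNS[tag["name"]].match(tag["body"])
    if not fields:
        return None
    return {"severity": int(tag["sev"]), "name": tag["name"], **fields.groupdict()}


def crl_cause(reason):
    """Map a Reason= value to (cause number, first check) from the page."""
    wanted = reason.strip().rstrip(".").lower()
    for number, (text, check) in enumerate(CRL_CAUSES, start=1):
        if wanted == text.lower():
            return number, check
    return None, FALLBACK


def triage(lines):
    """Collect the events an operator should look at first."""
    findings = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        if event["name"] == "HTTP_AUTO_GET_CRL_ERR":
            cause, check = crl_cause(event["reason"])
            findings.append({"name": event["name"], "subject": event["realm_name"],
                             "cause": cause, "note": check})
        elif event["string"].strip().upper() == "Y":
            kind = "insecure" if event["name"].endswith("ALG") else "expired"
            findings.append({"name": event["name"], "subject": "operator",
                             "cause": None,
                             "note": "chose to import an %s certificate" % kind})
    return findings


# Constructed sample lines; the timestamp and host prefix are illustrative.
SAMPLE = [
    "2024-05-01 09:12:03 fw-edge-01 PKI/5/CONFIRM_NO_CHECK_ALG: The user chose Y when deciding whether to import unsafe certificate.",
    "2024-05-01 09:13:40 fw-edge-01 PKI/5/CONFIRM_NO_CHECK_VALIDATE: The user chose N when deciding whether to import expired certificate.",
    "2024-05-01 10:00:00 fw-edge-01 PKI/4/HTTP_AUTO_GET_CRL_ERR: Realm branch-vpn failed to obtain CRL through HTTP (Reason=Failed to connect to the server).",
    "2024-05-01 11:00:00 fw-edge-01 PKI/4/HTTP_AUTO_GET_CRL_ERR: Realm hq-vpn failed to obtain CRL through HTTP (Reason=The file has been imported or referenced for several times).",
    "2024-05-01 11:05:00 fw-edge-01 unrelated constructed line",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```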
PKI/4/HTTP_GET_CERT_ERR
Message
PKI/4/HTTP_GET_CERT_ERR: Manually obtaining certificate [file_name] through HTTP failed (Reason=[reason]).
Parameters
Parameter Name | Parameter Meaning |
---|---|
file_name | Specifies the name of a certificate file. |
reason | Indicates the failure cause. |
Possible Causes
- URL resolution failed: URL parsing failed.
- Failed to connect to the server: Connecting to the server failed.
- The server did not respond within the specified period: Failed to receive the response from the server within the specified period.
- Failed to receive the response message: Failed to process the response received from the server.
- Failed to save the response message: Failed to save the response received from the server.
Procedure
- Cause 1: URL resolution failed.
Check whether the URL specified using the pki http command meets requirements.
- If not, enter a correct URL when running the pki http command in the system view.
- If so, collect required information and contact technical support personnel.
- Cause 2: Failed to connect to the server.
Run the ping command to check whether the link between the device and server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, collect required information and contact technical support personnel.
- Cause 3: The server did not respond within the specified period.
Check whether the server is working properly.
- If not, ensure that the server has the certificate service enabled and is working properly.
- If so, collect required information and contact technical support personnel.
- Cause 4: Failed to receive the response message.
Check whether the certificate file of the server exists.
- If not, add the certificate file to ensure that the server can provide the certificate download function.
- If so, collect required information and contact technical support personnel.
- Cause 5: Failed to save the response message.
Run the dir command in the user view to check whether the storage space of the device is full.
- If so, run the delete command in the user view to delete unnecessary files.
- If not, collect required information and contact technical support personnel.
PKI/4/HTTP_GET_CRL_ERR
Message
PKI/4/HTTP_GET_CRL_ERR: Manually obtaining CRL [file_name] through HTTP failed (Reason=[reason]).
Parameters
Parameter Name | Parameter Meaning |
---|---|
file_name | Specifies the CRL file name. |
reason | Indicates the failure cause. |
Possible Causes
- URL resolution failed: URL parsing failed.
- Failed to connect to the server: Connecting to the server failed.
- The server did not respond within the specified period: Failed to receive the response from the server within the specified period.
- Failed to receive the response message: Failed to process the response received from the server.
- Failed to save the response message: Failed to save the response received from the server.
Procedure
- Cause 1: URL resolution failed.
When downloading the CRL using the pki get-crl command, run the display pki realm command to check whether the URL meets requirements.
- If not, run the cdp-url command in the PKI realm view to change the URL.
- If so, collect required information and contact technical support personnel.
When downloading the CRL using the pki http command, check whether the URL meets requirements.
- If not, enter a correct URL when running the pki http command in the system view.
- If so, collect required information and contact technical support personnel.
- Cause 2: Failed to connect to the server.
Run the ping command to check whether the link between the device and server is reachable.
- If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
- If so, collect required information and contact technical support personnel.
- Cause 3: The server did not respond within the specified period.
Check whether the server is working properly.
- If not, ensure that the server has the CRL service enabled and is working properly.
- If so, collect required information and contact technical support personnel.
- Cause 4: Failed to receive the response message.
Check whether the CRL file of the server exists.
- If not, add the CRL file to ensure that the server can provide the CRL download function.
- If so, collect required information and contact technical support personnel.
- Cause 5: Failed to save the response message.
Run the dir command in the user view to check whether the storage space of the device is full.
- If so, run the delete command in the user view to delete unnecessary files.
- If not, collect required information and contact technical support personnel.
PKI/4/KEY_IMPORT_FAILED
PKI/4/KEY_IMPORT_OK
PKI/4/GETTING_LOCAL_CERT
PKI/4/LOCAL_IMPORT_ERR
Parameters
Parameter Name | Parameter Meaning |
---|---|
file_name | Specifies the name of a local certificate file. |
Possible Causes
- The certificate file does not exist.
- The certificate file name is invalid.
- The certificate format is incorrect.
- The certificate storage path is incorrect.
- The same certificate exists on the device.
Procedure
- Run the display pki certificate filename file-name command to check whether the certificate exists.
- If not, use methods such as SFTP to upload the certificate to the storage medium of the device.
- If so, go to step 2.
- Check whether the imported certificate file name meets requirements.
- If not, change the certificate file name in accordance with requirements.
- If so, go to step 3.
- Run the pki import-certificate local command to check whether the certificate format selected during certificate import is correct.
- If not, select the correct certificate format when importing the certificate.
- If so, go to step 4.
- Run the dir and display pki credential-storage-path commands in the user view to check whether the certificate storage path is the same as the default storage path of the certificate.
- If not, save the certificate to the default storage path.
- If so, go to step 5.
- Run the display pki certificate local command to check whether the same certificate has been installed on the device or whether the same issuer and subject certificates exist on the device.
- If so, run the pki delete-certificate command in the system view to delete this certificate.
- If not, go to step 6.
- Collect required information and contact technical support personnel.
PKI/4/LOCAL_IMPORT_OK
PKI/4/LOCAL_WILL_EXPIRED
Parameters
Parameter Name | Parameter Meaning |
---|---|
subject_name | Specifies the subject of a local certificate. |
day | Specifies the validity period of the local certificate. |
Procedure
- Apply for certificates online using SCEP or CMPv2.
If the automatic certificate update function is configured, the device automatically updates certificates using SCEP or CMPv2 when the certificates are about to expire or have expired.
You need to ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
If the automatic certificate update function is not configured, and SCEP is used, run the pki enroll-certificate realm command in the system view to manually update the certificates. If CMPv2 is used, run the pki cmp keyupdate-request session command in the system view to manually update the certificates.
Ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
- Apply for certificates offline.
Send the certificate request file to the CA server through the web system, disk, or email to apply for a CA certificate and local certificate.
Run the pki delete-certificate command in the system view to delete the old CA certificate and local certificate from the device memory.
Use methods such as SFTP to upload the obtained CA and local certificates to the storage medium of the device, and run the pki import-certificate command in the system view to import the certificates to the memory of the device.
PKI/4/LOCAL_EXPIRED
Parameters
Parameter Name | Parameter Meaning |
---|---|
subject_name | Specifies the subject of a local certificate. |
day | Specifies the number of days after a local certificate expired. |
Possible Causes
- The certificate failed to be updated automatically.
- The certificate was not updated manually.
Procedure
- Apply for certificates online using SCEP or CMPv2.
If the automatic certificate update function is configured, the device automatically updates certificates using SCEP or CMPv2 when the certificates are about to expire or have expired.
You need to ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
If the automatic certificate update function is not configured, and SCEP is used, run the pki enroll-certificate realm command in the system view to manually update the certificates. If CMPv2 is used, run the pki cmp keyupdate-request session command in the system view to manually update the certificates.
Ensure that the link between the device and CA server is reachable, the PKI configuration is correct, and the CA server is working properly.
- Apply for certificates offline.
Send the certificate request file to the CA server through the web system, disk, or email to apply for a CA certificate and local certificate.
Run the pki delete-certificate command in the system view to delete the old CA certificate and local certificate from the device memory.
Use methods such as SFTP to upload the obtained CA and local certificates to the storage medium of the device, and run the pki import-certificate command in the system view to import the certificates to the memory of the device.
PKI/4/LOCAL_VALID
PKI/4/GET_CRL_ERR
Parameters
Parameter Name | Parameter Meaning |
---|---|
file_name | Specifies the CRL file name. |
protocol | Specifies the protocol type: SCEP. |
Possible Causes
- The link between the device and CRL server is down.
- The CRL server is not working properly.
- The SCEP configuration is incorrect.
Procedure
1. Run the ping command to check whether the link between the device and CRL server is reachable.
   - If not, ensure that the network configurations, including interfaces and IP addresses, are correct.
   - If so, go to step 2.
2. Check whether the CRL server is working properly.
   - If not, ensure that the CRL server has the CRL service enabled and is working properly.
   - If so, go to step 3.
3. Check whether the SCEP configuration is correct, for example, the URL.
   - If not, modify the configuration to ensure that it is correct.
   - If so, go to step 4.
4. Collect required information and contact technical support personnel.
PKI/5/GET_CRL_OK
PKI/4/OCSP_IMPORT_ERR
Possible Causes
- The certificate file does not exist.
- The certificate file name is invalid.
- The certificate format is incorrect.
- The certificate storage path is incorrect.
- The same certificate exists on the device.
Procedure
1. Run the display pki certificate filename file-name command to check whether the certificate exists.
   - If not, use methods such as SFTP to upload the certificate to the storage medium of the device.
   - If so, go to step 2.
2. Check whether the imported certificate file name meets requirements.
   - If not, change the certificate file name in accordance with requirements.
   - If so, go to step 3.
3. Run the pki import-certificate ocsp command to check whether the certificate format selected during certificate import is correct.
   - If not, select the correct certificate format when importing the certificate.
   - If so, go to step 4.
4. Run the dir and display pki credential-storage-path commands in the user view to check whether the certificate storage path is the same as the default storage path of the certificate.
   - If not, save the certificate to the default storage path.
   - If so, go to step 5.
5. Run the display pki certificate ocsp command to check whether the same certificate has been installed on the device or whether the same issuer and subject certificates exist on the device.
   - If so, run the pki delete-certificate command in the system view to delete this certificate.
   - If not, go to step 6.
6. Collect required information and contact technical support personnel.
PKI/4/PEER_IMPORT_ERR
Possible Causes
- The certificate file does not exist.
- The certificate file name is invalid.
- The certificate format is incorrect.
- The certificate storage path is incorrect.
- The same certificate exists on the device.
Procedure
1. Run the display pki certificate filename file-name command to check whether the certificate exists.
   - If not, use methods such as SFTP to upload the certificate to the storage medium of the device.
   - If so, go to step 2.
2. Check whether the imported certificate file name meets requirements.
   - If not, change the certificate file name in accordance with requirements.
   - If so, go to step 3.
3. Run the pki import-certificate peer command to check whether the certificate format selected during certificate import is correct.
   - If not, select the correct certificate format when importing the certificate.
   - If so, go to step 4.
4. Run the dir and display pki credential-storage-path commands in the user view to check whether the certificate storage path is the same as the default storage path of the certificate.
   - If not, save the certificate to the default storage path.
   - If so, go to step 5.
5. Run the display pki peer-certificate command to check whether the same certificate has been installed on the device or whether the same issuer and subject certificates exist on the device.
   - If so, run the pki release-certificate peer command in the system view to delete this certificate.
   - If not, go to step 6.
6. Collect required information and contact technical support personnel.
PKI/4/RSA_CREATE
PKI/4/RSA_CREATE_FAILED
PKI/4/RSA_CREATE_OK
PKI/4/RSA_DESTROY_FAILED
Parameters
Parameter Name | Parameter Meaning |
---|---|
key_type | Key pair type. |
key_name | Specifies the name of a key pair. |
Procedure
1. Check whether the key pair exists on the device. For example, run the display pki rsa local-key-pair public command to view RSA key pair information.
   - If not, confirm whether to delete another RSA key pair.
   - If so, go to step 2.
2. Check whether the key pair is being used by services. For example, check whether it is being referenced by the PKI realm.
   - If so, ensure that the key pair is not used by any services.
   - If not, go to step 3.
3. Collect required information and contact technical support personnel.
PKI/4/RSA_DESTROY_SUCCEED
PKI/4/RSA_REPLACE
PKI/4/SCEP_UPDATE_LOCAL_CERT_ERR
Message
PKI/4/SCEP_UPDATE_LOCAL_CERT_ERR: Updating the local certificate ([certificate-name]) through SCEP failed.
Parameters
Parameter Name | Parameter Meaning |
---|---|
certificate-name | Indicates the name of a local certificate. |
Procedure
1. Check whether the route between the device and CA server is reachable using the ping function.
   - If the route between them is reachable, go to step 2.
   - If the route between them is unreachable, rectify the route and link fault to ensure a reachable route.
2. Check whether the PKI configuration on the CA server is correct. The configuration includes the URL, CA name, digest method used for the signed certificate enrollment requests, challenge password used in SCEP certificate application, and digital fingerprint of the CA certificate.
   - If the configuration is incorrect, correct the configuration.
   - If the configuration is correct, go to step 3.
3. Collect log and configuration information, and contact technical support personnel.
PKI/5/SCEP_UPDATE_LOCAL_CERT_OK
Message
PKI/5/SCEP_UPDATE_LOCAL_CERT_OK: Updating the local certificate ([certificate-name]) through SCEP succeeded.
Parameters
Parameter Name | Parameter Meaning |
---|---|
certificate-name | Indicates the name of a local certificate. |
PKI/4/YANG_CERT_UPDATE_ERR
Message
PKI/4/YANG_CERT_UPDATE_ERR: Updating the [certificate-type] certificate (realm=[realm-name]) through controller failed (ReasonCode=[reason-code], Reason=[reason]).
Parameters
Parameter Name | Parameter Meaning |
---|---|
certificate-type | Specifies the certificate type. |
realm-name | Specifies the name of a PKI realm. |
reason-code | Specifies the reason code of the certificate update failure: |
reason | Specifies the reason of the certificate update failure: |
Procedure
- Invalid realm
Check whether the realm name is created or valid. For details about the PKI realm name specifications, see the pki realm command.
- Shadow certificate does not exist
Check whether the shadow certificate exists. If not, import it first.
- Refreshing certificate failed, Replacing key failed, Saving shadow certificate failed, Saving shadow key failed, Saving certificate file failed, or Importing key failed
Check whether the storage space on the device is full. If so, delete unnecessary files. If not, enable debugging of the PKI module in the user view and check debugging information to locate the fault, or contact technical support personnel.
- Certificate file does not exist or Replacing certificate does not exist
Check whether the certificate file or certificate has been imported to the storage media of the device.
- Parsing file content failed
Check whether the file format is correct.
- Unsupported file format
The device does not support this file format. Import a certificate file in the PEM format.
- Getting key of certificate Failed
Check whether the key pair corresponding to the certificate has been imported.
- Importing certificate file failed
Check whether the number of certificates reaches the maximum. If so, delete unused certificates.
- Other reasons.
Contact technical support personnel.
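The following is an added example, not part of the original reference or the vendor's tooling: a log triage helper that parses the SCEP_UPDATE_LOCAL_CERT_ERR and YANG_CERT_UPDATE_ERR message bodies documented above and maps each Reason string to the first check from the procedure list. The function name `triage`, the sample realm and certificate names, and the reason-code values are assumptions constructed for illustration.

```python
import re

# Message bodies as documented on this page; any syslog prefix before "PKI/" is ignored.
YANG_ERR = re.compile(
    r"PKI/4/YANG_CERT_UPDATE_ERR: Updating the (?P<cert_type>.+?) certificate "
    r"\(realm=(?P<realm>[^)]*)\) through controller failed "
    r"\(ReasonCode=(?P<code>[^,]*), Reason=(?P<reason>.*)\)")
SCEP_ERR = re.compile(
    r"PKI/4/SCEP_UPDATE_LOCAL_CERT_ERR: Updating the local certificate "
    r"\((?P<cert>.*)\) through SCEP failed")

STORAGE_REASONS = ("refreshing certificate failed", "replacing key failed",
                   "saving shadow certificate failed", "saving shadow key failed",
                   "saving certificate file failed", "importing key failed")
PRESENT = "check that the certificate file or certificate was imported to storage"
# Reason text (lower-cased) -> first check from the Procedure list above.
CHECKS = {
    "invalid realm": "check that the PKI realm is created and its name is valid",
    "shadow certificate does not exist": "import the shadow certificate",
    "certificate file does not exist": PRESENT,
    "replacing certificate does not exist": PRESENT,
    "parsing file content failed": "check the file format",
    "unsupported file format": "import the certificate file in PEM format",
    "getting key of certificate failed": "check that the matching key pair was imported",
    "importing certificate file failed": "check whether the certificate limit is reached",
    **{r: "check free storage space, then PKI debugging output" for r in STORAGE_REASONS},
}
OTHER = "contact technical support personnel"

def triage(lines):
    """Return (event, target, reason, next_check) for each update-failure line."""
    out = []
    for line in lines:
        y, s = YANG_ERR.search(line), SCEP_ERR.search(line)
        if y:
            reason = y["reason"].strip()
            out.append(("YANG_CERT_UPDATE_ERR", y["realm"], reason,
                        CHECKS.get(reason.rstrip(".").lower(), OTHER)))
        elif s:
            out.append(("SCEP_UPDATE_LOCAL_CERT_ERR", s["cert"], "",
                        "check the route to the CA server with ping, then the PKI configuration"))
    return out

# Constructed sample lines: realm names, certificate names and reason codes are made up.
SAMPLE = [
    "PKI/4/YANG_CERT_UPDATE_ERR: Updating the local certificate (realm=branch01) through controller failed (ReasonCode=1, Reason=Unsupported file format).",
    "PKI/5/SCEP_UPDATE_LOCAL_CERT_OK: Updating the local certificate (local_demo) through SCEP succeeded.",
    "PKI/4/SCEP_UPDATE_LOCAL_CERT_ERR: Updating the local certificate (local_demo) through SCEP failed.",
    "PKI/4/YANG_CERT_UPDATE_ERR: Updating the CA certificate (realm=branch02) through controller failed (ReasonCode=99, Reason=Constructed unknown reason).",
]
```

Calling `triage(SAMPLE)` returns three entries: the success line is skipped, and a Reason string that is not in the procedure list falls through to the "Other reasons" action.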
PKI/4/YANG_CERT_UPDATE_OK