PKI
This section describes the PKI configuration model and provides examples of packets.
Data Model
The PKI configuration model file is huawei-pki.yang.
Object | Description | Value Range | Remarks
---|---|---|---
/huawei-pki:certificate-operation | Imports certificates. It is a root object, which is only used to contain sub-objects, but does not have any data meaning. | - | N/A
/huawei-pki:certificate-operation/files/realm-name | PKI realm name. Only the default realm is supported. | - | N/A
/huawei-pki:certificate-operation/files/certificate-type | Certificate type. Only CA and local certificates are supported. | - | N/A
/huawei-pki:certificate-operation/files/file-name | Certificate file name. | The value is a string of 1 to 64 case-insensitive characters without spaces or question marks (?). | N/A
/huawei-pki:certificate-operation/files/file-format | Certificate format. Only the PEM format is supported. | - | N/A
/huawei-pki:certificate-operation/files/operation-type | Certificate operation type. Only the import operation is supported. | - | N/A
/huawei-pki:certificate-operation/files/password | The password is required only for certificate import. | The value is a string of 6 to 32 case-sensitive characters without question marks (?). | N/A
/huawei-pki:certificate-operation/files/vsys-name | Name of a VS. If the root system is used, the name is public. | - | N/A
/huawei-pki:certificate-replace | Replaces certificates. It is a root object, which is only used to contain sub-objects, but does not have any data meaning. | - | N/A
/huawei-pki:certificate-replace/files/realm-name | PKI realm name. Only the default realm is supported. | - | N/A
/huawei-pki:certificate-replace/files/certificate-type | Certificate type. Only CA and local certificates are supported. | - | N/A
/huawei-pki:certificate-replace/files/file-name | Certificate file name. Only the PEM format is supported. | The value is a string of 1 to 64 case-insensitive characters without spaces or question marks (?). | N/A
/huawei-pki:certificate-adoption/realms/certificate-expire-warning/start-timestamp | Configures the expiry warning time of the local certificate and CA certificate stored in the device memory. | The value is an integer that ranges from 7 to 180. The default value is 7. | N/A
/huawei-pki:certificate-status-notification | Reports an alarm when the certificate reaches the expiry time. | - | N/A
Importing Certificates
This section describes how to import certificates using the RPC method.
Operation | XPATH
---|---
edit-config: default | /huawei-pki:certificate-operation
Data Requirements
Item | Data | Description
---|---|---
Realm name | default | The local certificate file local.pem is imported to the default realm of the root system using the password huawei@1234.
Certificate type | local |
Certificate file name | local.pem |
Certificate format | PEM |
Certificate operation type | import |
Password | huawei@1234 |
Virtual system name | public |
Request Example
```xml
<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <pki:certificate-operation xmlns:pki="urn:huawei:params:xml:ns:yang:huawei-pki">
    <pki:files>
      <pki:realm-name>default</pki:realm-name>
      <pki:certificate-type>local</pki:certificate-type>
      <pki:file-name>local.pem</pki:file-name>
      <pki:file-format>pem</pki:file-format>
      <pki:operation-type>import</pki:operation-type>
      <pki:password>huawei@1234</pki:password>
      <pki:vsys-name>public</pki:vsys-name>
    </pki:files>
  </pki:certificate-operation>
</rpc>
```
Response Example
Successful import (error-tag 0):

```xml
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <errors>
    <errors xmlns="urn:huawei:params:xml:ns:yang:huawei-pki:certificate-operation">
      <realm-name>default</realm-name>
      <error-tag>0</error-tag>
    </errors>
  </errors>
</rpc-reply>
```

Failed import (error-tag 1):

```xml
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <errors>
    <errors xmlns="urn:huawei:params:xml:ns:yang:huawei-pki:certificate-operation">
      <realm-name>default</realm-name>
      <error-tag>1</error-tag>
    </errors>
  </errors>
</rpc-reply>
```
Response error-tag types:
- 0: Operation succeeded.
- 1: Operation failed.
- 2: The parameter is invalid.
- 3: The realm name is invalid.
- 4: The shadow certificate does not exist.
- 5: Failed to replace the certificate.
- 6: Failed to replace the key pair.
- 7: The imported file does not exist.
- 8: Failed to parse the imported file.
- 9: Unsupported file format.
- 10: The shadow certificate already exists.
- 11: Failed to save the shadow certificate.
- 12: Failed to search for the key pair based on certificate.
- 13: Failed to save the shadow key pair.
- 14: Failed to save the certificate file.
- 15: Failed to import certificate.
- 16: Failed to save the key pair.
- 17: Failed to save the certificate and key pair to the specified path.
- 18: The shadow certificate to be replaced does not exist.
- 19: The path for storing the certificate is invalid.
- 20: Unsupported operation.
- 21: Failed to search for the key pair written into the specified file.
- 22: Failed to save the certificate to the specified path.
- 23: The file name is too long.
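The import request and its reply, as an added Python example that is not the device's or the huawei-pki module's own code: it builds the certificate-operation RPC shown above with the standard library, enforces the value ranges from the data model before the request leaves the management host, and maps the error-tag of a reply to its documented meaning. Assumptions: the lowercase value "ca" for CA certificates, the ERROR_TAGS subset, and a constructed reply; the NETCONF transport itself is left to whichever client you use.

```python
import re
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
PKI = "urn:huawei:params:xml:ns:yang:huawei-pki"
ET.register_namespace("nc", NC)
ET.register_namespace("pki", PKI)

# Subset of the documented error-tag values (0-23); extend it from the list above.
ERROR_TAGS = {0: "Operation succeeded", 1: "Operation failed", 2: "The parameter is invalid",
              3: "The realm name is invalid", 7: "The imported file does not exist",
              8: "Failed to parse the imported file", 9: "Unsupported file format",
              15: "Failed to import certificate", 20: "Unsupported operation",
              23: "The file name is too long"}

def build_import_rpc(message_id, file_name, password, cert_type="local",
                     realm="default", vsys="public"):
    """Build the certificate-operation import RPC, enforcing the data-model value ranges
    (file-name 1-64 chars, no space or '?'; password 6-32 chars, no '?';
    certificate-type ca or local, with "ca" assumed as the CA value)."""
    if not 1 <= len(file_name) <= 64 or re.search(r"[ ?]", file_name):
        raise ValueError("file-name must be 1-64 characters without spaces or '?'")
    if not 6 <= len(password) <= 32 or "?" in password:
        raise ValueError("password must be 6-32 characters without '?'")
    if cert_type not in ("ca", "local"):
        raise ValueError("certificate-type must be ca or local")
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": str(message_id)})
    files = ET.SubElement(ET.SubElement(rpc, f"{{{PKI}}}certificate-operation"),
                          f"{{{PKI}}}files")
    for tag, value in (("realm-name", realm), ("certificate-type", cert_type),
                       ("file-name", file_name), ("file-format", "pem"),
                       ("operation-type", "import"), ("password", password),
                       ("vsys-name", vsys)):
        ET.SubElement(files, f"{{{PKI}}}{tag}").text = value  # ET escapes <, & in values
    return ET.tostring(rpc, encoding="unicode")

def parse_reply(xml_text):
    """Return (realm, error_tag, message) from a certificate-operation or
    certificate-replace rpc-reply; elements are matched on local name, so the
    namespace of either operation works."""
    fields = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip()
              for el in ET.fromstring(xml_text).iter()}
    tag = int(fields["error-tag"])
    return fields.get("realm-name"), tag, ERROR_TAGS.get(tag, "undocumented error-tag")

# Constructed reply with the same shape as the response example above, error-tag 9.
SAMPLE_REPLY = ('<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">'
                '<errors><errors xmlns="urn:huawei:params:xml:ns:yang:huawei-pki:certificate-operation">'
                '<realm-name>default</realm-name><error-tag>9</error-tag></errors></errors></rpc-reply>')

if __name__ == "__main__":
    print(build_import_rpc(1, "local.pem", "huawei@1234"))
    print(parse_reply(SAMPLE_REPLY))
```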
Replacing Certificates
This section describes how to replace certificates using the RPC method.
Operation | XPATH
---|---
edit-config: default | /huawei-pki:certificate-replace
Data Requirements
Item | Data | Description
---|---|---
Realm name | default | The local certificate file local1.pem is replaced in the default realm.
Certificate type | 1 |
Certificate file name | local1.pem |
Request Example
```xml
<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <pki:certificate-replace xmlns:pki="urn:huawei:params:xml:ns:yang:huawei-pki">
    <pki:files>
      <pki:realm-name>default</pki:realm-name>
      <pki:certificate-type>local</pki:certificate-type>
      <pki:file-name>local1.pem</pki:file-name>
    </pki:files>
  </pki:certificate-replace>
</rpc>
```
Response Example
Successful replacement (error-tag 0):

```xml
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <errors>
    <errors xmlns="urn:huawei:params:xml:ns:yang:huawei-pki:certificate-replace">
      <realm-name>default</realm-name>
      <error-tag>0</error-tag>
    </errors>
  </errors>
</rpc-reply>
```

Failed replacement (error-tag 1):

```xml
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <errors>
    <errors xmlns="urn:huawei:params:xml:ns:yang:huawei-pki:certificate-replace">
      <realm-name>default</realm-name>
      <error-tag>1</error-tag>
    </errors>
  </errors>
</rpc-reply>
```
Response error-tag types:
- 0: Operation succeeded.
- 1: Operation failed.
- 2: The parameter is invalid.
- 3: The realm name is invalid.
- 4: The shadow certificate does not exist.
- 5: Failed to replace the certificate.
- 6: Failed to replace the key pair.
- 7: The imported file does not exist.
- 8: Failed to parse the imported file.
- 9: Unsupported file format.
- 10: The shadow certificate already exists.
- 11: Failed to save the shadow certificate.
- 12: Failed to search for the key pair based on certificate.
- 13: Failed to save the shadow key pair.
- 14: Failed to save the certificate file.
- 15: Failed to import certificate.
- 16: Failed to save the key pair.
- 17: Failed to save the certificate and key pair to the specified path.
- 18: The shadow certificate to be replaced does not exist.
- 19: The path for storing the certificate is invalid.
- 20: Unsupported operation.
- 21: Failed to search for the key pair written into the specified file.
- 22: Failed to save the certificate to the specified path.
- 23: The file name is too long.
Configuring the Certificate Expiry Warning Time
This section provides sample packets for configuring the certificate expiry warning time using the merge method. The create method can also be used for this configuration.
Operation | XPATH
---|---
edit-config: merge | /huawei-pki:certificate-adoption/realms/certificate-expire-warning
Data Requirements
Item | Data | Description
---|---|---
Realm name | default | The certificate expiry warning time in the default realm is set to 10 days.
Certificate expiry warning time | 10 |
Request Example
```xml
<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="2" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <pki:certificate-adoption xmlns:pki="urn:huawei:params:xml:ns:yang:huawei-pki">
        <pki:realms>
          <pki:name>default</pki:name>
          <pki:certificate-expire-warning xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <pki:start-timestamp>10</pki:start-timestamp>
          </pki:certificate-expire-warning>
        </pki:realms>
      </pki:certificate-adoption>
    </config>
  </edit-config>
</rpc>
```
Sample Certificate Expiry Alarm

```xml
<notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
  <eventTime> 2017-03-29 13:31:43 </eventTime>
  <certificate-status-notification xmlns="urn:huawei:params:xml:ns:yang:huawei-pki">
    <warning-records>
      <realm-name> default </realm-name>
      <certificate-type> local </certificate-type>
      <subject-name> //CN=50 </subject-name>
      <certificate-begin-day> 2016-03-31 14:04:05 </certificate-begin-day>
      <certificate-end-day> 2017-03-31 14:14:05 </certificate-end-day>
    </warning-records>
  </certificate-status-notification>
</notification>
```
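Consuming the expiry alarm on the collector side, as an added Python example that is not the device's or the huawei-pki module's own code: it parses a certificate-status-notification, computes how many days remain before certificate-end-day at the time of the event, and flags records that fall inside the configured warning window. Assumptions: the notification wrapper namespace from the NETCONF notification standard, the timestamp layout shown in the alarm sample, and a constructed notification with the sample's values.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NOTIF = "urn:ietf:params:xml:ns:netconf:notification:1.0"
PKI = "urn:huawei:params:xml:ns:yang:huawei-pki"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # timestamp layout used in the alarm sample

# Constructed notification with the same layout and values as the alarm sample above;
# the device pads element text with spaces, so every value is stripped before use.
SAMPLE_ALARM = f"""<notification xmlns="{NOTIF}">
<eventTime> 2017-03-29 13:31:43 </eventTime>
<certificate-status-notification xmlns="{PKI}">
<warning-records>
<realm-name> default </realm-name>
<certificate-type> local </certificate-type>
<subject-name> //CN=50 </subject-name>
<certificate-begin-day> 2016-03-31 14:04:05 </certificate-begin-day>
<certificate-end-day> 2017-03-31 14:14:05 </certificate-end-day>
</warning-records>
</certificate-status-notification>
</notification>"""

def parse_expiry_alarm(xml_text):
    """Turn a certificate-status-notification into one dict per warning-records entry,
    with the days left until certificate-end-day measured at eventTime."""
    root = ET.fromstring(xml_text)
    event = datetime.strptime(root.findtext(f"{{{NOTIF}}}eventTime").strip(), TS_FORMAT)
    records = []
    for rec in root.iter(f"{{{PKI}}}warning-records"):
        text = lambda tag: (rec.findtext(f"{{{PKI}}}{tag}") or "").strip()
        end = datetime.strptime(text("certificate-end-day"), TS_FORMAT)
        records.append({
            "realm": text("realm-name"),
            "type": text("certificate-type"),
            "subject": text("subject-name"),
            "not_after": end,
            "days_left": (end - event).days,  # negative once the certificate has expired
            "expired": end <= event,
        })
    return records

def needs_renewal(record, warn_days=10):
    """True when the record is inside the warning window (start-timestamp, 10 days in the
    edit-config example above) or the certificate has already expired."""
    return record["expired"] or record["days_left"] <= warn_days

if __name__ == "__main__":
    for r in parse_expiry_alarm(SAMPLE_ALARM):
        print(r["realm"], r["type"], r["subject"], r["days_left"], needs_renewal(r))
```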