15-PKI Commands
attribute
Syntax
attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
undo attribute { id | all }
View
Certificate attribute group view
Default level
2: System level
Parameters
id: Sequence number of the certificate attribute rule, in the range 1 to 16.
alt-subject-name: Specifies the name of the alternative certificate subject.
fqdn: Specifies the FQDN of the entity.
ip: Specifies the IP address of the entity.
issuer-name: Specifies the name of the certificate issuer.
subject-name: Specifies the name of the certificate subject.
dn: Specifies the distinguished name of the entity.
ctn: Specifies the contain operation.
equ: Specifies the equal operation.
nctn: Specifies the not-contain operation.
nequ: Specifies the not-equal operation.
attribute-value: Value of the certificate attribute, a case-insensitive string of 1 to 128 characters.
all: Specifies all attribute rules in the group.
Description
Use the attribute command to configure attribute rules that match on the certificate issuer name, subject name, or alternative subject name.
Use the undo attribute command to delete one or all attribute rules in the group.
By default, no restriction exists on the issuer name, subject name, and alternative subject name of a certificate.
The alternative subject name is not expressed as a distinguished name, so the dn keyword is not available with alt-subject-name.
Examples
# Create a certificate attribute rule, specifying that the DN in the subject name includes the string of abc.
<Sysname> system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc
# Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string of abc.
[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc
# Create a certificate attribute rule, specifying that the IP address in the alternative subject name cannot be 10.0.0.1.
[Sysname-pki-cert-attribute-group-mygroup] attribute 3 alt-subject-name ip nequ 10.0.0.1
ca identifier
Syntax
ca identifier name
undo ca identifier
View
PKI domain view
Default level
2: System level
Parameters
name: Name of the trusted CA, a case-insensitive string of 1 to 63 characters.
Description
Use the ca identifier command to specify the trusted CA and bind the device with the CA.
Use the undo ca identifier command to remove the configuration.
By default, no trusted CA is specified for a PKI domain.
Certificate request, retrieval, revocation, and query all depend on the trusted CA.
Examples
# Specify the trusted CA as new-ca.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] ca identifier new-ca
certificate request entity
Syntax
certificate request entity entity-name
undo certificate request entity
View
PKI domain view
Default level
2: System level
Parameters
entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters.
Description
Use the certificate request entity command to specify the entity for certificate request.
Use the undo certificate request entity command to remove the configuration.
By default, no entity is specified for certificate request.
Related commands: pki entity.
Examples
# Specify the entity for certificate request as entity1.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request entity entity1
certificate request from
Syntax
certificate request from { ca | ra }
undo certificate request from
View
PKI domain view
Default level
2: System level
Parameters
ca: Indicates that the entity requests a certificate from a CA.
ra: Indicates that the entity requests a certificate from an RA.
Description
Use the certificate request from command to specify the authority for certificate request.
Use the undo certificate request from command to remove the configuration.
By default, no authority is specified for certificate request.
Examples
# Specify that the entity requests a certificate from the CA.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request from ca
certificate request mode
Syntax
certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual }
undo certificate request mode
View
PKI domain view
Default level
2: System level
Parameters
auto: Requests a certificate in auto mode.
key-length: Length of the RSA key pair in bits, in the range 512 to 2048. The default is 1024 bits. 512-bit RSA keys can be factored with modest resources and 1024-bit keys are no longer considered adequate; use 2048 wherever the CA accepts it.
cipher: Stores and displays the password in the configuration in cipher text.
simple: Stores and displays the password in the configuration in clear text.
password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters.
manual: Requests a certificate in manual mode.
Description
Use the certificate request mode command to set the certificate request mode.
Use the undo certificate request mode command to restore the default.
By default, manual mode is used.
In auto mode, an entity automatically requests a certificate from the RA or CA when it has no certificate. It does not automatically re-request a certificate that is about to expire or has expired; to obtain a new local certificate in that case, request one manually. In manual mode, all operations associated with certificate request are carried out manually.
Related commands: pki request-certificate.
Examples
# Specify to request a certificate in auto mode.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request mode auto
certificate request polling
Syntax
certificate request polling { count count | interval minutes }
undo certificate request polling { count | interval }
View
PKI domain view
Default level
2: System level
Parameters
count count: Specifies the maximum number of attempts to poll the status of the certificate request, in the range 1 to 100.
interval minutes: Specifies the polling interval in minutes, in the range 5 to 168.
Description
Use the certificate request polling command to specify the certificate request polling interval and attempt limit.
Use the undo certificate request polling command to restore the defaults.
By default, the polling is executed every 20 minutes for up to 50 times.
After an applicant submits a certificate request, a long time might pass before the certificate is signed if the CA verifies requests manually. During this period, the applicant polls the status of the request periodically so that it obtains the certificate as soon as it is signed.
Related commands: display pki certificate.
Examples
# Specify the polling interval as 15 minutes and the maximum number of attempts as 40.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request polling interval 15
[Sysname-pki-domain-1] certificate request polling count 40
certificate request url
Syntax
certificate request url url-string
undo certificate request url
View
PKI domain view
Default level
2: System level
Parameters
url-string: URL of the server for certificate request, a case-insensitive string of 1 to 127 characters. It comprises the location of the server and the location of CGI command interface script in the format of http://server_location/ca_script_location, where server_location must be an IP address and does not support domain name resolution.
Description
Use the certificate request url command to specify the URL of the server for certificate request through SCEP. SCEP runs over plain HTTP, so the CA certificate obtained from this server should be checked against the fingerprint configured with the root-certificate fingerprint command before it is trusted.
Use the undo certificate request url command to remove the configuration.
By default, no URL is specified for a PKI domain.
Examples
# Specify the URL of the server for certificate request.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll
common-name
Syntax
common-name name
undo common-name
View
PKI entity view
Default level
2: System level
Parameters
name: Common name of an entity, a case-insensitive string of 1 to 31 characters. No comma can be included.
Description
Use the common-name command to configure the common name of an entity, which can be, for example, the user name.
Use the undo common-name command to remove the configuration.
By default, no common name is specified.
Examples
# Configure the common name of an entity as test.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] common-name test
country
Syntax
country country-code-str
undo country
View
PKI entity view
Default level
2: System level
Parameters
country-code-str: Country code for the entity, a 2-character case-insensitive string.
Description
Use the country command to specify the code of the country to which an entity belongs. It is a standard 2-character code, for example, CN for China.
Use the undo country command to remove the configuration.
By default, no country code is specified.
Examples
# Set the country code of an entity to CN.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] country CN
crl check
Syntax
crl check { disable | enable }
View
PKI domain view
Default level
2: System level
Parameters
disable: Disables CRL checking.
enable: Enables CRL checking.
Description
Use the crl check command to enable or disable CRL checking.
By default, CRL checking is enabled.
CRLs are files issued by the CA to publish all certificates that have been revoked. Revocation of a certificate might occur before the certificate expires. CRL checking is intended for checking whether a certificate has been revoked. A revoked certificate is no longer trusted.
Examples
# Disable CRL checking.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl check disable
crl update-period
Syntax
crl update-period hours
undo crl update-period
View
PKI domain view
Default level
2: System level
Parameters
hours: CRL update period in hours, in the range 1 to 720.
Description
Use the crl update-period command to set the CRL update period, that is, the interval at which a PKI entity holding a certificate downloads the latest CRL from the CRL distribution point specified with the crl url command.
Use the undo crl update-period command to restore the default.
By default, the CRL update period depends on the next update field in the CRL file.
Examples
# Set the CRL update period to 20 hours.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl update-period 20
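The two decisions described under crl check and crl update-period, worked through as an added Python example (not part of this reference and not the device's code): when the next CRL download is due, and what a revocation check returns when CRL checking is disabled or the cached CRL is past its Next Update. The issuer and update times come from the display pki crl domain sample output later on this page; the serial numbers are constructed, and treating a stale or missing CRL as "unknown" rather than "good" is this example's fail-closed choice, not a documented device behaviour.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional


def utc(*ymdhms) -> datetime:
    """Build a timezone-aware UTC timestamp (CRL times are printed in GMT)."""
    return datetime(*ymdhms, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CRL:
    issuer: str
    last_update: datetime
    next_update: datetime
    revoked: FrozenSet[str]  # serial numbers, upper-case hex without spaces


def norm_serial(serial: str) -> str:
    """Serials print with spaces ("10B7D4E3 00010000 0086"); compare them without."""
    return serial.replace(" ", "").upper()


def next_crl_refresh(crl: CRL, downloaded_at: datetime,
                     update_period_hours: Optional[int] = None) -> datetime:
    """crl update-period fixes the refresh interval (1 to 720 hours);
    by default the CRL's own Next Update field decides."""
    if update_period_hours is not None:
        if not 1 <= update_period_hours <= 720:
            raise ValueError("crl update-period accepts 1 to 720 hours")
        return downloaded_at + timedelta(hours=update_period_hours)
    return crl.next_update


def certificate_status(serial: str, crl: Optional[CRL], now: datetime,
                       crl_check: bool = True) -> str:
    """Return 'good', 'revoked' or 'unknown'; only 'good' should be accepted."""
    if not crl_check:
        return "good"  # crl check disable: a revoked certificate is still accepted
    if crl is None or now > crl.next_update:
        return "unknown"  # missing or stale CRL: fail closed (this example's choice)
    return "revoked" if norm_serial(serial) in crl.revoked else "good"


# Issuer and update times from the "display pki crl domain" sample output on this
# page; the revoked serial numbers are constructed.
SAMPLE_CRL = CRL(
    issuer="C=CN,O=abc,OU=soft,CN=A Test Root",
    last_update=utc(2004, 1, 5, 8, 44, 19),
    next_update=utc(2004, 1, 5, 21, 42, 13),
    revoked=frozenset({"05A234448E01", "05A278445E02"}),
)

if __name__ == "__main__":
    now = utc(2004, 1, 5, 12, 0, 0)
    print("refresh (update-period 20):", next_crl_refresh(SAMPLE_CRL, now, 20))
    print("refresh (default):         ", next_crl_refresh(SAMPLE_CRL, now))
    print("05a234448e 01 ->", certificate_status("05a234448e 01", SAMPLE_CRL, now))
    print("same serial, stale CRL ->",
          certificate_status("05a234448e 01", SAMPLE_CRL, utc(2004, 1, 6, 0, 0, 0)))
```

The stale-CRL branch is the case to think about before choosing crl update-period: a fixed period longer than the CA's Next Update interval leaves the device validating against a CRL the CA no longer stands behind.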
crl url
Syntax
crl url url-string
undo crl url
View
PKI domain view
Default level
2: System level
Parameters
url-string: URL of the CRL distribution point, a case-insensitive string of 1 to 127 characters in the format of ldap://server_location or http://server_location, where server_location must be an IP address and does not support domain name resolution.
Description
Use the crl url command to specify the URL of the CRL distribution point.
Use the undo crl url command to remove the configuration.
By default, no CRL distribution point URL is specified.
When the URL of the CRL distribution point is not set, you should acquire the CA certificate and a local certificate, and then acquire a CRL through SCEP.
Examples
# Specify the URL of the CRL distribution point.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl url ldap://169.254.0.30
display pki certificate
Syntax
display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
ca: Displays the CA certificate.
local: Displays the local certificate.
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
request-status: Displays the status of a certificate request.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display pki certificate command to display the contents or request status of a certificate.
Related commands: certificate request polling, pki domain, and pki retrieval-certificate.
Examples
# Display the local certificate.
<Sysname> display pki certificate local domain 1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
10B7D4E3 00010000 0086
Signature Algorithm: md5WithRSAEncryption
Issuer:
C=CN
ST=Country A
L=City X
O=abc
OU=bjs
CN=new-ca
Validity
Not Before: Jan 13 08:57:21 2004 GMT
Not After : Jan 20 09:07:21 2005 GMT
Subject:
C=CN
ST=Country B
L=City Y
CN=pki test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00D41D1F …
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: hyf.xxyyzz.net
X509v3 CRL Distribution Points:
URI:http://1.1.1.1:447/myca.crl
… …
Signature Algorithm: md5WithRSAEncryption
A3A5A447 4D08387D …
Table 1 Output description
Field | Description |
---|---|
Version | Version of the certificate |
Serial Number | Serial number of the certificate |
Signature Algorithm | Signature algorithm |
Issuer | Issuer of the certificate |
Validity | Validity period of the certificate |
Subject | Entity holding the certificate |
Subject Public Key Info | Public key information of the entity |
X509v3 extensions | Extensions of the X.509 (version 3) certificate |
X509v3 CRL Distribution Points | Distribution points of X.509 (version 3) CRLs |
The sample certificate above carries an md5WithRSAEncryption signature and a 512-bit RSA key. Both are illustration only; a current relying party would reject either, and a local certificate in production should use a 2048-bit key and a SHA-2 signature from the CA.
display pki certificate access-control-policy
Syntax
display pki certificate access-control-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
policy-name: Name of the certificate attribute-based access control policy, a string of 1 to 16 characters.
all: Specifies all certificate attribute-based access control policies.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display pki certificate access-control-policy command to display information about one or all certificate attribute-based access control policies.
Examples
# Display information about the certificate attribute-based access control policy named mypolicy.
<Sysname> display pki certificate access-control-policy mypolicy
access-control-policy name: mypolicy
rule 1 deny mygroup1
rule 2 permit mygroup2
Table 2 Output description
Field | Description |
---|---|
access-control-policy name | Name of the certificate attribute-based access control policy |
rule number | Number of the access control rule, followed by its action (deny or permit) and the certificate attribute group it references |
display pki certificate attribute-group
Syntax
display pki certificate attribute-group { group-name | all } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
group-name: Name of a certificate attribute group, a string of 1 to 16 characters.
all: Specifies all certificate attribute groups.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display pki certificate attribute-group command to display information about one or all certificate attribute groups.
Examples
# Display information about certificate attribute group mygroup.
<Sysname> display pki certificate attribute-group mygroup
attribute group name: mygroup
attribute 1 subject-name dn ctn abc
attribute 2 issuer-name fqdn nctn app
Table 3 Output description
Field | Description |
---|---|
attribute group name | Name of the certificate attribute group |
attribute number | Number of the attribute rule |
subject-name | Name of the certificate subject |
dn | DN of the entity |
ctn | Indicates the contain operation |
abc | Value of attribute 1 |
issuer-name | Name of the certificate issuer |
fqdn | FQDN of the entity |
nctn | Indicates the not-contain operation |
app | Value of attribute 2 |
display pki crl domain
Syntax
display pki crl domain domain-name [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display pki crl domain command to display the locally saved CRLs.
Related commands: pki domain and pki retrieval-crl.
Examples
# Display the locally saved CRLs.
<Sysname> display pki crl domain 1
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer:
C=CN
O=abc
OU=soft
CN=A Test Root
Last Update: Jan 5 08:44:19 2004 GMT
Next Update: Jan 5 21:42:13 2004 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC
Revoked Certificates:
Serial Number: 05a234448E…
Revocation Date: Sep 6 12:33:22 2004 GMT
CRL entry extensions:…
Serial Number: 05a278445E…
Revocation Date: Sep 7 12:33:22 2004 GMT
CRL entry extensions:…
Table 4 Output description
Field | Description |
---|---|
Version | Version of the CRL |
Signature Algorithm | Signature algorithm used by the CRL |
Issuer | CA issuing the CRL |
Last Update | Last update time |
Next Update | Next update time |
CRL extensions | Extensions of the CRL |
X509v3 Authority Key Identifier | Identifies the CA key that signed the CRL. The certificate version is X.509 v3. |
keyid | ID of the public key. A CA might have multiple key pairs; this field indicates the key pair whose private key signed the CRL. |
Revoked Certificates | Revoked certificates |
Serial Number | Serial number of the revoked certificate |
Revocation Date | Revocation date of the certificate |
CRL entry extensions | Attributes of CRL entry extensions |
fqdn
Syntax
fqdn name-str
undo fqdn
View
PKI entity view
Default level
2: System level
Parameters
name-str: Fully qualified domain name (FQDN) of an entity, a case-insensitive string of 1 to 127 characters.
Description
Use the fqdn command to configure the FQDN of an entity.
Use the undo fqdn command to remove the configuration.
By default, no FQDN is specified for an entity.
An FQDN is the unique identifier of an entity on a network. It consists of a host name and a domain name and can be resolved into an IP address.
Examples
# Configure the FQDN of an entity as pki.domain-name.com.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] fqdn pki.domain-name.com
ip (PKI entity view)
Syntax
ip ip-address
undo ip
View
PKI entity view
Default level
2: System level
Parameters
ip-address: IP address for an entity.
Description
Use the ip command to configure the IP address of an entity.
Use the undo ip command to remove the configuration.
By default, no IP address is specified for an entity.
Examples
# Configure the IP address of an entity as 11.0.0.1.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] ip 11.0.0.1
ldap-server
Syntax
ldap-server ip ip-address [ port port-number ] [ version version-number ]
undo ldap-server
View
PKI domain view
Default level
2: System level
Parameters
ip-address: IP address of the LDAP server, in dotted decimal format.
port-number: Port number of the LDAP server, in the range 1 to 65535. The default is 389.
version-number: LDAP version number, either 2 or 3. By default, it is 2.
Description
Use the ldap-server command to specify an LDAP server for a PKI domain.
Use the undo ldap-server command to remove the configuration.
By default, no LDAP server is specified for a PKI domain.
Examples
# Specify an LDAP server for PKI domain 1.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] ldap-server ip 169.254.0.30
locality
Syntax
locality locality-name
undo locality
View
PKI entity view
Default level
2: System level
Parameters
locality-name: Name for the geographical locality, a case-insensitive string of 1 to 31 characters. No comma can be included.
Description
Use the locality command to configure the geographical locality of an entity, which can be, for example, a city name.
Use the undo locality command to remove the configuration.
By default, no geographical locality is specified for an entity.
Examples
# Configure the locality of an entity as city.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] locality city
organization
Syntax
organization org-name
undo organization
View
PKI entity view
Default level
2: System level
Parameters
org-name: Organization name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Description
Use the organization command to configure the name of the organization to which the entity belongs.
Use the undo organization command to remove the configuration.
By default, no organization name is specified for an entity.
Examples
# Configure the name of the organization to which an entity belongs as test-lab.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] organization test-lab
organization-unit
Syntax
organization-unit org-unit-name
undo organization-unit
View
PKI entity view
Default level
2: System level
Parameters
org-unit-name: Organization unit name for distinguishing different units in an organization, a case-insensitive string of 1 to 31 characters. No comma can be included.
Description
Use the organization-unit command to specify the name of the organization unit to which this entity belongs.
Use the undo organization-unit command to remove the configuration.
By default, no organization unit name is specified for an entity.
Examples
# Configure the name of the organization unit to which an entity belongs as group1.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] organization-unit group1
pki certificate access-control-policy
Syntax
pki certificate access-control-policy policy-name
undo pki certificate access-control-policy { policy-name | all }
View
System view
Default level
2: System level
Parameters
policy-name: Name of the certificate attribute-based access control policy, a case-insensitive string of 1 to 16 characters. It cannot be “a”, “al”, or “all”.
all: Specifies all certificate attribute-based access control policies.
Description
Use the pki certificate access-control-policy command to create a certificate attribute-based access control policy and enter its view.
Use the undo pki certificate access-control-policy command to remove one or all certificate attribute-based access control policies.
No access control policy exists by default.
Examples
# Configure an access control policy named mypolicy and enter its view.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy]
pki certificate attribute-group
Syntax
pki certificate attribute-group group-name
undo pki certificate attribute-group { group-name | all }
View
System view
Default level
2: System level
Parameters
group-name: Name for the certificate attribute group, a case-insensitive string of 1 to 16 characters. It cannot be “a”, “al”, or “all”.
all: Specifies all certificate attribute groups.
Description
Use the pki certificate attribute-group command to create a certificate attribute group and enter its view.
Use the undo pki certificate attribute-group command to delete one or all certificate attribute groups.
By default, no certificate attribute group exists.
Examples
# Create a certificate attribute group named mygroup and enter its view.
<Sysname> system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup]
pki delete-certificate
Syntax
pki delete-certificate { ca | local } domain domain-name
View
System view
Default level
2: System level
Parameters
ca: Deletes the locally stored CA certificate.
local: Deletes the locally stored local certificate.
domain-name: Name of the PKI domain whose certificates will be deleted, a string of 1 to 15 characters.
Description
Use the pki delete-certificate command to delete the certificate locally stored for a PKI domain.
Examples
# Delete the local certificate for PKI domain cer.
<Sysname> system-view
[Sysname] pki delete-certificate local domain cer
pki domain
Syntax
pki domain domain-name
undo pki domain domain-name
View
System view
Default level
2: System level
Parameters
domain-name: PKI domain name, a case-insensitive string of 1 to 15 characters.
Description
Use the pki domain command to create a PKI domain and enter PKI domain view or enter the view of an existing PKI domain.
Use the undo pki domain command to remove a PKI domain.
By default, no PKI domain exists.
Examples
# Create a PKI domain and enter its view.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1]
pki entity
Syntax
pki entity entity-name
undo pki entity entity-name
View
System view
Default level
2: System level
Parameters
entity-name: Name for the entity, a case-insensitive string of 1 to 15 characters.
Description
Use the pki entity command to create a PKI entity and enter its view.
Use the undo pki entity command to remove a PKI entity.
By default, no entity exists.
You can configure a variety of attributes for an entity in PKI entity view. An entity is intended only for convenience of reference by other commands.
Examples
# Create a PKI entity named en and enter its view.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en]
pki import-certificate
Syntax
pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]
View
System view
Default level
2: System level
Parameters
ca: Specifies the CA certificate.
local: Specifies the local certificate.
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
der: Specifies the certificate format of DER.
p12: Specifies the certificate format of P12.
pem: Specifies the certificate format of PEM.
filename filename: Specifies the name of the certificate file to import, a case-insensitive string of 1 to 127 characters. If you do not specify a file name, the default is domain-name_ca.cer for a CA certificate, domain-name_local.cer for a local certificate, or domain-name_peerentity_entity-name.cer for a peer entity certificate.
Description
Use the pki import-certificate command to import a CA certificate or local certificate from a file and save it locally.
Related commands: pki domain.
Examples
# Import the CA certificate for PKI domain cer in the format of PEM.
<Sysname> system-view
[Sysname] pki import-certificate ca domain cer pem
pki request-certificate domain
Syntax
pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]
View
System view
Default level
2: System level
Parameters
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters.
pkcs10: Displays the BASE64-encoded PKCS#10 certificate request, which can be used to request a certificate by an out-of-band means, such as phone, disk, or email.
filename filename: Specifies the name of the local file for saving the PKCS#10 certificate request, a case-insensitive string of 1 to 127 characters.
Description
Use the pki request-certificate domain command to request a local certificate from a CA through SCEP. If SCEP fails, you can use the pkcs10 keyword to print the request information in BASE64 format, or use the pkcs10 filename filename option to save the request information to a local file and send the file to the CA by an out-of-band means.
This operation will not be saved in the configuration file.
Related commands: pki domain.
Examples
# Display the PKCS#10 certificate request information.
<Sysname> system-view
[Sysname] pki request-certificate domain 1 pkcs10
-----BEGIN CERTIFICATE REQUEST-----
MIIBTDCBtgIBADANMQswCQYDVQQDEwJqajCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAw5Drj8ofs9THA4ezkDcQPBy8pvH1kumampPsJmx8sGG52NFtbrDTnTT5
ALx3LJijB3d/ndKpcHT/DfbJVDCn5gdw32tBZyCkEwMHZN3ol2z7Nvdu5TED6iN8
4m+hfp1QWoV6lty3o9pxAXuQl8peUDcfN6WV3LBXYyl1WCtkLkECAwEAAaAAMA0G
CSqGSIb3DQEBBAUAA4GBAA8E7BaIdmT6NVCZgv/I/1tqZH3TS4e4H9Qo5NiCKiEw
R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ
JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIqVsa1lQOHS7YMvnop6hXAQlkM4c
-----END CERTIFICATE REQUEST-----
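Before a PKCS#10 request printed by pki request-certificate is handed to a CA out of band, it is worth confirming what it actually asks for. The following is an added Python example (not part of this reference and not the device's code) that decodes the request shown above with a minimal DER walker written for this page, using only the standard library, and reports the subject, key size and signature algorithm; the OID table and the "weak" thresholds in review_csr are this example's own choices.

```python
import base64

# The PKCS#10 request exactly as printed by "pki request-certificate domain 1 pkcs10"
# in the example above; nothing in it is constructed here.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBTDCBtgIBADANMQswCQYDVQQDEwJqajCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAw5Drj8ofs9THA4ezkDcQPBy8pvH1kumampPsJmx8sGG52NFtbrDTnTT5
ALx3LJijB3d/ndKpcHT/DfbJVDCn5gdw32tBZyCkEwMHZN3ol2z7Nvdu5TED6iN8
4m+hfp1QWoV6lty3o9pxAXuQl8peUDcfN6WV3LBXYyl1WCtkLkECAwEAAaAAMA0G
CSqGSIb3DQEBBAUAA4GBAA8E7BaIdmT6NVCZgv/I/1tqZH3TS4e4H9Qo5NiCKiEw
R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ
JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIqVsa1lQOHS7YMvnop6hXAQlkM4c
-----END CERTIFICATE REQUEST-----"""

OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def der_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Split the contents of a constructed type into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw: bytes) -> str:
    """Dotted OID from its DER contents: first octet packs two arcs, the rest are base-128."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def oid_name(raw: bytes) -> str:
    oid = decode_oid(raw)
    return OID_NAMES.get(oid, oid)


def parse_csr(pem: str) -> dict:
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    tag, csr, _ = der_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # CertificationRequest ::= SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature }
    (_, info), (_, sig_alg), (_, _signature) = der_children(csr)
    (_, version), (_, subject), (_, spki), (_, _attrs) = der_children(info)
    rdns = []
    for _, rdn_set in der_children(subject):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn_set):
            (_, oid), (_, val) = der_children(atv)
            rdns.append(f"{oid_name(oid)}={val.decode('ascii')}")
    (_, key_alg), (_, key_bits) = der_children(spki)
    (_, key_oid), *_ = der_children(key_alg)
    _, rsa_key, _ = der_tlv(key_bits, 1)  # skip the BIT STRING's unused-bits octet
    (_, modulus), (_, exponent) = der_children(rsa_key)  # RSAPublicKey ::= SEQUENCE { n, e }
    (_, sig_oid), *_ = der_children(sig_alg)
    return {
        "version": int.from_bytes(version, "big"),
        "subject": ",".join(rdns),
        "key_algorithm": oid_name(key_oid),
        "modulus_bits": int.from_bytes(modulus, "big").bit_length(),
        "public_exponent": int.from_bytes(exponent, "big"),
        "signature_algorithm": oid_name(sig_oid),
    }


def review_csr(info: dict) -> list:
    """Points to fix before submitting the request: short keys and weak request signatures."""
    warnings = []
    if info["modulus_bits"] < 2048:
        warnings.append(f"RSA modulus is {info['modulus_bits']} bits; use key-length 2048")
    if info["signature_algorithm"] in WEAK_SIGNATURES:
        warnings.append(f"request is self-signed with {info['signature_algorithm']}")
    return warnings


if __name__ == "__main__":
    details = parse_csr(CSR_PEM)
    print(details)
    for warning in review_csr(details):
        print("WARNING:", warning)
```

Run against the request above, the parser reports subject CN=jj, a 1024-bit RSA key with public exponent 65537, and an md5WithRSAEncryption self-signature, so both review warnings fire; the same check on a request generated with key-length 2048 would clear the first.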
pki retrieval-certificate
Syntax
pki retrieval-certificate { ca | local } domain domain-name
View
System view
Default level
2: System level
Parameters
ca: Retrieves the CA certificate.
local: Retrieves the local certificate.
domain-name: Name of the PKI domain used for certificate request.
Description
Use the pki retrieval-certificate command to retrieve a certificate from the server for certificate distribution.
Related commands: pki domain.
Examples
# Retrieve the CA certificate from the certificate issuing server.
<Sysname> system-view
[Sysname] pki retrieval-certificate ca domain 1
pki retrieval-crl domain
Syntax
pki retrieval-crl domain domain-name
View
System view
Default level
2: System level
Parameters
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
Description
Use the pki retrieval-crl domain command to retrieve the latest CRLs from the server for CRL distribution.
CRLs help verify the validity of certificates.
Related commands: pki domain.
Examples
# Retrieve CRLs.
<Sysname> system-view
[Sysname] pki retrieval-crl domain 1
pki validate-certificate
Syntax
pki validate-certificate { ca | local } domain domain-name
View
System view
Default level
2: System level
Parameters
ca: Verifies the CA certificate.
local: Verifies the local certificate.
domain-name: Name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters.
Description
Use the pki validate-certificate command to verify the validity of a certificate.
Certificate validation checks that the certificate was signed by the CA and that it has neither expired nor been revoked.
Related commands: pki domain.
Examples
# Verify the validity of the local certificate.
<Sysname> system-view
[Sysname] pki validate-certificate local domain 1
root-certificate fingerprint
Syntax
root-certificate fingerprint { md5 | sha1 } string
undo root-certificate fingerprint
View
PKI domain view
Default level
2: System level
Parameters
md5: Uses an MD5 fingerprint.
sha1: Uses a SHA1 fingerprint.
string: Fingerprint to be used. An MD5 fingerprint must be a string of 32 characters in hexadecimal. A SHA1 fingerprint must be a string of 40 characters in hexadecimal.
Description
Use the root-certificate fingerprint command to configure the fingerprint used to verify the CA root certificate.
Use the undo root-certificate fingerprint command to remove the configuration.
By default, no fingerprint is configured for verifying the validity of the CA root certificate.
Obtain the fingerprint from the CA operator over a trusted out-of-band channel, not from the same server the certificate is retrieved from: the SCEP download itself is unauthenticated, so this comparison is what establishes trust in the CA certificate. Prefer sha1 over md5, which is collision-prone.
Examples
# Configure an MD5 fingerprint for verifying the validity of the CA root certificate.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E
# Configure a SHA1 fingerprint for verifying the validity of the CA root certificate.
[Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
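How the value for this command is obtained and checked, as an added Python example (not part of this reference and not the device's code): the fingerprint is the hash of the DER encoding of the CA certificate, so a PEM file must be base64-decoded before hashing, and the comparison follows the command's own format rule of 32 or 40 hexadecimal characters. SAMPLE_DER and SAMPLE_PEM are constructed stand-ins for a real certificate file; the constant-time comparison is this example's choice.

```python
import base64
import hashlib
import hmac

FINGERPRINT_LENGTH = {"md5": 32, "sha1": 40}  # hex digits the command accepts


def load_certificate(data: bytes) -> bytes:
    """Return DER bytes. PEM input (the pem format of pki import-certificate) is
    base64-decoded first; hashing the PEM text itself gives the wrong fingerprint."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(line for line in data.splitlines() if not line.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def fingerprint(der: bytes, algorithm: str) -> str:
    """Upper-case hex digest of the DER certificate, as a CA operator would publish it."""
    if algorithm not in FINGERPRINT_LENGTH:
        raise ValueError("root-certificate fingerprint accepts md5 or sha1 only")
    return hashlib.new(algorithm, der).hexdigest().upper()


def verify_root_fingerprint(der: bytes, algorithm: str, configured: str) -> bool:
    """Mirror of the check made against the configured fingerprint string."""
    configured = configured.strip().upper()
    expected_len = FINGERPRINT_LENGTH[algorithm]
    if len(configured) != expected_len or any(c not in "0123456789ABCDEF" for c in configured):
        raise ValueError(f"{algorithm} fingerprint must be {expected_len} hexadecimal characters")
    # Constant-time comparison against the value obtained out of band from the CA operator.
    return hmac.compare_digest(fingerprint(der, algorithm), configured)


# Constructed stand-ins: a real check hashes the whole DER-encoded CA certificate.
SAMPLE_DER = b"abc"
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    der = load_certificate(SAMPLE_PEM)
    for algo in ("md5", "sha1"):
        print(f"root-certificate fingerprint {algo} {fingerprint(der, algo)}")
    print(verify_root_fingerprint(der, "sha1", fingerprint(der, "sha1").lower()))
```

On a workstation, openssl x509 -in ca.pem -noout -fingerprint -sha1 prints the same digest with colon separators; strip the colons before entering it, since the command expects a bare 40-character hexadecimal string.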
rule (PKI CERT ACP view)
Syntax
rule [ id ] { deny | permit } group-name
undo rule { id | all }
View
PKI certificate access control policy view
Default level
2: System level
Parameters
id: Number of the certificate attribute access control rule, in the range 1 to 16. The default is the smallest unused number in this range.
deny: Indicates that a certificate whose attributes match an attribute rule in the specified attribute group is considered invalid and denied.
permit: Indicates that a certificate whose attributes match an attribute rule in the specified attribute group is considered valid and permitted.
group-name: Name of the certificate attribute group to be associated with the rule, a case-insensitive string of 1 to 16 characters. It cannot be “a”, “al”, or “all”.
all: Specifies all access control rules.
Description
Use the rule command to create a certificate attribute access control rule.
Use the undo rule command to delete one or all access control rules.
By default, no access control rule exists.
A certificate attribute group must exist to be associated with a rule.
Examples
# Create an access control rule, specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group mygroup.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup
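The evaluation that the attribute command, the pki certificate attribute-group command and the rule command together describe, as an added Python example (not part of this reference and not the device's code): attribute rules compare one certificate name field with a case-insensitive value using ctn, equ, nctn or nequ; a policy walks its rules in id order and the first rule whose attribute group matches decides. The page's wording that a certificate "matches an attribute rule in the specified attribute group" is implemented as any-rule matching, and denying a certificate that matches no rule is an assumption of this example. The first certificate's names are taken from the display pki certificate local sample output on this page; the other two and the policy are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Names:
    """Name fields a rule can test. The alternative subject name (SubjectAltName)
    has fqdn and ip only; as the page notes, it carries no DN."""
    dn: str = ""
    fqdn: str = ""
    ip: str = ""


@dataclass
class Certificate:
    subject: Names
    issuer: Names
    alt_subject: Names


@dataclass
class AttributeRule:  # attribute id name kind op value
    id: int
    name: str   # subject-name | issuer-name | alt-subject-name
    kind: str   # dn | fqdn | ip
    op: str     # ctn | equ | nctn | nequ
    value: str


Policy = List[Tuple[int, str, str]]  # (rule id, deny|permit, attribute group name)


def rule_matches(rule: AttributeRule, cert: Certificate) -> bool:
    if rule.name == "alt-subject-name" and rule.kind == "dn":
        raise ValueError("dn is not available for alt-subject-name")
    names = {"subject-name": cert.subject, "issuer-name": cert.issuer,
             "alt-subject-name": cert.alt_subject}[rule.name]
    actual, wanted = getattr(names, rule.kind).lower(), rule.value.lower()  # case-insensitive
    return {"ctn": wanted in actual, "equ": actual == wanted,
            "nctn": wanted not in actual, "nequ": actual != wanted}[rule.op]


def group_matches(group: List[AttributeRule], cert: Certificate) -> bool:
    """One matching attribute rule is enough, following the page's wording."""
    return any(rule_matches(r, cert) for r in group)


def evaluate(policy: Policy, groups: Dict[str, List[AttributeRule]],
             cert: Certificate) -> Tuple[str, Optional[int]]:
    """First rule (by id) whose group matches decides; no match is denied (assumed)."""
    for rule_id, action, group_name in sorted(policy):
        if group_matches(groups[group_name], cert):
            return action, rule_id
    return "deny", None


# Constructed configuration, modelled on the examples on this page.
GROUPS = {
    "mygroup1": [AttributeRule(1, "subject-name", "dn", "ctn", "abc"),
                 AttributeRule(2, "alt-subject-name", "ip", "equ", "10.0.0.1")],
    "mygroup2": [AttributeRule(1, "issuer-name", "dn", "ctn", "CN=new-ca")],
}
POLICY: Policy = [(1, "deny", "mygroup1"), (2, "permit", "mygroup2")]

# Names from the "display pki certificate local domain 1" sample output on this page.
CERT_FROM_PAGE = Certificate(
    subject=Names(dn="C=CN,ST=Country B,L=City Y,CN=pki test"),
    issuer=Names(dn="C=CN,ST=Country A,L=City X,O=abc,OU=bjs,CN=new-ca"),
    alt_subject=Names(fqdn="hyf.xxyyzz.net"))
# Constructed: same CA, but a subject the deny group catches before the permit rule runs.
CERT_ROGUE = Certificate(
    subject=Names(dn="C=CN,O=ABC,CN=rogue"),
    issuer=Names(dn="C=CN,ST=Country A,L=City X,O=abc,OU=bjs,CN=new-ca"),
    alt_subject=Names(ip="10.0.0.1"))
# Constructed: issued by an unrelated CA, matches no rule at all.
CERT_UNKNOWN_CA = Certificate(
    subject=Names(dn="CN=someone"), issuer=Names(dn="CN=other-ca"), alt_subject=Names())

if __name__ == "__main__":
    for label, cert in [("page", CERT_FROM_PAGE), ("rogue", CERT_ROGUE),
                        ("unknown-ca", CERT_UNKNOWN_CA)]:
        print(label, evaluate(POLICY, GROUPS, cert))
```

Two points the run makes visible: rule order matters, because the deny rule with the lower id is consulted first, and an nctn or nequ rule matches a certificate whose corresponding field is absent (an empty issuer FQDN is "not equal" to anything), so negative rules in a permit group are broader than they look.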
state
Syntax
state state-name
undo state
View
PKI entity view
Default level
2: System level
Parameters
state-name: State or province name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Description
Use the state command to specify the name of the state or province where an entity resides.
Use the undo state command to remove the configuration.
By default, no state or province is specified.
Examples
# Specify the state where an entity resides.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] state country