
Configuration prerequisites, Configuration guidelines, Configuration procedure – H3C Technologies H3C S6300 Series Switches User Manual


Configuration prerequisites

Before you obtain local or peer certificates in online mode, specify the LDAP server for the PKI domain.

Before you obtain local or peer certificates in offline mode, complete the following tasks:

Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or TFTP is not available, display the certificate contents and copy them into a file on the device. In that case the certificate must be in PEM format, because only PEM-format certificates can be imported this way.

To import a local or peer certificate, a CA certificate chain must already exist in the PKI domain, or be carried in the local or peer certificate itself. If neither is the case, obtain the CA certificate chain first.

To import a local certificate that contains an encrypted key pair, you must provide the challenge password. Contact the CA server administrator if necessary.

Configuration guidelines

If a CA certificate already exists locally, you cannot obtain it again in online mode. To obtain a new one, use pki delete-certificate to remove the CA certificate and the local certificates, and then obtain the CA certificate again.

If a PKI domain already has local or peer certificates, you can still perform the obtain operation; the newly obtained local or peer certificates overwrite the existing ones. If RSA is used, a PKI domain can have two local certificates, one for signature and the other for encryption.

If CRL checking is enabled, CRL checking is triggered when you obtain a certificate. If the certificate to be obtained has been revoked, it cannot be obtained.

The device compares the validity period of a certificate with its local system time to determine whether the certificate is valid. Make sure the system time of the device is synchronized with the CA server.
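The prerequisite and guideline checks above (file is in PEM format, the local or peer certificate file carries its CA chain, the validity period covers the device's system time) can be run on a workstation before the file is uploaded, so that a rejected import is not discovered on the switch. The script below is an added example and is not part of the H3C manual or any H3C tool. It uses only the Python standard library; its function names are this example's own; and the "certificate" it checks is a constructed, unsigned placeholder that follows the RFC 5280 TBSCertificate field order with empty issuer, subject and key fields, so the script verifies file layout and dates only. Signature, chain and CRL checking are not done here and remain the device's job.

```python
"""Pre-upload checks for certificate files (added example, not H3C code; stdlib only)."""
import base64
import datetime as dt
import ssl

UTC = dt.timezone.utc


def der_tlv(buf, off):
    """Return (tag, content_start, content_end) for the DER element at buf[off]."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def der_children(buf, start, end):
    """Yield (tag, content_start, content_end) for each element inside buf[start:end]."""
    off = start
    while off < end:
        tag, cs, ce = der_tlv(buf, off)
        yield tag, cs, ce
        off = ce


def parse_asn1_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) in the 'Z' form RFC 5280 requires."""
    s = raw.decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ, two-digit year pivots at 1950
        yy = int(s[:2])
        year, rest = yy + (1900 if yy >= 50 else 2000), s[2:]
    elif tag == 0x18:                       # YYYYMMDDHHMMSSZ
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    month, day, hour, minute, second = [int(rest[i:i + 2]) for i in range(0, 10, 2)]
    return dt.datetime(year, month, day, hour, minute, second, tzinfo=UTC)


def cert_validity(der):
    """Extract (notBefore, notAfter) from a DER-encoded Certificate (RFC 5280 layout)."""
    _, cert_s, _ = der_tlv(der, 0)                      # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = der_tlv(der, cert_s)              # tbsCertificate SEQUENCE
    fields = list(der_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    _, val_s, val_e = fields[3]                         # serial, signature, issuer, validity
    (t0, s0, e0), (t1, s1, e1) = list(der_children(der, val_s, val_e))[:2]
    return parse_asn1_time(t0, der[s0:e0]), parse_asn1_time(t1, der[s1:e1])


def split_pem(text):
    """Return the (label, der_bytes) blocks of a PEM file; [] if the text is not PEM."""
    blocks, label, lines = [], None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            label, lines = line[11:-5], []
        elif line.startswith("-----END ") and label is not None:
            blocks.append((label, base64.b64decode("".join(lines))))
            label = None
        elif label is not None and line:
            lines.append(line)
    return blocks


def ensure_pem(data):
    """'pki import ... pem' needs PEM; a raw DER file is converted with the stdlib."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return data.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(data)


def check_bundle(data, device_now):
    """Check one file: PEM layout, number of certificates (>= 2 means the chain is carried),
    and whether each validity period covers the DEVICE clock, which is what the switch compares."""
    pem = ensure_pem(data)
    certs = [der for label, der in split_pem(pem) if label == "CERTIFICATE"]
    report = {"format": "PEM", "certificates": len(certs), "carries_chain": len(certs) >= 2, "valid": []}
    for der in certs:
        not_before, not_after = cert_validity(der)
        report["valid"].append(not_before <= device_now <= not_after)
    return report


# ---- constructed sample input (placeholder structure, NOT a real or signed certificate) ----
def der(tag, content):
    """Minimal DER encoder used only to build the sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_certificate_der(not_before, not_after):
    """TBSCertificate field order of RFC 5280 with empty placeholders; signature is a dummy."""
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                                   # [0] version v3
        der(0x02, b"\x01"),                                              # serialNumber
        der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSAEncryption
        der(0x30, b""),                                                  # issuer (placeholder)
        der(0x30, utc(not_before) + utc(not_after)),                     # validity
        der(0x30, b""),                                                  # subject (placeholder)
        der(0x30, b""),                                                  # subjectPublicKeyInfo (placeholder)
    ]))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


NOT_BEFORE = dt.datetime(2024, 1, 1, tzinfo=UTC)
NOT_AFTER = dt.datetime(2025, 1, 1, tzinfo=UTC)


def demo():
    """Leaf plus CA in one PEM file, checked against an in-range and a lagging device clock."""
    leaf = sample_certificate_der(NOT_BEFORE, NOT_AFTER)
    ca = sample_certificate_der(NOT_BEFORE - dt.timedelta(days=365), NOT_AFTER + dt.timedelta(days=3650))
    bundle = (ssl.DER_cert_to_PEM_cert(leaf) + ssl.DER_cert_to_PEM_cert(ca)).encode()
    in_time = check_bundle(bundle, dt.datetime(2024, 6, 1, tzinfo=UTC))
    clock_behind = check_bundle(bundle, dt.datetime(2023, 6, 1, tzinfo=UTC))
    return in_time, clock_behind


if __name__ == "__main__":
    print(demo())
```

The second report in demo() is the failure mode the guideline warns about: with the device clock a year behind, the leaf certificate is reported as not yet valid while the CA certificate still passes, which is exactly the import that would be refused on the switch until its time is synchronized with the CA server.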

Configuration procedure

To obtain certificates:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Import or obtain certificates.
  To import certificates in offline mode:
  pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] }
  To obtain certificates in online mode:
  pki retrieve-certificate domain domain-name { ca | local | peer entity-name }
  Remarks: The pki retrieve-certificate command is not saved in the configuration file.