Solution, Failed to obtain local certificates, Symptom – H3C Technologies H3C S6300 Series Switches User Manual
Page 227: Analysis
212
•
The fingerprint information is illegal.
Solution
1.
Make sure the network connection is physically proper.
2.
Verify that the required configurations are correct.
3.
Use ping to verify that the registration server is reachable.
4.
Synchronize the system time of the device with the CA server.
5.
Specify the correct source IP address for PKI protocol packets that the CA server can accept.
6.
Verify the fingerprint information on the CA server.
Failed to obtain local certificates
Symptom
No local certificates can be obtained.
Analysis
•
The network connection is down.
•
No CA certificate has been obtained before you try to obtain local certificates.
•
The LDAP server is not configured or is incorrectly configured.
•
No key pair is specified for the PKI domain for certificate request, or the specified key pair does not
match the local certificates to the obtained.
•
The PKI domain does not reference the PKI entity configuration, or the PKI entity configuration is
incorrect.
•
CRL checking is enabled, but CRLs do not exist locally or CRLs cannot be obtained.
•
The PKI domain is not specified with the source IP address of the PKI protocol packets that the CA
server can accept, or it is specified with an incorrect one.
•
The system time of the device is not synchronized with the CA server.
Solution
1.
Make sure the network connection is physically proper.
2.
Obtain or import the CA certificate.
3.
Configure the correct LDAP server.
4.
Specify the key pair used for certificate request in the PKI domain, generate the proper key pair,
and make sure it matches the local certificates to the obtained.
5.
Reference the proper PKI entity in the PKI domain, and correctly configure the PKI entity.
6.
Obtain CRLs.
7.
Specify the correct source IP address for PKI protocol packets that the CA server can accept. For
the correct settings, contact the CA server administrator.
8.
Synchronize the system time of the device with the CA server.