07-Security Command Reference

09-PKI Commands

PKI configuration commands

attribute

Use attribute to configure an attribute rule for the certificate issuer name, the certificate subject name, or the alternative certificate subject name.

Use undo attribute to delete the attribute rules of one or all certificates.

Syntax

attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ} attribute-value

undo attribute { id | all }

Default

No restrictions exist on the issuer name, subject name, and alternative subject name of a certificate.

Views

Certificate attribute group view

Default command level

2: System level

Parameters

id: Specifies a certificate attribute rule by its sequence number, in the range of 1 to 16.

alt-subject-name: Specifies the name of the alternative certificate subject.

fqdn: Specifies the FQDN of the entity.

ip: Specifies the IP address of the entity.

issuer-name: Specifies the name of the certificate issuer.

subject-name: Specifies the name of the certificate subject.

dn: Specifies the distinguished name of the entity.

ctn: Specifies the contain operation.

equ: Specifies the equal operation.

nctn: Specifies the not-contain operation.

nequ: Specifies the not-equal operation.

attribute-value: Specifies the value of the certificate attribute, a case-insensitive string of 1 to 128 characters.

all: Specifies all certificate attributes.

Usage guidelines

The alternative certificate subject name is not expressed as a distinguished name, so the dn keyword is not available with alt-subject-name.

Examples

# Create a certificate attribute rule, specifying that the DN in the subject name includes the string of abc.

<Sysname> system-view

[Sysname] pki certificate attribute-group mygroup

[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc

# Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string of abc.

[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc

# Create a certificate attribute rule, specifying that the IP address in the alternative subject name cannot be 10.0.0.1.

[Sysname-pki-cert-attribute-group-mygroup] attribute 3 alt-subject-name ip nequ 10.0.0.1
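The following Python is an added reference model of how the four operators (ctn, equ, nctn, nequ) decide whether a certificate matches an attribute rule, how rules make up an attribute group, and how a certificate access control policy applies groups in rule order (the form later shown by display pki certificate access-control-policy). It is editorial example code, not H3C code. The case-insensitive comparison, the id range 1 to 16, the 1 to 128 character value length and the dn restriction come from this page; everything marked ASSUMPTION (any-match for positive operators, all-rules-must-match for a group, deny when no rule matches, and the flat-string representation of certificate fields) is a modeling choice the page does not spell out. The three rules above are reused as mygroup2; the certificates and mygroup1 are constructed.

```python
"""Reference model of H3C certificate attribute rules and access control policies.
Added editorial example, not vendor code. Lines marked ASSUMPTION are modeling
choices the command reference does not spell out."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int    # sequence number, 1..16
    name: str       # "issuer-name" | "subject-name" | "alt-subject-name"
    kind: str       # "dn" | "fqdn" | "ip"
    op: str         # "ctn" | "equ" | "nctn" | "nequ"
    value: str      # attribute-value, 1..128 characters, compared case-insensitively

    def __post_init__(self):
        if not 1 <= self.rule_id <= 16:
            raise ValueError("attribute id must be 1..16")
        if self.name == "alt-subject-name" and self.kind == "dn":
            raise ValueError("dn is not available with alt-subject-name")
        if not 1 <= len(self.value) <= 128:
            raise ValueError("attribute-value must be 1..128 characters")


def operator_matches(op, candidates, value):
    """Apply one operator to every string the certificate carries for a field.
    ASSUMPTION: ctn/equ succeed if any candidate matches; nctn/nequ succeed only
    if no candidate matches, so a SAN listing several IPs cannot slip one through."""
    v = value.lower()
    cands = [c.lower() for c in candidates]
    if op == "ctn":
        return any(v in c for c in cands)
    if op == "equ":
        return any(v == c for c in cands)
    if op == "nctn":
        return all(v not in c for c in cands)
    if op == "nequ":
        return all(v != c for c in cands)
    raise ValueError(f"unknown operator {op}")


def rule_matches(rule, cert):
    """cert maps (name, kind) to the strings the device would compare,
    e.g. ("subject-name", "dn") -> ["C=CN,O=abc,CN=pki test"]  (ASSUMPTION)."""
    return operator_matches(rule.op, cert.get((rule.name, rule.kind), []), rule.value)


def group_matches(group, cert):
    """ASSUMPTION: a certificate matches an attribute group only if every rule matches."""
    return all(rule_matches(r, cert) for r in group)


def evaluate_policy(policy, groups, cert):
    """policy: list of (rule_number, "permit" | "deny", group_name), the form shown by
    'display pki certificate access-control-policy'. Rules are tried in number order;
    the first matching rule decides. ASSUMPTION: no match means deny."""
    for number, action, group_name in sorted(policy):
        if group_matches(groups[group_name], cert):
            return action, number
    return "deny", None


# The three rules configured in the examples above, as attribute group mygroup2.
MYGROUP2 = [
    Rule(1, "subject-name", "dn", "ctn", "abc"),
    Rule(2, "issuer-name", "fqdn", "nequ", "abc"),
    Rule(3, "alt-subject-name", "ip", "nequ", "10.0.0.1"),
]
# Constructed deny group: refuse anything issued to a decommissioned lab unit.
MYGROUP1 = [Rule(1, "subject-name", "dn", "ctn", "OU=retired-lab")]
GROUPS = {"mygroup1": MYGROUP1, "mygroup2": MYGROUP2}
POLICY = [(1, "deny", "mygroup1"), (2, "permit", "mygroup2")]   # as displayed for mypolicy

# Constructed certificates reduced to the fields the rules can test (not from the page).
CERT_OK = {
    ("subject-name", "dn"): ["C=CN,O=ABC,CN=pki test"],      # "ABC" contains abc case-insensitively
    ("issuer-name", "fqdn"): ["ca.example.net"],
    ("alt-subject-name", "ip"): ["10.0.0.2", "192.0.2.7"],
}
CERT_BAD_IP = {**CERT_OK, ("alt-subject-name", "ip"): ["192.0.2.7", "10.0.0.1"]}
CERT_RETIRED = {**CERT_OK, ("subject-name", "dn"): ["C=CN,O=abc,OU=retired-lab,CN=old"]}

if __name__ == "__main__":
    for label, cert in (("ok", CERT_OK), ("bad ip", CERT_BAD_IP), ("retired", CERT_RETIRED)):
        print(label, evaluate_policy(POLICY, GROUPS, cert))
```

Because the comparison is case-insensitive and ctn is a plain substring test, a rule such as subject-name dn ctn abc also matches O=ABC and any DN containing abc inside a longer word; prefer equ, or anchor the value with the attribute type (OU=abc) when the group is meant to deny.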

ca identifier

Use ca identifier to specify the trusted CA and bind the device with the CA.

Use undo ca identifier to remove the configuration.

Syntax

ca identifier name

undo ca identifier

Default

No trusted CA is specified for a PKI domain.

Views

PKI domain view

Default command level

2: System level

Parameters

name: Specifies a trusted CA by its name, a case-sensitive string of 1 to 63 characters.

Usage guidelines

Certificate request, retrieval, revocation, and query depend on the trusted CA.

Examples

# Specify the trusted CA as new-ca.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] ca identifier new-ca

certificate request entity

Use certificate request entity to specify the entity for certificate request.

Use undo certificate request entity to remove the configuration.

Syntax

certificate request entity entity-name

undo certificate request entity

Default

No entity is specified for certificate request.

Views

PKI domain view

Default command level

2: System level

Parameters

entity-name: Specifies an entity for certificate request by the entity name, a case-insensitive string of 1 to 15 characters.

Examples

# Specify the entity for certificate request as entity1.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] certificate request entity entity1

Related commands

pki entity

certificate request from

Use certificate request from to specify the authority for certificate request.

Use undo certificate request from to remove the configuration.

Syntax

certificate request from { ca | ra }

undo certificate request from

Default

No authority is specified for certificate request.

Views

PKI domain view

Default command level

2: System level

Parameters

ca: Indicates that the entity requests a certificate from a CA.

ra: Indicates that the entity requests a certificate from an RA.

Examples

# Specify that the entity requests a certificate from the CA.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] certificate request from ca

certificate request mode

Use certificate request mode to set the certificate request mode.

Use undo certificate request mode to restore the default.

Syntax

certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual }

undo certificate request mode

Default

Manual mode is used.

Views

PKI domain view

Default command level

2: System level

Parameters

auto: Requests a certificate in auto mode.

key-length: Specifies the length of the RSA keys in bits, in the range of 512 to 2048. It is 1024 bits by default.

cipher: Sets a ciphertext password for certificate revocation.

simple: Sets a plaintext password for certificate revocation.

password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 31 characters. If cipher is specified, it must be a ciphertext string of 1 to 73 characters.

manual: Requests a certificate in manual mode.

Usage guidelines

In auto mode, an entity automatically requests a certificate from an RA or CA when it has no certificate. However, if the certificate will expire or has expired, the entity does not initiate a re-request automatically, in which case you need to request a new one manually. In manual mode, all operations associated with certificate request are performed manually.

For secrecy, all passwords, including passwords configured in plain text, are saved in cipher text.

Examples

# Specify to request a certificate in auto mode.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] certificate request mode auto

Related commands

pki request-certificate

certificate request polling

Use certificate request polling to specify the certificate request polling interval and attempt limit.

Use undo certificate request polling to restore the defaults.

Syntax

certificate request polling { count count | interval minutes }

undo certificate request polling { count | interval }

Default

The polling is executed every 20 minutes for up to 50 times.

Views

PKI domain view

Default command level

2: System level

Parameters

count count: Specifies the maximum number of attempts to poll the status of the certificate request, in the range of 1 to 100.

interval minutes: Specifies the polling interval in minutes, in the range of 5 to 168.

Usage guidelines

After an applicant makes a certificate request, the CA might need a long period of time if it verifies the certificate request manually. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.

Examples

# Set the polling interval to 15 minutes and the maximum number of attempts as 40.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] certificate request polling interval 15

[Sysname-pki-domain-1] certificate request polling count 40

Related commands

display pki certificate

certificate request url

Use certificate request url to specify the URL of the server for certificate request through SCEP.

Use undo certificate request url to remove the configuration.

Syntax

certificate request url url-string

undo certificate request url

Default

No URL is specified for a PKI domain.

Views

PKI domain view

Default command level

2: System level

Parameters

url-string: Specifies the URL of the server for certificate request, a case-insensitive string of 1 to 127 characters. It comprises the location of the server and the location of CGI command interface script in the format of http://server_location/ca_script_location, where server_location must be an IP address and does not support domain name resolution.

Examples

# Specify the URL of the server for certificate request.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll

common-name

Use common-name to configure the common name of an entity, which can be, for example, the user name.

Use undo common-name to remove the configuration.

Syntax

common-name name

undo common-name

Default

No common name is specified.

Views

PKI entity view

Default command level

2: System level

Parameters

name: Specifies the common name for an entity, a case-insensitive string of 1 to 31 characters. Commas cannot be included.

Examples

# Configure the common name of an entity as test.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] common-name test

country

Use country to specify the code of the country to which an entity belongs. It is a standard 2-character code. For example, CN represents China.

Use undo country to remove the configuration.

Syntax

country country-code-str

undo country

Default

No country code is specified.

Views

PKI entity view

Default command level

2: System level

Parameters

country-code-str: Specifies the country code for the entity, a case-insensitive string of two characters.

Examples

# Set the country code of an entity to CN.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] country CN

crl check

Use crl check to enable or disable CRL checking.

Syntax

crl check { disable | enable }

Default

CRL checking is enabled.

Views

PKI domain view

Default command level

2: System level

Parameters

disable: Disables CRL checking.

enable: Enables CRL checking.

Usage guidelines

CRLs are files issued by the CA to publish all certificates that have been revoked. Revocation of a certificate might occur before the certificate expires. CRL checking is intended for checking whether a certificate has been revoked. A revoked certificate is no longer trusted.

Examples

# Disable CRL checking.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] crl check disable

crl update-period

Use crl update-period to set the CRL update period, that is, the interval at which a PKI entity with a certificate downloads the latest CRL from the CRL distribution point (an LDAP or HTTP server).

Use undo crl update-period to restore the default.

Syntax

crl update-period hours

undo crl update-period

Default

The CRL update period depends on the next update field in the CRL file.

Views

PKI domain view

Default command level

2: System level

Parameters

hours: Specifies the CRL update period in hours, in the range of 1 to 720.

Examples

# Set the CRL update period to 20 hours.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] crl update-period 20

crl url

Use crl url to specify the URL of the CRL distribution point.

Use undo crl url to remove the configuration.

Syntax

crl url url-string

undo crl url

Default

No CRL distribution point URL is specified.

Views

PKI domain view

Default command level

2: System level

Parameters

url-string: Specifies the URL of the CRL distribution point, a case-insensitive string of 1 to 125 characters in the format of ldap://server_location or http://server_location, where server_location must be an IP address or a domain name.

Usage guidelines

When the URL of the CRL distribution point is not set, you should acquire the CA certificate and a local certificate, and then acquire a CRL through SCEP.

Examples

# Specify the URL of the CRL distribution point.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] crl url ldap://169.254.0.30

display pki certificate

Use display pki certificate to display the contents or request status of a certificate.

Syntax

display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

ca: Displays the CA certificate.

local: Displays the local certificate.

domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.

request-status: Displays the status of a certificate request.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display the local certificate.

<Sysname> display pki certificate local domain 1

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            10B7D4E3 00010000 0086

        Signature Algorithm: md5WithRSAEncryption

        Issuer:

            [email protected]

            C=CN

            ST=Country A

            L=City X

            O=abc

            OU=bjs

            CN=new-ca

        Validity

            Not Before: Jan 13 08:57:21 2004 GMT

            Not After : Jan 20 09:07:21 2005 GMT

        Subject:

            C=CN

            ST=Country B

            L=City Y

            CN=pki test

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

            RSA Public Key: (512 bit)

                Modulus (512 bit):

                    00D41D1F …

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Subject Alternative Name:

            DNS: hyf.xxyyzz.net

            X509v3 CRL Distribution Points:

            URI:http://1.1.1.1:447/myca.crl

            …          …

    Signature Algorithm: md5WithRSAEncryption

        A3A5A447 4D08387D …

Table 1 Command output

Version: Version of the certificate.

Serial Number: Serial number of the certificate.

Signature Algorithm: Signature algorithm.

Issuer: Issuer of the certificate.

Validity: Validity period of the certificate.

Subject: Entity holding the certificate.

Subject Public Key Info: Public key information of the entity.

X509v3 extensions: Extensions of the X.509 (version 3) certificate.

X509v3 CRL Distribution Points: Distribution points of X.509 (version 3) CRLs.

Related commands

·     certificate request polling

·     pki domain

·     pki retrieval-certificate

display pki certificate access-control-policy

Use display pki certificate access-control-policy to display information about one or all certificate access control policies.

Syntax

display pki certificate access-control-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

policy-name: Specifies a certificate access control policy by its name, a string of 1 to 16 characters.

all: Specifies all certificate access control policies.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about the certificate access control policy named mypolicy.

<Sysname> display pki certificate access-control-policy mypolicy

 access-control-policy name: mypolicy

     rule  1 deny    mygroup1

     rule  2 permit  mygroup2

Table 2 Command output

access-control-policy name: Name of the certificate access control policy.

rule number: Number of the access control rule.

display pki certificate attribute-group

Use display pki certificate attribute-group to display information about one or all certificate attribute groups.

Syntax

display pki certificate attribute-group { group-name | all } [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

group-name: Specifies a certificate attribute group by its name, a string of 1 to 16 characters.

all: Specifies all certificate attribute groups.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display information about the certificate attribute group mygroup.

<Sysname> display pki certificate attribute-group mygroup

 attribute group name: mygroup

      attribute  1 subject-name     dn    ctn   abc

      attribute  2 issuer-name      fqdn  nctn  app

Table 3 Command output

attribute group name: Name of the certificate attribute group.

attribute number: Number of the attribute rule.

subject-name: Name of the certificate subject.

dn: DN of the entity.

ctn: Contain operation.

abc: Value of attribute 1.

issuer-name: Name of the certificate issuer.

fqdn: FQDN of the entity.

nctn: Not-contain operation.

app: Value of attribute 2.

display pki crl domain

Use display pki crl domain to display the locally saved CRLs.

Syntax

display pki crl domain domain-name [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Examples

# Display the locally saved CRLs.

<Sysname> display pki crl domain 1

 Certificate Revocation List (CRL):

        Version 2 (0x1)

        Signature Algorithm: sha1WithRSAEncryption

        Issuer:

            C=CN

            O=abc

            OU=soft

            CN=A Test Root

        Last Update: Jan  5 08:44:19 2004 GMT

        Next Update: Jan  5 21:42:13 2004 GMT

        CRL extensions:

            X509v3 Authority Key Identifier:

            keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC

            Revoked Certificates:

            Serial Number: 05a234448E…

            Revocation Date: Sep 6 12:33:22 2004 GMT

            CRL entry extensions:…

            Serial Number: 05a278445E…

            Revocation Date: Sep 7 12:33:22 2004 GMT

            CRL entry extensions:…

Table 4 Command output

Version: Version of the CRL.

Signature Algorithm: Signature algorithm used by the CRL.

Issuer: CA issuing the CRL.

Last Update: Last update time.

Next Update: Next update time.

CRL extensions: Extensions of the CRL.

X509v3 Authority Key Identifier: Identifies the CA key that signed the CRL (an X.509 v3 extension).

keyid: Identifier of the CA public key. A CA might have multiple key pairs; this field indicates the key pair used to sign the CRL.

Revoked Certificates: Revoked certificates.

Serial Number: Serial number of the revoked certificate.

Revocation Date: Revocation date of the certificate.

Related commands

·     pki domain

·     pki retrieval-crl

fqdn

Use fqdn to configure the FQDN of an entity.

Use undo fqdn to remove the configuration.

Syntax

fqdn name-str

undo fqdn

Default

No FQDN is specified for an entity.

Views

PKI entity view

Default command level

2: System level

Parameters

name-str: Specifies the FQDN for an entity, a case-insensitive string of 1 to 127 characters.

Usage guidelines

An FQDN is the unique identifier of an entity on a network. It consists of a host name and a domain name and can be resolved into an IP address.

Examples

# Configure the FQDN of an entity as pki.domain-name.com.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] fqdn pki.domain-name.com

ip (PKI entity view)

Use ip to configure the IP address of an entity.

Use undo ip to remove the configuration.

Syntax

ip ip-address

undo ip

Default

No IP address is specified for an entity.

Views

PKI entity view

Default command level

2: System level

Parameters

ip-address: Specifies an IP address for the entity.

Examples

# Configure the IP address of an entity as 11.0.0.1.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] ip 11.0.0.1

ldap-server

Use ldap-server to specify an LDAP server for a PKI domain.

Use undo ldap-server to remove the configuration.

Syntax

ldap-server ip ip-address [ port port-number ] [ version version-number ]

undo ldap-server

Default

No LDAP server is specified for a PKI domain.

Views

PKI domain view

Default command level

2: System level

Parameters

ip-address: Specifies an LDAP server by its IP address, in dotted decimal format.

port-number: Specifies the port number of the LDAP server, in the range of 1 to 65535. The default is 389.

version-number: Specifies the LDAP version number, either 2 or 3. The default is 2.

Examples

# Specify an LDAP server for PKI domain 1.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] ldap-server ip 169.254.0.30

locality

Use locality to configure the geographical locality of an entity. For example, it can be a city name.

Use undo locality to remove the configuration.

Syntax

locality locality-name

undo locality

Default

No geographical locality is specified for an entity.

Views

PKI entity view

Default command level

2: System level

Parameters

locality-name: Specifies the name for the geographical locality, a case-insensitive string of 1 to 31 characters. Commas cannot be included.

Examples

# Configure the locality of an entity as city.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] locality city

organization

Use organization to configure the name of the organization to which the entity belongs.

Use undo organization to remove the configuration.

Syntax

organization org-name

undo organization

Default

No organization name is specified for an entity.

Views

PKI entity view

Default command level

2: System level

Parameters

org-name: Specifies the organization name, a case-insensitive string of 1 to 31 characters. Commas cannot be included.

Examples

# Configure the name of the organization to which an entity belongs as test-lab.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] organization test-lab

organization-unit

Use organization-unit to specify the name of the organization unit to which this entity belongs.

Use undo organization-unit to remove the configuration.

Syntax

organization-unit org-unit-name

undo organization-unit

Default

No organization unit name is specified for an entity.

Views

PKI entity view

Default command level

2: System level

Parameters

org-unit-name: Specifies the organization unit name for distinguishing different units in an organization, a case-insensitive string of 1 to 31 characters. Commas cannot be included.

Examples

# Configure the name of the organization unit to which an entity belongs as group1.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] organization-unit group1

pki certificate access-control-policy

Use pki certificate access-control-policy to create a certificate access control policy and enter its view.

Use undo pki certificate access-control-policy to remove one or all certificate access control policies.

Syntax

pki certificate access-control-policy policy-name

undo pki certificate access-control-policy { policy-name | all }

Default

No access control policy exists by default.

Views

System view

Default command level

2: System level

Parameters

policy-name: Specifies a name for the certificate access control policy, a case-insensitive string of 1 to 16 characters. It cannot be a, al, or all.

all: Specifies all certificate access control policies.

Examples

# Configure an access control policy named mypolicy and enter its view.

<Sysname> system-view

[Sysname] pki certificate access-control-policy mypolicy

[Sysname-pki-cert-acp-mypolicy]

pki certificate attribute-group

Use pki certificate attribute-group to create a certificate attribute group and enter its view.

Use undo pki certificate attribute-group to delete one or all certificate attribute groups.

Syntax

pki certificate attribute-group group-name

undo pki certificate attribute-group { group-name | all }

Default

No certificate attribute group exists.

Views

System view

Default command level

2: System level

Parameters

group-name: Specifies a name for the certificate attribute group, a case-insensitive string of 1 to 16 characters. It cannot be a, al, or all.

all: Specifies all certificate attribute groups.

Examples

# Create a certificate attribute group named mygroup and enter its view.

<Sysname> system-view

[Sysname] pki certificate attribute-group mygroup

[Sysname-pki-cert-attribute-group-mygroup]

pki delete-certificate

Use pki delete-certificate to delete the certificate locally stored for a PKI domain.

Syntax

pki delete-certificate { ca | local } domain domain-name

Views

System view

Default command level

2: System level

Parameters

ca: Deletes the locally stored CA certificate.

local: Deletes the locally stored local certificate.

domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.

Examples

# Delete the local certificate for PKI domain cer.

<Sysname> system-view

[Sysname] pki delete-certificate local domain cer

pki domain

Use pki domain to create a PKI domain and enter PKI domain view or enter the view of an existing PKI domain.

Use undo pki domain to remove a PKI domain.

Syntax

pki domain domain-name

undo pki domain domain-name

Default

No PKI domains exist.

Views

System view

Default command level

2: System level

Parameters

domain-name: Specifies a name for the PKI domain, a case-insensitive string of 1 to 15 characters.

Usage guidelines

The number of PKI domains supported by the device varies by device model. For more information, see About the WX Series Access Controllers Configuration Guides.

Examples

# Create a PKI domain and enter its view.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1]

pki entity

Use pki entity to create a PKI entity and enter its view.

Use undo pki entity to remove a PKI entity.

Syntax

pki entity entity-name

undo pki entity entity-name

Default

No entities exist.

Views

System view

Default command level

2: System level

Parameters

entity-name: Specifies a name for the entity, a case-insensitive string of 1 to 15 characters.

Usage guidelines

You can configure a variety of attributes for an entity in PKI entity view. An entity is intended only for convenience of reference by other commands.

Examples

# Create a PKI entity named en and enter its view.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en]

pki import-certificate ca

Use pki import-certificate ca to import a CA certificate from a file and save it locally.

Syntax

pki import-certificate ca domain domain-name { der | pem } [ filename filename ]

Views

System view

Default command level

2: System level

Parameters

ca: Specifies the CA certificate.

domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.

der: Specifies the certificate format of DER.

pem: Specifies the certificate format of PEM.

filename filename: Specifies the name of the certificate file to import, a case-insensitive string of 1 to 127 characters. If you do not specify a file name, the default file name that is used to save the retrieved certificate is used, which is domain-name_ca.cer.

Usage guidelines

In FIPS mode, you cannot import MD5 certificates or certificates that contain keys with a key modulus length of less than 2048 bits.

Examples

# Import the CA certificate for PKI domain cer in PEM format.

<Sysname> system-view

[Sysname] pki import-certificate ca domain cer pem

Related commands

pki domain

pki import-certificate local

Use pki import-certificate local to import a local certificate from a file and save it locally.

Syntax

pki import-certificate local domain domain-name { der | p12 | pem } [ filename filename ]

Views

System view

Default command level

2: System level

Parameters

local: Specifies the local certificate.

domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.

der: Specifies the certificate format of DER.

p12: Specifies the certificate format of p12.

pem: Specifies the certificate format of PEM.

filename filename: Specifies the name of the certificate file to import, a case-insensitive string of 1 to 127 characters. If you do not specify a file name, the default file name that is used to save the retrieved certificate is used, which is domain-name_local.cer.

Usage guidelines

In FIPS mode, you cannot import MD5 certificates or certificates that contain keys with a key modulus length of less than 2048 bits.

Examples

# Import the local certificate for PKI domain cer in PEM format.

<Sysname> system-view

[Sysname] pki import-certificate local domain cer pem

Related commands

pki domain

pki request-certificate domain

Use pki request-certificate domain to request a local certificate from a CA through SCEP. If SCEP fails, you can use the pkcs10 keyword to print the request information in BASE64 format, or use the pkcs10 filename filename option to save the request information to a local file and send the file to the CA by an out-of-band means.

Syntax

pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]

Default

The retrieved certificate is stored in the root directory with the filename domain-name_ca.cer or domain-name_local.cer.

Views

System view

Default command level

2: System level

Parameters

domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.

password: Specifies the password for certificate revocation, a case-sensitive string of 1 to 31 characters.

pkcs10: Displays the BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by an out-of-band means, like phone, disk, or email.

filename filename: Specifies the name of the local file for saving the PKCS#10 certificate request, a case-insensitive string of 1 to 127 characters.

Usage guidelines

This operation will not be saved in the configuration file.

Examples

# Display the PKCS#10 certificate request information.

<Sysname> system-view

[Sysname] pki request-certificate domain 1 pkcs10

-----BEGIN CERTIFICATE REQUEST-----
MIIBTDCBtgIBADANMQswCQYDVQQDEwJqajCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAw5Drj8ofs9THA4ezkDcQPBy8pvH1kumampPsJmx8sGG52NFtbrDTnTT5
ALx3LJijB3d/ndKpcHT/DfbJVDCn5gdw32tBZyCkEwMHZN3ol2z7Nvdu5TED6iN8
4m+hfp1QWoV6lty3o9pxAXuQl8peUDcfN6WV3LBXYyl1WCtkLkECAwEAAaAAMA0G
CSqGSIb3DQEBBAUAA4GBAA8E7BaIdmT6NVCZgv/I/1tqZH3TS4e4H9Qo5NiCKiEw
R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ
JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIqVsa1lQOHS7YMvnop6hXAQlkM4c
-----END CERTIFICATE REQUEST-----

Related commands

pki domain

pki retrieval-certificate

Use pki retrieval-certificate to retrieve a certificate from the server for certificate distribution.

Syntax

pki retrieval-certificate { ca | local } domain domain-name

Views

System view

Default command level

2: System level

Parameters

ca: Retrieves the CA certificate.

local: Retrieves the local certificate.

domain-name: Specifies the name of the PKI domain used for the certificate request.

Examples

# Retrieve the CA certificate from the certificate issuing server.

<Sysname> system-view

[Sysname] pki retrieval-certificate ca domain 1

Related commands

pki domain

pki retrieval-crl domain

Use pki retrieval-crl domain to retrieve the latest CRLs from the server for CRL distribution.

Syntax

pki retrieval-crl domain domain-name

Views

System view

Default command level

2: System level

Parameters

domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.

Usage guidelines

CRLs help verify the validity of certificates.

Examples

# Retrieve CRLs.

<Sysname> system-view

[Sysname] pki retrieval-crl domain 1

Related commands

pki domain

pki validate-certificate

Use pki validate-certificate to verify the validity of a certificate.

Syntax

pki validate-certificate { ca | local } domain domain-name

Views

System view

Default command level

2: System level

Parameters

ca: Verifies the CA certificate.

local: Verifies the local certificate.

domain-name: Specifies the name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters.

Usage guidelines

Certificate validity verification checks that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.

Examples

# Verify the validity of the local certificate.

<Sysname> system-view

[Sysname] pki validate-certificate local domain 1

Related commands

pki domain

root-certificate fingerprint

Use root-certificate fingerprint to configure the fingerprint to be used for verifying the validity of the CA root certificate.

Use undo root-certificate fingerprint to remove the configuration.

Syntax

root-certificate fingerprint { md5 | sha1 } string

undo root-certificate fingerprint

Default

No fingerprint is configured for verifying the validity of the CA root certificate.

Views

PKI domain view

Default command level

2: System level

Parameters

md5: Uses an MD5 fingerprint.

sha1: Uses a SHA1 fingerprint.

string: Specifies the fingerprint to be used. An MD5 fingerprint must be a string of 32 characters in hexadecimal. A SHA1 fingerprint must be a string of 40 characters in hexadecimal.

Examples

# Configure an MD5 fingerprint for verifying the validity of the CA root certificate.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E

# Configure a SHA1 fingerprint for verifying the validity of the CA root certificate.

[Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
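To show what the device checks when a root-certificate fingerprint is configured, here is an added Python example (not H3C code) that computes the MD5 or SHA1 fingerprint of a CA certificate as the digest over its DER encoding (the usual X.509 fingerprint definition), enforces the 32/40 hex-character syntax from the parameter description, and compares the result with the configured value. The certificate bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Digest function and required fingerprint length (hex digits) per the command syntax.
ALGORITHMS = {"md5": (hashlib.md5, 32), "sha1": (hashlib.sha1, 40)}

# Constructed stand-in for the DER-encoded CA root certificate. It is NOT a real
# certificate; the fingerprint technique depends only on the DER bytes.
SAMPLE_CA_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(SAMPLE_CA_DER).decode()
                 + "-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body back to DER bytes."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def certificate_fingerprint(der: bytes, algorithm: str) -> str:
    """Uppercase hex digest of the DER bytes (the X.509 fingerprint)."""
    digest, _ = ALGORITHMS[algorithm]
    return digest(der).hexdigest().upper()


def check_fingerprint_syntax(algorithm: str, string: str) -> str:
    """Reject what the CLI rejects: wrong length or non-hexadecimal characters."""
    if algorithm not in ALGORITHMS:
        raise ValueError("algorithm must be md5 or sha1")
    expected_len = ALGORITHMS[algorithm][1]
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % expected_len, string):
        raise ValueError(f"{algorithm} fingerprint must be {expected_len} hex characters")
    return string.upper()


def root_certificate_matches(pem: str, algorithm: str, configured: str) -> bool:
    """Verify a downloaded CA root certificate against the configured fingerprint
    before trusting it. Comparison is case-insensitive (both sides uppercase) and
    constant-time so a mismatch does not leak how many leading characters agreed."""
    expected = check_fingerprint_syntax(algorithm, configured)
    actual = certificate_fingerprint(pem_to_der(pem), algorithm)
    return hmac.compare_digest(actual, expected)
```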

rule (PKI CERT ACP view)

Use rule to create a certificate attribute access control rule.

Use undo rule to delete one or all access control rules.

Syntax

rule [ id ] { deny | permit } group-name

undo rule { id | all }

Default

No access control rule exists.

Views

PKI certificate access control policy view

Default command level

2: System level

Parameters

id: Specifies the number of the certificate attribute access control rule, in the range of 1 to 16. The default is the smallest unused number in this range.

deny: Indicates that a certificate whose attributes match an attribute rule in the specified attribute group is considered invalid and denied.

permit: Indicates that a certificate whose attributes match an attribute rule in the specified attribute group is considered valid and permitted.

group-name: Specifies the name of the certificate attribute group to be associated with the rule, a case-insensitive string of 1 to 16 characters. It cannot be a, al, or all.

all: Specifies all access control rules.

Usage guidelines

A certificate attribute group must exist to be associated with a rule.

Examples

# Create an access control rule, specifying that a certificate is considered valid when it matches an attribute rule in the certificate attribute group mygroup.

<Sysname> system-view

[Sysname] pki certificate access-control-policy mypolicy

[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup
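The following added Python example (not H3C code) models how a certificate attribute access control policy is applied: each attribute line of a group is tested against a certificate's parsed fields with the ctn/equ/nctn/nequ operations, and rules are tried in id order until one whose group has a matching attribute rule decides permit or deny. The sample certificates are constructed, and the deny result when no rule matches is an assumption, not something this page states.

```python
from dataclasses import dataclass

# The four match operations; attribute-value comparison is case-insensitive.
OPS = {"ctn": lambda a, v: v in a, "equ": lambda a, v: a == v,
       "nctn": lambda a, v: v not in a, "nequ": lambda a, v: a != v}


@dataclass(frozen=True)
class AttributeRule:
    """One 'attribute' line of a certificate attribute group."""
    field: str   # issuer-name | subject-name | alt-subject-name
    kind: str    # dn | fqdn | ip
    op: str      # ctn | equ | nctn | nequ
    value: str   # 1 to 128 characters, case-insensitive

    def __post_init__(self):
        if self.field == "alt-subject-name" and self.kind == "dn":
            raise ValueError("alt-subject-name has no dn form")  # per the usage guidelines
        if self.op not in OPS or not 1 <= len(self.value) <= 128:
            raise ValueError("bad operation or attribute-value")

    def matches(self, cert: dict) -> bool:
        actual = cert.get((self.field, self.kind), "").lower()
        return OPS[self.op](actual, self.value.lower())


def add_rule(policy: dict, rule_id: int, action: str, group_name: str, groups: dict):
    """Append a 'rule' line to an access control policy, with the command's checks."""
    if group_name not in groups:
        raise ValueError("the certificate attribute group must exist")
    if group_name.lower() in ("a", "al", "all") or not 1 <= rule_id <= 16:
        raise ValueError("invalid group-name or rule id")
    policy[rule_id] = (action, group_name)


def evaluate(policy: dict, groups: dict, cert: dict) -> str:
    """First rule (ascending id) whose group has a matching attribute rule decides.
    No match -> 'deny' (assumption; this page does not state the fall-through result)."""
    for rule_id in sorted(policy):
        action, group_name = policy[rule_id]
        if any(rule.matches(cert) for rule in groups[group_name]):
            return action
    return "deny"


# Constructed sample certificates (parsed fields only), not taken from the page.
CERT_ABC = {("subject-name", "dn"): "CN=ac1,O=abc,C=CN", ("subject-name", "fqdn"): "ac1.abc.example"}
CERT_OTHER = {("subject-name", "dn"): "CN=ac2,O=xyz,C=CN", ("issuer-name", "dn"): "CN=Rogue CA"}


def demo() -> tuple:
    groups = {"mygroup": [AttributeRule("subject-name", "dn", "ctn", "abc")],
              "badissuer": [AttributeRule("issuer-name", "dn", "ctn", "rogue")]}
    policy = {}
    add_rule(policy, 1, "permit", "mygroup", groups)   # rule 1 permit mygroup, as on the page
    add_rule(policy, 2, "deny", "badissuer", groups)   # hypothetical second rule
    return evaluate(policy, groups, CERT_ABC), evaluate(policy, groups, CERT_OTHER)
```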

state

Use state to specify the name of the state or province where an entity resides.

Use undo state to remove the configuration.

Syntax

state state-name

undo state

Default

No state or province is specified.

Views

PKI entity view

Default command level

2: System level

Parameters

state-name: Specifies the state or province name, a case-insensitive string of 1 to 31 characters. Commas cannot be included.

Examples

# Specify the state where an entity resides.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] state country
