06-PKI Commands
attribute
Use attribute to configure attribute rules for the certificate issuer name, the certificate subject name, and the alternative certificate subject name.
Use undo attribute to delete one or all certificate attribute rules.
Syntax
attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
undo attribute { id | all }
Default
No restriction exists on the issuer name, subject name, and alternative subject name of a certificate.
Views
Certificate attribute group view
Default command level
2: System level
Parameters
id: Sequence number of the certificate attribute rule, in the range of 1 to 16.
alt-subject-name: Specifies the name of the alternative certificate subject.
fqdn: Specifies the FQDN of the entity.
ip: Specifies the IP address of the entity.
issuer-name: Specifies the name of the certificate issuer.
subject-name: Specifies the name of the certificate subject.
dn: Specifies the distinguished name of the entity.
ctn: Specifies the contain operation.
equ: Specifies the equal operation.
nctn: Specifies the not-contain operation.
nequ: Specifies the not-equal operation.
attribute-value: Value of the certificate attribute, a case-insensitive string of 1 to 128 characters.
all: Specifies all certificate attributes.
Usage guidelines
The alternative certificate subject name is not expressed as a distinguished name, so the dn keyword is not available for that attribute.
Examples
# Create a certificate attribute rule specifying that the DN in the subject name must contain the string abc.
<Sysname> system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc
# Create a certificate attribute rule specifying that the FQDN in the issuer name must not be the string abc.
[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc
# Create a certificate attribute rule specifying that the IP address in the alternative subject name must not be 10.0.0.1.
[Sysname-pki-cert-attribute-group-mygroup] attribute 3 alt-subject-name ip nequ 10.0.0.1
ca identifier
Use ca identifier to specify the trusted CA and bind the device with the CA.
Use undo ca identifier to remove the configuration.
Syntax
ca identifier name
undo ca identifier
Default
No trusted CA is specified for a PKI domain.
Views
PKI domain view
Default command level
2: System level
Parameters
name: Name of the trusted CA, a case-sensitive string of 1 to 63 characters.
Usage guidelines
Certificate request, retrieval, revocation, and query depend on the trusted CA.
Examples
# Specify the trusted CA as new-ca.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] ca identifier new-ca
certificate request entity
Use certificate request entity to specify the entity for certificate request.
Use undo certificate request entity to remove the configuration.
Syntax
certificate request entity entity-name
undo certificate request entity
Default
No entity is specified for certificate request.
Views
PKI domain view
Default command level
2: System level
Parameters
entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters.
Examples
# Specify the entity for certificate request as entity1.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request entity entity1
Related commands
pki entity
certificate request from
Use certificate request from to specify the authority for certificate request.
Use undo certificate request from to remove the configuration.
Syntax
certificate request from { ca | ra }
undo certificate request from
Default
No authority is specified for certificate request.
Views
PKI domain view
Default command level
2: System level
Parameters
ca: Indicates that the entity requests a certificate from a CA.
ra: Indicates that the entity requests a certificate from an RA.
Examples
# Specify that the entity requests a certificate from the CA.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request from ca
certificate request mode
Use certificate request mode to set the certificate request mode.
Use undo certificate request mode to restore the default.
Syntax
certificate request mode { auto [ key-length key-length | password { cipher | simple } password ] * | manual }
undo certificate request mode
Default
Manual mode is used.
Views
PKI domain view
Default command level
2: System level
Parameters
auto: Requests a certificate in auto mode.
key-length: Length of the RSA keys in bits, in the range of 512 to 2048. It is 1024 bits by default.
cipher: Sets a ciphertext password for certificate revocation.
simple: Sets a plaintext password for certificate revocation.
password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 31 characters. If cipher is specified, it must be a ciphertext string of 1 to 73 characters.
manual: Requests a certificate in manual mode.
Usage guidelines
In auto mode, an entity automatically requests a certificate from an RA or CA when it has no certificate. However, if the certificate is about to expire or has expired, the entity does not automatically request a new one; you must request it manually. In manual mode, all certificate request operations are performed manually.
For secrecy, all keys, including keys configured in plain text, are saved in cipher text.
Examples
# Specify to request a certificate in auto mode.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request mode auto
Related commands
pki request-certificate
certificate request polling
Use certificate request polling to specify the certificate request polling interval and attempt limit.
Use undo certificate request polling to restore the defaults.
Syntax
certificate request polling { count count | interval minutes }
undo certificate request polling { count | interval }
Default
Polling takes place every 20 minutes, up to 50 times.
Views
PKI domain view
Default command level
2: System level
Parameters
count count: Specifies the maximum number of attempts to poll the status of the certificate request, in the range of 1 to 100.
interval minutes: Specifies the polling interval in minutes, in the range of 5 to 168.
Usage guidelines
After an applicant submits a certificate request, the CA might take a long time to approve it if it verifies requests manually. During this period, the applicant polls the status of the request periodically so that it obtains the certificate as soon as the CA has signed it.
Examples
# Set the polling interval to 15 minutes and the maximum number of attempts to 40.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request polling interval 15
[Sysname-pki-domain-1] certificate request polling count 40
Related commands
display pki certificate
certificate request url
Use certificate request url to specify the URL of the server for certificate request through SCEP.
Use undo certificate request url to remove the configuration.
Syntax
certificate request url url-string
undo certificate request url
Default
No URL is specified for a PKI domain.
Views
PKI domain view
Default command level
2: System level
Parameters
url-string: URL of the server for certificate request, a case-insensitive string of 1 to 127 characters. It comprises the location of the server and the location of the CGI command interface script, in the format http://server_location/ca_script_location, where server_location must be an IP address; domain name resolution is not supported.
Examples
# Specify the URL ofthe server for certificate request.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll
common-name
Use common-name to configure the common name of an entity, which can be, for example, the user name.
Use undo common-name to remove the configuration.
Syntax
common-name name
undo common-name
Default
No common name is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
name: Common name of an entity, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Configure the common name of an entity as test.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] common-name test
country
Use country to specify the code of the country to which an entity belongs. It is a standard 2-character code, for example, CN for China.
Use undo country to remove the configuration.
Syntax
country country-code-str
undo country
Default
No country code is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
country-code-str: Country code for the entity, a 2-character case-insensitive string.
Examples
# Set the country code of an entity to CN.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] country CN
crl check
Use crl check to enable or disable CRL checking.
Syntax
crl check { disable | enable }
Default
CRL checking is enabled.
Views
PKI domain view
Default command level
2: System level
Parameters
disable: Disables CRL checking.
enable: Enables CRL checking.
Usage guidelines
CRLs are files issued by the CA to publish all certificates that it has revoked. A certificate can be revoked before it expires. CRL checking determines whether a certificate has been revoked; a revoked certificate is no longer trusted.
Examples
# Disable CRL checking.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl check disable
crl update-period
Use crl update-period to set the CRL update period, that is, the interval at which a PKI entity with a certificate downloads the latest CRL from the LDAP server.
Use undo crl update-period to restore the default.
Syntax
crl update-period hours
undo crl update-period
Default
The CRL update period depends on the next update field in the CRL file.
Views
PKI domain view
Default command level
2: System level
Parameters
hours: CRL update period in hours, in the range of 1 to 720.
Examples
# Set the CRL update period to 20 hours.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl update-period 20
crl url
Use crl url to specify the URL of the CRL distribution point.
Use undo crl url to remove the configuration.
Syntax
crl url url-string
undo crl url
Default
No CRL distribution point URL is specified.
Views
PKI domain view
Default command level
2: System level
Parameters
url-string: URL of the CRL distribution point, a case-insensitive string of 1 to 125 characters in the format ldap://server_location or http://server_location, where server_location must be an IP address or a domain name.
Usage guidelines
If no CRL distribution point URL is configured, obtain the CA certificate and a local certificate first, and then obtain the CRL through SCEP.
Examples
# Specify the URL of the CRL distribution point.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl url ldap://169.254.0.30
Related commands
display pki certificate
Use display pki certificate to display the contents or request status of a certificate.
Syntax
display pki certificate { { ca | local } domain domain-name | request-status } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
ca: Displays the CA certificate.
local: Displays the local certificate.
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
request-status: Displays the status of a certificate request.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the local certificate.
<Sysname> display pki certificate local domain 1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
10B7D4E3 00010000 0086
Signature Algorithm: md5WithRSAEncryption
Issuer:
C=CN
ST=Country A
L=City X
O=abc
OU=bjs
CN=new-ca
Validity
Not Before: Jan 13 08:57:21 2013 GMT
Not After : Jan 20 09:07:21 2014 GMT
Subject:
C=CN
ST=Country B
L=City Y
CN=pki test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00D41D1F …
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: hyf.xxyyzz.net
X509v3 CRL Distribution Points:
URI:http://1.1.1.1:447/myca.crl
… …
Signature Algorithm: md5WithRSAEncryption
A3A5A447 4D08387D …
Table 1 Command output
Field | Description |
---|---|
Version | Version of the certificate. |
Serial Number | Serial number of the certificate. |
Signature Algorithm | Signature algorithm. |
Issuer | Issuer of the certificate. |
Validity | Validity period of the certificate. |
Subject | Entity holding the certificate. |
Subject Public Key Info | Public key information of the entity. |
X509v3 extensions | Extensions of the X.509 (version 3) certificate. |
X509v3 CRL Distribution Points | Distribution points of X.509 (version 3) CRLs. |
Related commands
certificate request polling
pki domain
pki retrieval-certificate
display pki certificate access-control-policy
Use display pki certificate access-control-policy to display information about one or all certificate attribute-based access control policies.
Syntax
display pki certificate access-control-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
policy-name: Name of the certificate attribute-based access control policy, a string of 1 to 16 characters.
all: Specifies all certificate attribute-based access control policies.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about the certificate attribute-based access control policy named mypolicy.
<Sysname> display pki certificate access-control-policy mypolicy
access-control-policy name: mypolicy
rule 1 deny mygroup1
rule 2 permit mygroup2
Table 2 Command output
Field | Description |
---|---|
access-control-policy | Name of the certificate attribute-based access control policy. |
rule number | Number of the access control rule. |
display pki certificate attribute-group
Use display pki certificate attribute-group to display information about one or all certificate attribute groups.
Syntax
display pki certificate attribute-group { group-name | all } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
group-name: Name of a certificate attribute group, a string of 1 to 16 characters.
all: Specifies all certificate attribute groups.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about the certificate attribute group mygroup.
<Sysname> display pki certificate attribute-group mygroup
attribute group name: mygroup
attribute 1 subject-name dn ctn abc
attribute 2 issuer-name fqdn nctn app
Table 3 Command output
Field | Description |
---|---|
attribute group name | Name of the certificate attribute group. |
attribute number | Number of the attribute rule. |
subject-name | Name of the certificate subject. |
dn | DN of the entity. |
ctn | Contain operation. |
abc | Value of attribute 1. |
issuer-name | Name of the certificate issuer. |
fqdn | FQDN of the entity. |
nctn | Not-contain operation. |
app | Value of attribute 2. |
display pki crl domain
Use display pki crl domain to display the locally saved CRLs.
Syntax
display pki crl domain domain-name [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the locally saved CRLs.
<Sysname> display pki crl domain 1
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer:
C=CN
O=abc
OU=soft
CN=A Test Root
Last Update: Jan 5 08:44:19 2004 GMT
Next Update: Jan 5 21:42:13 2004 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC
Revoked Certificates:
Serial Number: 05a234448E…
Revocation Date: Sep 6 12:33:22 2004 GMT
CRL entry extensions: …
Serial Number: 05a278445E…
Revocation Date: Sep 7 12:33:22 2004 GMT
CRL entry extensions: …
Table 4 Command output
Field | Description |
---|---|
Version | Version of the CRL. |
Signature Algorithm | Signature algorithm used by the CRLs. |
Issuer | CA issuing the CRLs. |
Last Update | Last update time. |
Next Update | Next update time. |
CRL extensions | Extensions of the CRL. |
X509v3 Authority Key Identifier | CA issuing the CRLs. The certificate version is X.509v3. |
keyid | ID of the public key. A CA might have multiple key pairs. This field indicates the key pair used for the CRL's signature. |
Revoked Certificates | Revoked certificates. |
Serial Number | Serial number of the revoked certificate. |
Revocation Date | Revocation date of the certificate. |
Related commands
pki domain
pki retrieval-crl
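The CRL output above is what crl check relies on: a certificate is trusted only if its serial is absent from a CRL that is still current (the crl update-period default follows the Next Update field). The following Python is an added example, not code from this page or from the device vendor. It parses a sample in the display pki crl domain format (constructed here, with made-up serial numbers), looks a serial up, and flags a CRL that is past Next Update or, when an update period is configured, past Last Update plus that period. The refresh rule and the dictionary field names are the example's own assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the format of the display pki crl domain output above.
# The serial numbers are made up; the original output truncates them.
SAMPLE_CRL_OUTPUT = """\
Certificate Revocation List (CRL):
    Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer:
        C=CN
        O=abc
        OU=soft
        CN=A Test Root
    Last Update: Jan 5 08:44:19 2004 GMT
    Next Update: Jan 5 21:42:13 2004 GMT
    CRL extensions:
        X509v3 Authority Key Identifier:
            keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC
Revoked Certificates:
    Serial Number: 0A1B2C3D4E
        Revocation Date: Sep 6 12:33:22 2004 GMT
    Serial Number: 0A1B2C3D4F
        Revocation Date: Sep 7 12:33:22 2004 GMT
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def utc(year, month, day, hour=0, minute=0):
    """Helper for building the aware UTC 'now' used by the checks below."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_crl_time(text):
    """Parse 'Mon D HH:MM:SS YYYY GMT' (single- or double-spaced day) to aware UTC."""
    return datetime.strptime(" ".join(text.split()), DATE_FMT).replace(tzinfo=timezone.utc)


def parse_crl(text):
    """Reduce the CLI output to issuer, update times and the revoked serials."""
    crl = {"issuer": {}, "last_update": None, "next_update": None, "revoked": {}}
    in_issuer = False
    serial = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Issuer:":
            in_issuer = True
            continue
        if in_issuer and "=" in line:            # C=CN, O=abc, ... under Issuer:
            key, _, value = line.partition("=")
            crl["issuer"][key.strip()] = value.strip()
            continue
        in_issuer = False
        if line.startswith("Last Update:"):
            crl["last_update"] = parse_crl_time(line.split(":", 1)[1])
        elif line.startswith("Next Update:"):
            crl["next_update"] = parse_crl_time(line.split(":", 1)[1])
        elif line.startswith("Serial Number:"):
            serial = line.split(":", 1)[1].strip().upper()
            crl["revoked"][serial] = None
        elif line.startswith("Revocation Date:") and serial:
            crl["revoked"][serial] = parse_crl_time(line.split(":", 1)[1])
    return crl


def crl_is_stale(crl, now, update_period_hours=None):
    """Refresh rule (this example's assumption): the CRL is stale once 'now' passes
    Next Update, or, when a crl update-period is configured, Last Update plus that
    many hours."""
    if update_period_hours is None:
        return now > crl["next_update"]
    return now > crl["last_update"] + timedelta(hours=update_period_hours)


def check_certificate(crl, serial, now, update_period_hours=None):
    """Classify a certificate serial against the CRL: revoked, crl-stale or good."""
    if serial.upper() in crl["revoked"]:
        return "revoked"      # a listed serial stays revoked even when the CRL is old
    if crl_is_stale(crl, now, update_period_hours):
        return "crl-stale"    # do not report 'good' until a fresh CRL is downloaded
    return "good"


if __name__ == "__main__":
    crl = parse_crl(SAMPLE_CRL_OUTPUT)
    for candidate in ("0a1b2c3d4e", "1234"):
        print(candidate, check_certificate(crl, candidate, utc(2004, 1, 5, 12)))
```

Serial comparison is case-insensitive because the CLI prints serials in mixed case; the stale check runs after the revocation lookup so that an entry on an out-of-date CRL is still reported as revoked rather than as merely stale.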
fqdn
Use fqdn to configure the FQDN of an entity.
Use undo fqdn to remove the configuration.
Syntax
fqdn name-str
undo fqdn
Default
No FQDN is specified for an entity.
Views
PKI entity view
Default command level
2: System level
Parameters
name-str: Fully qualified domain name (FQDN) of an entity, a case-insensitive string of 1 to 127 characters.
Usage guidelines
An FQDN is the unique identifier of an entity on a network. It consists of a host name and a domain name and can be resolved into an IP address.
Examples
# Configure the FQDN of an entity as pki.domain-name.com.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] fqdn pki.domain-name.com
ip (PKI entity view)
Use ip to configure the IP address of an entity.
Use undo ip to remove the configuration.
Syntax
ip ip-address
undo ip
Default
No IP address is specified for an entity.
Views
PKI entity view
Default command level
2: System level
Parameters
ip-address: IP address for an entity.
Examples
# Configure the IP address of an entity as 11.0.0.1.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] ip 11.0.0.1
ldap-server
Use ldap-server to specify an LDAP server for a PKI domain.
Use undo ldap-server to remove the configuration.
Syntax
ldap-server ip ip-address [ port port-number ] [ version version-number ]
undo ldap-server
Default
No LDAP server is specified for a PKI domain.
Views
PKI domain view
Default command level
2: System level
Parameters
ip-address: IP address of the LDAP server, in dotted decimal format.
port-number: Port number of the LDAP server, in the range of 1 to 65535. The default is 389.
version-number: LDAP version number, either 2 or 3. The default is 2.
Examples
# Specify an LDAP server for PKI domain 1.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] ldap-server ip 169.254.0.30
locality
Use locality to configure the geographical locality of an entity, which can be, for example, a city name.
Use undo locality to remove the configuration.
Syntax
locality locality-name
undo locality
Default
No geographical locality is specified for an entity.
Views
PKI entity view
Default command level
2: System level
Parameters
locality-name: Name for the geographical locality, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Configure the locality of an entity as city.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] locality city
organization
Use organization to configure the name of the organization to which the entity belongs.
Use undo organization to remove the configuration.
Syntax
organization org-name
undo organization
Default
No organization name is specified for an entity.
Views
PKI entity view
Default command level
2: System level
Parameters
org-name: Organization name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Configure the name of the organization to which an entity belongs as test-lab.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] organization test-lab
organization-unit
Use organization-unit to specify the name of the organization unit to which this entity belongs.
Use undo organization-unit to remove the configuration.
Syntax
organization-unit org-unit-name
undo organization-unit
Default
No organization unit name is specified for an entity.
Views
PKI entity view
Default command level
2: System level
Parameters
org-unit-name: Organization unit name for distinguishing different units in an organization, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Configure the name of the organization unit to which an entity belongs as group1.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] organization-unit group1
pki certificate access-control-policy
Use pki certificate access-control-policy to create a certificate attribute-based access control policy and enter its view.
Use undo pki certificate access-control-policy to remove one or all certificate attribute-based access control policies.
Syntax
pki certificate access-control-policy policy-name
undo pki certificate access-control-policy { policy-name | all }
Default
No access control policy exists by default.
Views
System view
Default command level
2: System level
Parameters
policy-name: Name of the certificate attribute-based access control policy, a case-insensitive string of 1 to 16 characters. It cannot be "a", "al", or "all".
all: Specifies all certificate attribute-based access control policies.
Examples
# Configure an access control policy named mypolicy and enter its view.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy]
pki certificate attribute-group
Use pki certificate attribute-group to create a certificate attribute group and enter its view.
Use undo pki certificate attribute-group to delete one or all certificate attribute groups.
Syntax
pki certificate attribute-group group-name
undo pki certificate attribute-group { group-name | all }
Default
No certificate attribute group exists.
Views
System view
Default command level
2: System level
Parameters
group-name: Name for the certificate attribute group, a case-insensitive string of 1 to 16 characters. It cannot be "a", "al", or "all".
all: Specifies all certificate attribute groups.
Examples
# Create a certificate attribute group named mygroup and enter its view.
<Sysname> system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup]
pki delete-certificate
Use pki delete-certificate to delete the certificate locally stored for a PKI domain.
Syntax
pki delete-certificate { ca | local } domain domain-name
Views
System view
Default command level
2: System level
Parameters
ca: Deletes the locally stored CA certificate.
local: Deletes the locally stored local certificate.
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
Examples
# Delete the local certificate for PKI domain cer.
<Sysname> system-view
[Sysname] pki delete-certificate local domain cer
pki domain
Use pki domain to create a PKI domain and enter PKI domain view or enter the view of an existing PKI domain.
Use undo pki domain to remove a PKI domain.
Syntax
pki domain domain-name
undo pki domain domain-name
Default
No PKI domain exists.
Views
System view
Default command level
2: System level
Parameters
domain-name: PKI domain name, a case-insensitive string of 1 to 15 characters.
Usage guidelines
You can create up to 32 PKI domains on a device.
Examples
# Create a PKI domain and enter its view.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1]
pki entity
Use pki entity to create a PKI entity and enter its view.
Use undo pki entity to remove a PKI entity.
Syntax
pki entity entity-name
undo pki entity entity-name
Default
No entity exists.
Views
System view
Default command level
2: System level
Parameters
entity-name: Name for the entity, a case-insensitive string of 1 to 15 characters.
Usage guidelines
You can configure a variety of attributes for an entity in PKI entity view. An entity is intended only for convenience of reference by other commands.
Examples
# Create a PKI entity named en and enter its view.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en]
pki import-certificate
Use pki import-certificate to import a CA certificate or local certificate from a file and save it locally.
Syntax
pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]
Views
System view
Default command level
2: System level
Parameters
ca: Specifies the CA certificate.
local: Specifies the local certificate.
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
der: Specifies the DER certificate format.
p12: Specifies the P12 certificate format.
pem: Specifies the PEM certificate format.
filename filename: Specifies the name of the certificate file to import, a case-insensitive string of 1 to 127 characters. If no file is specified, the system uses the default file name assigned when the certificate was retrieved, that is, domain-name_ca.cer or domain-name_local.cer.
Examples
# Import the CA certificate for PKI domain cer in PEM format.
<Sysname> system-view
[Sysname] pki import-certificate ca domain cer pem
Related commands
pki domain
pki request-certificate domain
Use pki request-certificate domain to request a local certificate from a CA through SCEP. If SCEP fails, you can use the pkcs10 keyword to print the request information in BASE64 format, or use the pkcs10 filename filename option to save the request information to a local file and send the file to the CA by an out-of-band means.
Syntax
pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]
Default
The retrieved certificate is stored in the root directory with the filename domain-name_ca.cer or domain-name_local.cer.
Views
System view
Default command level
2: System level
Parameters
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters.
pkcs10: Displays the BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by an out-of-band means, such as phone, disk, or email.
filename filename: Specifies the name of the local file for saving the PKCS#10 certificate request, a case-insensitive string of 1 to 127 characters.
Usage guidelines
This operation will not be saved in the configuration file.
Examples
# Display the PKCS#10 certificate request information.
<Sysname> system-view
[Sysname] pki request-certificate domain 1 pkcs10
-----BEGIN CERTIFICATE REQUEST-----
MIIBTDCBtgIBADANMQswCQYDVQQDEwJqajCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAw5Drj8ofs9THA4ezkDcQPBy8pvH1kumampPsJmx8sGG52NFtbrDTnTT5
ALx3LJijB3d/ndKpcHT/DfbJVDCn5gdw32tBZyCkEwMHZN3ol2z7Nvdu5TED6iN8
4m+hfp1QWoV6lty3o9pxAXuQl8peUDcfN6WV3LBXYyl1WCtkLkECAwEAAaAAMA0G
CSqGSIb3DQEBBAUAA4GBAA8E7BaIdmT6NVCZgv/I/1tqZH3TS4e4H9Qo5NiCKiEw
R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ
JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIqVsa1lQOHS7YMvnop6hXAQlkM4c
-----END CERTIFICATE REQUEST-----
Related commands
pki domain
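When SCEP is unavailable, the BASE64 PKCS#10 block printed above is what gets sent to the CA out of band, so it is worth being able to read it before it leaves the device. The following Python is an added example, not code from this page or from the device vendor: it decodes that request with a minimal DER walker and reports the subject name, RSA key length, public exponent and signature algorithm, plus the weak points a reviewer would flag before forwarding it (an RSA key shorter than 2048 bits, an MD5-based signature). The OID tables and the weak_points thresholds are the example's own; the sample input is the request shown in the example above.

```python
import base64
import re

# The BASE64 PKCS#10 request printed by the pki request-certificate ... pkcs10 example above.
SAMPLE_PKCS10 = """\
-----BEGIN CERTIFICATE REQUEST-----
MIIBTDCBtgIBADANMQswCQYDVQQDEwJqajCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAw5Drj8ofs9THA4ezkDcQPBy8pvH1kumampPsJmx8sGG52NFtbrDTnTT5
ALx3LJijB3d/ndKpcHT/DfbJVDCn5gdw32tBZyCkEwMHZN3ol2z7Nvdu5TED6iN8
4m+hfp1QWoV6lty3o9pxAXuQl8peUDcfN6WV3LBXYyl1WCtkLkECAwEAAaAAMA0G
CSqGSIb3DQEBBAUAA4GBAA8E7BaIdmT6NVCZgv/I/1tqZH3TS4e4H9Qo5NiCKiEw
R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ
JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIqVsa1lQOHS7YMvnop6hXAQlkM4c
-----END CERTIFICATE REQUEST-----
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END CERTIFICATE REQUEST-----", re.S)
# Attribute types the entity commands on this page put into a subject name.
DN_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
           "2.5.4.10": "O", "2.5.4.11": "OU"}
SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}


def pem_to_der(pem):
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block")
    return base64.b64decode("".join(m.group(1).split()))


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def read_sequence(buf):
    """Split a constructed value into its child (tag, value) pairs."""
    children, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        children.append((tag, value))
    return children


def decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:                     # base-128, high bit set on all but the last byte
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_name(name_value):
    """Flatten an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) to a dict."""
    out = {}
    for _, rdn in read_sequence(name_value):
        for _, atv in read_sequence(rdn):
            (_, oid), (_, value) = read_sequence(atv)
            out[DN_OIDS.get(decode_oid(oid), decode_oid(oid))] = value.decode("utf-8")
    return out


def parse_pkcs10(pem):
    der = pem_to_der(pem)
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    (_, info), (_, sig_alg), (_, signature) = read_sequence(body)
    (_, version), (_, subject), (_, spki), *_attrs = read_sequence(info)
    (_, _alg), (_, key_bits) = read_sequence(spki)       # AlgorithmIdentifier, BIT STRING
    (_, rsa_key), = read_sequence(key_bits[1:])          # skip the unused-bits byte
    (_, modulus), (_, exponent) = read_sequence(rsa_key)
    (_, sig_oid), *_ = read_sequence(sig_alg)
    return {
        "version": int.from_bytes(version, "big"),
        "subject": parse_name(subject),
        "key_bits": int.from_bytes(modulus, "big").bit_length(),
        "exponent": int.from_bytes(exponent, "big"),
        "signature_algorithm": SIG_OIDS.get(decode_oid(sig_oid), decode_oid(sig_oid)),
        "signature_bytes": len(signature) - 1,           # minus the unused-bits byte
    }


def weak_points(req, min_key_bits=2048):
    """Findings to raise before the request is forwarded (thresholds are this example's)."""
    findings = []
    if req["key_bits"] < min_key_bits:
        findings.append(f"RSA key is {req['key_bits']} bits, below {min_key_bits}")
    if req["signature_algorithm"].startswith("md5"):
        findings.append("request signature uses MD5")
    return findings


if __name__ == "__main__":
    parsed = parse_pkcs10(SAMPLE_PKCS10)
    print(parsed)
    print(weak_points(parsed))
```

The request above carries only CN=jj, a 1024-bit key (the key-length default of certificate request mode) and an md5WithRSAEncryption self-signature, which is why both findings fire on it.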
pki retrieval-certificate
Use pki retrieval-certificate to retrieve a certificate from the server for certificate distribution.
Syntax
pki retrieval-certificate { ca | local } domain domain-name
Views
System view
Default command level
2: System level
Parameters
ca: Retrieves the CA certificate.
local: Retrieves the local certificate.
domain-name: Name of the PKI domain used for certificate request.
Examples
# Retrieve the CA certificate from the certificate issuing server.
<Sysname> system-view
[Sysname] pki retrieval-certificate ca domain 1
Related commands
pki domain
pki retrieval-crl domain
Use pki retrieval-crl domain to retrieve the latest CRLs from the server for CRL distribution.
Syntax
pki retrieval-crl domain domain-name
Views
System view
Default command level
2: System level
Parameters
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
Usage guidelines
CRLs help verify the validity of certificates.
Examples
# Retrieve CRLs.
<Sysname> system-view
[Sysname] pki retrieval-crl domain 1
Related commands
pki domain
pki validate-certificate
Use pki validate-certificate to verify the validity of a certificate.
Syntax
pki validate-certificate { ca | local } domain domain-name
Views
System view
Default command level
2: System level
Parameters
ca: Verifies the CA certificate.
local: Verifies the local certificate.
domain-name: Name of the PKI domain to which the certificate to be verified belongs, a string of 1 to 15 characters.
Usage guidelines
Certificate validity verification checks that the certificate was signed by the CA and that it has neither expired nor been revoked.
Examples
# Verify the validity of the local certificate.
<Sysname> system-view
[Sysname] pki validate-certificate local domain 1
Related commands
pki domain
root-certificate fingerprint
Use root-certificate fingerprint to configure the fingerprint to be used for verifying the validity of the CA root certificate.
Use undo root-certificate fingerprint to remove the configuration.
Syntax
root-certificate fingerprint { md5 | sha1 } string
undo root-certificate fingerprint
Default
No fingerprint is configured for verifying the validity of the CA root certificate.
Views
PKI domain view
Default command level
2: System level
Parameters
md5: Uses an MD5 fingerprint.
sha1: Uses a SHA1 fingerprint.
string: Fingerprint to be used. An MD5 fingerprint must be a string of 32 hexadecimal characters. A SHA1 fingerprint must be a string of 40 hexadecimal characters.
Examples
# Configure an MD5 fingerprint for verifying the validity of the CA root certificate.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E
# Configure a SHA1 fingerprint for verifying the validity of the CA root certificate.
[Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
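Verifying the root certificate fingerprint is the step that anchors trust in the CA: the retrieved CA certificate is hashed and the digest is compared with the configured string. The following Python is an added example, not the device's code, of that check. It validates the configured string against the lengths given above (32 hexadecimal characters for MD5, 40 for SHA1), hashes a constructed stand-in for the DER-encoded certificate, and compares the two digests in constant time. The sample bytes are not a real certificate, and the function names are the example's own.

```python
import hashlib
import hmac
import re

# Fingerprint lengths from the string parameter description above.
FINGERPRINT_HEX_LEN = {"md5": 32, "sha1": 40}

# Constructed stand-in for a retrieved CA certificate; not real DER.
SAMPLE_ROOT_DER = b"constructed stand-in for a CA certificate in DER form"


def is_valid_fingerprint_string(algorithm, string):
    """True if the string has the right length for the algorithm and is hexadecimal."""
    expected_len = FINGERPRINT_HEX_LEN.get(algorithm)
    if expected_len is None:
        return False
    return len(string) == expected_len and re.fullmatch(r"[0-9A-Fa-f]+", string) is not None


def certificate_fingerprint(algorithm, der_bytes):
    """Fingerprint = digest of the certificate's DER encoding, as upper-case hex."""
    if algorithm not in FINGERPRINT_HEX_LEN:
        raise ValueError("algorithm must be md5 or sha1")
    return hashlib.new(algorithm, der_bytes).hexdigest().upper()


def verify_root_certificate(algorithm, configured, der_bytes):
    """True only if the retrieved CA certificate hashes to the configured fingerprint.
    A malformed configured string is rejected rather than silently failing to match."""
    if not is_valid_fingerprint_string(algorithm, configured):
        raise ValueError(f"{algorithm} fingerprint must be {FINGERPRINT_HEX_LEN[algorithm]} hex characters")
    actual = certificate_fingerprint(algorithm, der_bytes)
    return hmac.compare_digest(configured.upper(), actual)   # case-insensitive, constant time


if __name__ == "__main__":
    fp = certificate_fingerprint("sha1", SAMPLE_ROOT_DER)
    print("sha1 fingerprint of the constructed sample:", fp)
    print("matches itself:", verify_root_certificate("sha1", fp.lower(), SAMPLE_ROOT_DER))
```

Comparing with hmac.compare_digest rather than == avoids a timing side channel, and rejecting a wrong-length string catches a truncated or pasted-over fingerprint at configuration time instead of at the first failed retrieval.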
rule (PKI CERT ACP view)
Use rule to create a certificate attribute access control rule.
Use undo rule to delete one or all access control rules.
Syntax
rule [ id ] { deny | permit } group-name
undo rule { id | all }
Default
No access control rule exists.
Views
PKI certificate access control policy view
Default command level
2: System level
Parameters
id: Number of the certificate attribute access control rule, in the range of 1 to 16. The default is the smallest unused number in this range.
deny: Indicates that a certificate whose attributes match an attribute rule in the specified attribute group is considered invalid and denied.
permit: Indicates that a certificate whose attributes match an attribute rule in the specified attribute group is considered valid and permitted.
group-name: Name of the certificate attribute group to be associated with the rule, a case-insensitive string of 1 to 16 characters. It cannot be "a", "al", or "all".
all: Specifies all access control rules.
Usage guidelines
A certificate attribute group must exist before it can be associated with a rule.
Examples
# Create an access control rule specifying that a certificate is considered valid when it matches an attribute rule in the certificate attribute group mygroup.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup
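The attribute command earlier on this page builds the groups that rule references, and together they decide whether a peer certificate is accepted. The following Python is an added example, not code from this page or from the device vendor, that models both: attribute rules with the ctn, equ, nctn and nequ operators and case-insensitive matching, attribute groups, and a policy evaluated in rule-number order. A group is treated as matched when any of its rules matches (following the wording of deny and permit above); how multi-valued alternative subject names are handled, and what happens when no rule matches, are the example's own assumptions. The groups, policy and certificate dictionaries are constructed for the demonstration, modelled on the attribute and rule examples on this page.

```python
from ipaddress import ip_address

# Operators of the attribute command: contain / equal and their negations.
OPERATORS = {
    "ctn": lambda have, want: want in have,
    "nctn": lambda have, want: want not in have,
    "equ": lambda have, want: have == want,
    "nequ": lambda have, want: have != want,
}
# Attribute types each name field supports (alt-subject-name has no dn form).
ALLOWED_TYPES = {
    "subject-name": {"dn", "fqdn", "ip"},
    "issuer-name": {"dn", "fqdn", "ip"},
    "alt-subject-name": {"fqdn", "ip"},
}


def attribute_rule(rule_id, field, attr_type, op, value):
    """Build one 'attribute id ...' rule, enforcing the command's own ranges."""
    if not 1 <= rule_id <= 16:
        raise ValueError("id must be 1 to 16")
    if attr_type not in ALLOWED_TYPES.get(field, ()):
        raise ValueError(f"{attr_type} is not valid for {field}")
    if op not in OPERATORS:
        raise ValueError("operator must be ctn, equ, nctn or nequ")
    if not 1 <= len(value) <= 128:
        raise ValueError("attribute-value must be 1 to 128 characters")
    return {"id": rule_id, "field": field, "type": attr_type, "op": op, "value": value}


def normalize(attr_type, value):
    """Case-insensitive comparison; IP addresses are canonicalised when parseable."""
    if attr_type == "ip":
        try:
            return str(ip_address(value))
        except ValueError:
            pass
    return value.lower()


def rule_matches(rule, cert):
    """cert: {'subject-name': {'dn': ..., 'fqdn': ..., 'ip': ...}, 'issuer-name': {...},
    'alt-subject-name': {'fqdn': [...], 'ip': [...]}}. A field the certificate lacks
    never matches. Assumption for multi-valued SANs: a positive operator needs one
    value to satisfy it, a negative operator needs every value to satisfy it."""
    present = cert.get(rule["field"], {}).get(rule["type"])
    if present is None:
        return False
    values = present if isinstance(present, list) else [present]
    want = normalize(rule["type"], rule["value"])
    results = [OPERATORS[rule["op"]](normalize(rule["type"], v), want) for v in values]
    if not results:
        return False
    return any(results) if rule["op"] in ("ctn", "equ") else all(results)


def group_matches(group, cert):
    """Per the deny/permit wording above: the certificate matches any rule in the group."""
    return any(rule_matches(r, cert) for r in sorted(group, key=lambda r: r["id"]))


def evaluate_policy(policy, groups, cert):
    """policy: list of (rule_id, 'deny' | 'permit', group_name), evaluated in id order.
    Returns the action of the first rule whose group matches, or None when no rule
    matches (what the device does in that case is not stated on this page)."""
    for _rule_id, action, group_name in sorted(policy):
        if group_matches(groups[group_name], cert):
            return action
    return None


# Constructed groups and policy, mirroring the attribute and rule examples on this page.
GROUPS = {
    "mygroup1": [attribute_rule(1, "subject-name", "dn", "ctn", "abc")],
    "mygroup2": [attribute_rule(1, "issuer-name", "fqdn", "nequ", "abc"),
                 attribute_rule(2, "alt-subject-name", "ip", "nequ", "10.0.0.1")],
}
MYPOLICY = [(1, "deny", "mygroup1"), (2, "permit", "mygroup2")]

# Constructed certificates, already reduced to the fields the rules look at.
CERT_A = {"subject-name": {"dn": "C=CN,O=ABC,CN=pki test"},
          "issuer-name": {"dn": "CN=new-ca", "fqdn": "ca.example.test"},
          "alt-subject-name": {"fqdn": ["host.example.test"], "ip": ["10.0.0.2"]}}
CERT_B = {"subject-name": {"dn": "C=CN,O=xyz,CN=pki test"},
          "issuer-name": {"dn": "CN=new-ca", "fqdn": "ca.example.test"},
          "alt-subject-name": {"ip": ["10.0.0.1"]}}
CERT_C = {"subject-name": {"dn": "C=CN,O=xyz,CN=other"},
          "issuer-name": {"fqdn": "abc"},
          "alt-subject-name": {"ip": ["10.0.0.1"]}}

if __name__ == "__main__":
    for name, cert in (("A", CERT_A), ("B", CERT_B), ("C", CERT_C)):
        print(name, evaluate_policy(MYPOLICY, GROUPS, cert))
```

CERT_A is denied because its subject DN contains abc (upper-case O=ABC still matches, as the attribute-value is case-insensitive); CERT_B is permitted through rule 2 even though its alternative name is exactly the excluded 10.0.0.1, because one matching rule in mygroup2 is enough under the any-rule reading; CERT_C matches nothing and gets None.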
signature-algorithm
Use signature-algorithm to specify the certificate signature algorithm.
Use undo signature-algorithm to restore the default.
Syntax
signature-algorithm { ecdsa | rsa }
undo signature-algorithm
Default
The RSA algorithm is used as the certificate signature algorithm.
Views
PKI domain view
Default command level
2: System level
Parameters
ecdsa: Uses ECDSA as the certificate signature algorithm.
rsa: Uses RSA as the certificate signature algorithm.
Examples
# Specify to use the ECDSA algorithm as the certificate signature algorithm.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] signature-algorithm ecdsa
state
Use state to specify the name of the state or province where an entity resides.
Use undo state to remove the configuration.
Syntax
state state-name
undo state
Default
No state or province is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
state-name: State or province name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Specify the state where an entity resides.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] state country