13-Security

HH3C-PKI-MONITOR-MIB

About this MIB

Use this MIB to obtain PKI trap information and PKI trap notifications.

MIB file name

hh3c-pki-monitor.mib

Notifications

hh3cPKICACertInvalid

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.1 | Invalid CA certificate. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated when a CA certificate becomes invalid.

This notification might be generated when the following events occur:

The system time of the device is not synchronized with that of the CA server.

The fingerprint for verifying the root CA certificate is illegal.

The format of the CA certificate does not meet the certificate requirements.

The signature algorithm and public key length of the CA certificate do not meet the related requirements in FIPS mode.

System impact

Certificate-related services are unavailable.

Status control

ON

CLI: Use the snmp-agent trap enable pki ca-cert-invalid command.

MIB: Set hh3cPKICACertInvalidTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki ca-cert-invalid command.

MIB: Set hh3cPKICACertInvalidTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.1 (hh3cPKICACertIssuer) | Issuer of a CA certificate. | N/A | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.209.1.1.2 (hh3cPKICACertSubject) | Subject of the CA certificate. | N/A | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.209.1.1.3 (hh3cPKICACertStartTime) | Time when the CA certificate becomes valid. | N/A | DateAndTime | OCTET STRING (8 \| 11) |
| 1.3.6.1.4.1.25506.2.209.1.1.4 (hh3cPKICACertFinishTime) | Time when the CA certificate expires. | N/A | DateAndTime | OCTET STRING (8 \| 11) |

Recommended action

To resolve this issue:

1.Use the display clock command to view whether the device is time synchronized with the CA server:

  - If no, use the clock datetime command in user view to synchronize the system time of the device with that of the CA server.

  - If yes, go to step 2.

2.Check whether the fingerprint for verifying the root CA certificate is legal:

  - If no, use the root-certificate fingerprint command to configure a legal fingerprint for verifying the root CA certificate.

  - If yes, go to step 3.

3.Request a new CA certificate in online or offline mode.

4.If the issue persists, collect alarm information and configuration data, and then contact H3C Support for help.

hh3cPKICACertValid

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.2 | Valid CA certificate. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated when a CA certificate becomes valid.

System impact

No negative impact on services.

Status control

ON

CLI: Use the snmp-agent trap enable pki ca-cert-valid command.

MIB: Set hh3cPKICACertValidTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki ca-cert-valid command.

MIB: Set hh3cPKICACertValidTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.1 (hh3cPKICACertIssuer) | Issuer of a CA certificate. | N/A | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.209.1.1.2 (hh3cPKICACertSubject) | Subject of the CA certificate. | N/A | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.209.1.1.3 (hh3cPKICACertStartTime) | Time when the CA certificate becomes valid. | N/A | DateAndTime | OCTET STRING (8 \| 11) |
| 1.3.6.1.4.1.25506.2.209.1.1.4 (hh3cPKICACertFinishTime) | Time when the CA certificate expires. | N/A | DateAndTime | OCTET STRING (8 \| 11) |

Recommended action

No action is required.

hh3cPKICrlInvalid

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.3 | Invalid CRL. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated when a CRL becomes invalid.

This notification might be generated when the following events occur:

The system time of the device is not synchronized with that of the CA server.

Failed to verify the signature of the CRL by using the public key of the CA certificate.

The signature algorithm of the CRL does not meet the requirements in FIPS mode.

System impact

Certificate-related services are unavailable.

Status control

ON

CLI: Use the snmp-agent trap enable pki crl-invalid command.

MIB: Set hh3cPKICrlInvalidTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki crl-invalid command.

MIB: Set hh3cPKICrlInvalidTrapCntl to false(2).

 

Objects

| OID (object name) | Description | Index nodes | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.5 (hh3cPKICrlIssuer) | Issuer of a CRL. | N/A | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.209.1.1.6 (hh3cPKICrlStartTime) | Time when the CRL becomes valid. | N/A | DateAndTime | OCTET STRING (8 \| 11) |
| 1.3.6.1.4.1.25506.2.209.1.1.7 (hh3cPKICrlFinishTime) | Time when the CRL expires. | N/A | DateAndTime | OCTET STRING (8 \| 11) |

Recommended action

To resolve this issue:

1.Use the display clock command to view whether the device is time synchronized with the CA server:

  - If no, use the clock datetime command in user view to synchronize the system time of the device with that of the CA server.

  - If yes, go to step 2.

2.Obtain the CA certificate again, and obtain a new CRL through HTTP, LDAP, or SCEP.

3.If the issue persists, collect alarm information and configuration data, and then contact H3C Support for help.

hh3cPKICrlValid

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.4 | Valid CRL. | Informational | Warning | N/A | OFF |

Notification triggers

This notification is generated when a CRL becomes valid.

System impact

No negative impact on services.

Status control

ON

CLI: Use the snmp-agent trap enable pki crl-valid command.

MIB: Set hh3cPKICrlValidTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki crl-valid command.

MIB: Set hh3cPKICrlValidTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.5 (hh3cPKICrlIssuer) | Issuer of a CRL. | N/A | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.209.1.1.6 (hh3cPKICrlStartTime) | Time when the CRL becomes valid. | N/A | DateAndTime | OCTET STRING (8 \| 11) |
| 1.3.6.1.4.1.25506.2.209.1.1.7 (hh3cPKICrlFinishTime) | Time when the CRL expires. | N/A | DateAndTime | OCTET STRING (8 \| 11) |

Recommended action

No action is required.

hh3cPKIGetCrlSucHttp

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.5 | Obtaining a CRL through HTTP succeeded. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated when obtaining a CRL through HTTP succeeded.

System impact

No negative impact on services.

Status control

ON

CLI: Use the snmp-agent trap enable pki crl-http-success command.

MIB: Set hh3cPKIGetCrlSucHttpTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki crl-http-success command.

MIB: Set hh3cPKIGetCrlSucHttpTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.8 (hh3cPKIDomainName) | PKI domain name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.9 (hh3cPKICrlUrl) | CRL repository URL. | N/A | OCTET STRING | OCTET STRING (0..1023) |
| 1.3.6.1.4.1.25506.2.209.1.1.10 (hh3cPKIVrfName) | VPN instance name. | N/A | OCTET STRING | OCTET STRING (0..31) |

Recommended action

No action is required.

hh3cPKIGetCrlFailHttp

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.6 | Obtaining a CRL through HTTP failed. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated when obtaining a CRL through HTTP failed.

This notification might be generated when the following events occur:

The system time of the device is not synchronized with that of the HTTP server.

The device and the HTTP server cannot reach each other.

The CA server does not issue CRLs.

The configured URL of the CRL repository is incorrect.

Services unavailable on the HTTP server.

System impact

Certificate-related services are unavailable when the CRL expires.

Status control

ON

CLI: Use the snmp-agent trap enable pki crl-http-failure command.

MIB: Set hh3cPKIGetCrlFailHttpTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki crl-http-failure command.

MIB: Set hh3cPKIGetCrlFailHttpTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.8 (hh3cPKIDomainName) | PKI domain name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.9 (hh3cPKICrlUrl) | CRL repository URL. | N/A | OCTET STRING | OCTET STRING (0..1023) |
| 1.3.6.1.4.1.25506.2.209.1.1.10 (hh3cPKIVrfName) | VPN instance name. | N/A | OCTET STRING | OCTET STRING (0..31) |

Recommended action

To resolve this issue:

1.Use the display clock command to view whether the device is time synchronized with the HTTP server:

  - If no, use the clock datetime command in user view to synchronize the system time of the device with that of the HTTP server.

  - If yes, go to step 2.

2.Use the ping command to check whether the HTTP server is reachable:

  - If no, troubleshoot the routes and physical links, and make sure the HTTP server is reachable.

  - If yes, go to step 3.

3.Check whether the CA server issues CRLs:

  - If no, make sure the CA server supports publishing CRLs.

  - If yes, go to step 4.

4.Check whether the configured URL of the CRL repository is correct:

  - If no, use the crl url command to configure the URL of the CRL repository correctly.

  - If yes, go to step 5.

5.Check whether the services on the HTTP server are normal:

  - If no, make sure the services on the HTTP server are normal.

  - If yes, go to step 6.

6.If the issue persists, collect alarm information and configuration data, and then contact H3C Support for help.

hh3cPKIGetCrlSucLdap

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.7 | Obtaining a CRL through LDAP succeeded. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated when obtaining a CRL through LDAP succeeded.

System impact

No negative impact on services.

Status control

ON

CLI: Use the snmp-agent trap enable pki crl-ldap-success command.

MIB: Set hh3cPKIGetCrlSucLdapTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki crl-ldap-success command.

MIB: Set hh3cPKIGetCrlSucLdapTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.8 (hh3cPKIDomainName) | PKI domain name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.9 (hh3cPKICrlUrl) | CRL repository URL. | N/A | OCTET STRING | OCTET STRING (0..1023) |
| 1.3.6.1.4.1.25506.2.209.1.1.10 (hh3cPKIVrfName) | VPN instance name. | N/A | OCTET STRING | OCTET STRING (0..31) |

Recommended action

No action is required.

hh3cPKIGetCrlFailLdap

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.8 | Obtaining a CRL through LDAP failed. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated when obtaining a CRL through LDAP failed.

This notification might be generated when the following events occur:

The system time of the device is not synchronized with that of the LDAP server.

The device and the LDAP server cannot reach each other.

The CA server does not issue CRLs.

The configured URL of the CRL repository is incorrect.

The LDAP server's host name or IP address is neither contained in the CRL repository URL nor configured in the PKI domain.

Services unavailable on the LDAP server.

System impact

Certificate-related services are unavailable when the CRL expires.

Status control

ON

CLI: Use the snmp-agent trap enable pki crl-ldap-failure command.

MIB: Set hh3cPKIGetCrlFailLdapTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki crl-ldap-failure command.

MIB: Set hh3cPKIGetCrlFailLdapTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.8 (hh3cPKIDomainName) | PKI domain name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.9 (hh3cPKICrlUrl) | CRL repository URL. | N/A | OCTET STRING | OCTET STRING (0..1023) |
| 1.3.6.1.4.1.25506.2.209.1.1.10 (hh3cPKIVrfName) | VPN instance name. | N/A | OCTET STRING | OCTET STRING (0..31) |

Recommended action

To resolve this issue:

1.Use the display clock command to view whether the device is time synchronized with the LDAP server:

  - If no, use the clock datetime command in user view to synchronize the system time of the device with that of the LDAP server.

  - If yes, go to step 2.

2.Use the ping command to check whether the LDAP server is reachable:

  - If no, troubleshoot the routes and physical links, and make sure the LDAP server is reachable.

  - If yes, go to step 3.

3.Check whether the CA server issues CRLs:

  - If no, make sure the CA server supports publishing CRLs.

  - If yes, go to step 4.

4.Check whether the configured URL of the CRL repository is correct:

  - If no, use the crl url command to configure the URL of the CRL repository correctly.

  - If yes, go to step 5.

5.Check whether the LDAP server's host name or IP address is correctly configured in the PKI domain:

  - If no, use the ldap-server command to correctly configure the LDAP server's host name or IP address.

  - If yes, go to step 6.

6.Check whether the services on the LDAP server are normal:

  - If no, make sure the services on the LDAP server are normal.

  - If yes, go to step 7.

7.If the issue persists, collect alarm information and configuration data, and then contact H3C Support for help.

hh3cPKIGetCrlFailScep

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.10 | Obtaining a CRL through SCEP failed. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated when obtaining a CRL through SCEP failed.

This notification might be generated when the following events occur:

The system time of the device is not synchronized with that of the CA server.

The device and the CA server cannot reach each other.

No local certificates and key pairs are obtained before the device tries to obtain CRLs.

The certificate request reception authority is not configured or is configured incorrectly.

The source IP address for PKI protocol packets is not configured or is configured incorrectly.

Services unavailable on the CA server.

System impact

Certificate-related services are unavailable when the CRL expires.

Status control

ON

CLI: Use the snmp-agent trap enable pki crl-scep-failure command.

MIB: Set hh3cPKIGetCrlFailScepTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki crl-scep-failure command.

MIB: Set hh3cPKIGetCrlFailScepTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.8 (hh3cPKIDomainName) | PKI domain name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.10 (hh3cPKIVrfName) | VPN instance name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.11 (hh3cPKICertUrl) | URL for certificate request. | N/A | OCTET STRING | OCTET STRING (0..1023) |

Recommended action

To resolve this issue:

1.Use the display clock command to view whether the device is time synchronized with the CA server:

  - If no, use the clock datetime command in user view to synchronize the system time of the device with that of the CA server.

  - If yes, go to step 2.

2.Use the ping command to check whether the CA server is reachable:

  - If no, troubleshoot the routes and physical links, and make sure the CA server is reachable.

  - If yes, go to step 3.

3.Check whether local certificates and key pairs are obtained:

  - If no, obtain a new local certificate in online or offline mode, and obtain the corresponding key pair.

  - If yes, go to step 4.

4.Check whether the certificate request reception authority is configured and configured correctly:

  - If the certificate request reception authority is not configured or incorrect, use the certificate request from command to specify the correct certificate request reception authority.

  - If yes, go to step 5.

5.Check whether a correct source IP address for PKI protocol packets exists:

  - If no, use the source command to specify the correct source IP address that the CA server can accept. For the correct settings, contact the CA administrator.

  - If yes, go to step 6.

6.Check whether the services on the CA server are normal:

  - If no, make sure the services on the CA server are normal.

  - If yes, go to step 7.

7.If the issue persists, collect alarm information and configuration data, and then contact H3C Support for help.

hh3cPKILocalCertInvalid

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.11 | Invalid local certificate. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated when a local certificate is invalid.

This notification might be generated when the following events occur:

The system time of the device is not synchronized with that of the CA server.

Failed to verify the signature of the local certificate by using the public key of the CA certificate.

System impact

Certificate-related services are unavailable.

Status control

ON

CLI: Use the snmp-agent trap enable pki local-cert-invalid command.

MIB: Set hh3cPKILocCertInvalidTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki local-cert-invalid command.

MIB: Set hh3cPKILocCertInvalidTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.8 (hh3cPKIDomainName) | PKI domain name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.12 (hh3cPKILocalCertIssuer) | Issuer of a local certificate. | N/A | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.209.1.1.13 (hh3cPKILocalCertSubject) | Subject of the local certificate. | N/A | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.209.1.1.14 (hh3cPKILocalCertStartTime) | Time when the local certificate becomes valid. | N/A | DateAndTime | OCTET STRING (8 \| 11) |
| 1.3.6.1.4.1.25506.2.209.1.1.15 (hh3cPKILocalCertFinishTime) | Time when the local certificate expires. | N/A | DateAndTime | OCTET STRING (8 \| 11) |

Recommended action

To resolve this issue:

1.Use the display clock command to view whether the device is time synchronized with the CA server:

  - If no, use the clock datetime command in user view to synchronize the system time of the device with that of the CA server.

  - If yes, go to step 2.

2.If the issue persists, collect alarm information and configuration data, and then contact H3C Support for help.

hh3cPKILocalCertValid

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.12 | Valid local certificate. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated when a local certificate is valid.

System impact

No negative impact on services.

Status control

ON

CLI: Use the snmp-agent trap enable pki local-cert-valid command.

MIB: Set hh3cPKILocCertValidTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki local-cert-valid command.

MIB: Set hh3cPKILocCertValidTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.8 (hh3cPKIDomainName) | PKI domain name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.12 (hh3cPKILocalCertIssuer) | Issuer of a local certificate. | N/A | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.209.1.1.13 (hh3cPKILocalCertSubject) | Subject of the local certificate. | N/A | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.209.1.1.14 (hh3cPKILocalCertStartTime) | Time when the local certificate becomes valid. | N/A | DateAndTime | OCTET STRING (8 \| 11) |
| 1.3.6.1.4.1.25506.2.209.1.1.15 (hh3cPKILocalCertFinishTime) | Time when the local certificate expires. | N/A | DateAndTime | OCTET STRING (8 \| 11) |

Recommended action

No action is required.

hh3cPKIGetLocalCertSucLdap

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.13 | Obtaining a local certificate through LDAP succeeded. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated when obtaining a local certificate through LDAP succeeded.

System impact

No negative impact on services.

Status control

ON

CLI: Use the snmp-agent trap enable pki local-cert-ldap-success command.

MIB: Set hh3cPKIGetCertSucLdapTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki local-cert-ldap-success command.

MIB: Set hh3cPKIGetCertSucLdapTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.8 (hh3cPKIDomainName) | PKI domain name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.10 (hh3cPKIVrfName) | VPN instance name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.11 (hh3cPKICertUrl) | URL for certificate request. | N/A | OCTET STRING | OCTET STRING (0..1023) |
| 1.3.6.1.4.1.25506.2.209.1.1.16 (hh3cPKIEntityName) | PKI entity name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.17 (hh3cPKICertSave) | Saved certificate file name. | N/A | DisplayString | OCTET STRING (0..255) |

Recommended action

No action is required.

hh3cPKIGetLocalCertFailLdap

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.14 | Obtaining a local certificate through LDAP failed. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated when obtaining a local certificate through LDAP failed.

This notification might be generated when the following events occur:

The system time of the device is not synchronized with that of the CA server.

The device and the LDAP server cannot reach each other.

The host name or IP address of the LDAP server is not configured or is configured incorrectly in the PKI domain.

No PKI entity for certificate request is configured in the PKI domain or the PKI entity configuration is incorrect.

No key pair is specified for certificate request in the PKI domain, or the specified key pair does not match the one contained in the local certificate to be obtained.

Services unavailable on the LDAP server.

System impact

Certificate-related services are unavailable when the certificate expires.

Status control

ON

CLI: Use the snmp-agent trap enable pki local-cert-ldap-failure command.

MIB: Set hh3cPKIGetCertFailLdapTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki local-cert-ldap-failure command.

MIB: Set hh3cPKIGetCertFailLdapTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.8 (hh3cPKIDomainName) | PKI domain name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.10 (hh3cPKIVrfName) | VPN instance name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.11 (hh3cPKICertUrl) | URL for certificate request. | N/A | OCTET STRING | OCTET STRING (0..1023) |
| 1.3.6.1.4.1.25506.2.209.1.1.16 (hh3cPKIEntityName) | PKI entity name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.17 (hh3cPKICertSave) | Saved certificate file name. | N/A | DisplayString | OCTET STRING (0..255) |

Recommended action

To resolve this issue:

1.Use the display clock command to view whether the device is time synchronized with the LDAP server:

  - If no, use the clock datetime command in user view to synchronize the system time of the device with that of the LDAP server.

  - If yes, go to step 2.

2.Use the ping command to check whether the LDAP server is reachable:

  - If no, troubleshoot the routes and physical links, and make sure the LDAP server is reachable.

  - If yes, go to step 3.

3.Check whether the correct host name or IP address of the LDAP server is configured in the PKI domain:

  - If the host name is not configured or is configured incorrectly, use the ldap-server command to specify an LDAP server for the PKI domain.

  - If yes, go to step 4.

4.Check whether a correct PKI entity for certificate request is configured in the PKI domain:

  - If no PKI entity is configured or the configuration is incorrect, use the certificate request entity command to specify a PKI entity for certificate request.

  - If yes, go to step 5.

5.Check whether a correct key pair for certificate request is specified in the PKI domain:

  - If no key pair is specified or the key pair is specified incorrectly, use the public-key command to specify a key pair and make sure the key pair matches the one contained in the local certificate to be obtained.

  - If yes, go to step 6.

6.Check whether the services on the LDAP server are normal:

  - If no, make sure the services on the LDAP server are normal.

  - If yes, go to step 7.

7.If the issue persists, collect alarm information and configuration data, and then contact H3C Support for help.

hh3cPKIGetLocalCertSucScep

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.15 | Obtaining a local certificate through SCEP succeeded. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated when obtaining a local certificate through SCEP succeeded.

System impact

No negative impact on services.

Status control

ON

CLI: Use the snmp-agent trap enable pki local-cert-scep-success command.

MIB: Set hh3cPKIGetLocCeSucScepTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki local-cert-scep-success command.

MIB: Set hh3cPKIGetLocCeSucScepTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.8 (hh3cPKIDomainName) | PKI domain name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.10 (hh3cPKIVrfName) | VPN instance name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.11 (hh3cPKICertUrl) | URL for certificate request. | N/A | OCTET STRING | OCTET STRING (0..1023) |
| 1.3.6.1.4.1.25506.2.209.1.1.17 (hh3cPKICertSave) | Saved certificate file name. | N/A | DisplayString | OCTET STRING (0..255) |

Recommended action

No action is required.

hh3cPKIGetLocalCertFailScep

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.16 | Obtaining a local certificate through SCEP failed. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated when obtaining a local certificate through SCEP failed.

This notification might be generated when the following events occur:

The system time of the device is not synchronized with that of the CA server.

The device and the CA server cannot reach each other.

The key pair specified in the PKI domain does not match the one contained in the local certificate to be obtained.

The URL of the certificate request reception authority is specified incorrectly in the PKI domain.

Services unavailable on the CA server.

System impact

Certificate-related services are unavailable when the certificate expires.

Status control

ON

CLI: Use the snmp-agent trap enable pki local-cert-scep-failure command.

MIB: Set hh3cPKIGetLocCeFailScepTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki local-cert-scep-failure command.

MIB: Set hh3cPKIGetLocCeFailScepTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.8 (hh3cPKIDomainName) | PKI domain name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.10 (hh3cPKIVrfName) | VPN instance name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.11 (hh3cPKICertUrl) | URL for certificate request. | N/A | OCTET STRING | OCTET STRING (0..1023) |
| 1.3.6.1.4.1.25506.2.209.1.1.17 (hh3cPKICertSave) | Saved certificate file name. | N/A | DisplayString | OCTET STRING (0..255) |

Recommended action

To resolve this issue:

1.Use the display clock command to view whether the device is time synchronized with the CA server:

  - If no, use the clock datetime command in user view to synchronize the system time of the device with that of the CA server.

  - If yes, go to step 2.

2.Use the ping command to check whether the CA server is reachable:

  - If no, troubleshoot the routes and physical links, and make sure the CA server is reachable.

  - If yes, go to step 3.

3.Check whether a correct key pair is specified in the PKI domain:

  - If no, use the public-key command to specify a key pair and make sure the key pair matches the one contained in the local certificate to be obtained.

  - If yes, go to step 4.

4.Check whether the correct URL of the certificate request reception authority is specified in the PKI domain:

  - If no, use the certificate request url command to specify the URL of the certificate request reception authority.

  - If yes, go to step 5.

5.Check whether the services on the CA server are normal:

  - If no, make sure the services on the CA server are normal.

  - If yes, go to step 6.

6.If the issue persists, collect alarm information and configuration data, and then contact H3C Support for help.

hh3cPKILocalCertNearlyExpired

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.17 | A local certificate is about to expire. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated 30 or fewer days prior to expiration of the local certificate.

This notification might be generated when the following events occur:

The system time of the device is not synchronized with that of the CA server.

The time difference between the certificate expiration time and the current system time of the device is 30 or fewer days.

System impact

Certificate-related services are unavailable when the certificate expires.

Status control

ON

CLI: Use the snmp-agent trap enable pki local-cert-nearly-expired command.

MIB: Set hh3cPKILocCertNearExpirTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki local-cert-nearly-expired command.

MIB: Set hh3cPKILocCertNearExpirTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.8 (hh3cPKIDomainName) | PKI domain name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.12 (hh3cPKILocalCertIssuer) | Issuer of a local certificate. | N/A | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.209.1.1.13 (hh3cPKILocalCertSubject) | Subject of the local certificate. | N/A | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.209.1.1.14 (hh3cPKILocalCertStartTime) | Time when the local certificate becomes valid. | N/A | DateAndTime | OCTET STRING (8 \| 11) |
| 1.3.6.1.4.1.25506.2.209.1.1.15 (hh3cPKILocalCertFinishTime) | Time when the local certificate expires. | N/A | DateAndTime | OCTET STRING (8 \| 11) |

Recommended action

To resolve this issue:

1.Use the display clock command to view whether the device is time synchronized with the CA server:

  - If no, use the clock datetime command in user view to synchronize the system time of the device with that of the CA server.

  - If yes, go to step 2.

2.Request a new certificate in offline mode or through SCEP/LDAP in online mode.

3.If the issue persists, collect alarm information and configuration data, and then contact H3C Support for help.

hh3cPKILocalCertHasExpired

Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
| --- | --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.3.0.18 | A local certificate expired. | Informational | Warning | N/A (N/A) | OFF |

Notification triggers

This notification is generated when the validity end time of a local certificate is before the current system time of the device.

This notification might be generated when the following events occur:

The system time of the device is not synchronized with that of the CA server.

The validity end time of the local certificate is before the current system time of the device.

System impact

Certificate-related services are unavailable.

Status control

ON

CLI: Use the snmp-agent trap enable pki local-cert-has-expired command.

MIB: Set hh3cPKILocCertHasExpirTrapCntl to true(1).

OFF

CLI: Use the undo snmp-agent trap enable pki local-cert-has-expired command.

MIB: Set hh3cPKILocCertHasExpirTrapCntl to false(2).

Object

| OID (object name) | Description | Index | Type | Value range |
| --- | --- | --- | --- | --- |
| 1.3.6.1.4.1.25506.2.209.1.1.8 (hh3cPKIDomainName) | PKI domain name. | N/A | OCTET STRING | OCTET STRING (0..31) |
| 1.3.6.1.4.1.25506.2.209.1.1.12 (hh3cPKILocalCertIssuer) | Issuer of a local certificate. | N/A | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.209.1.1.13 (hh3cPKILocalCertSubject) | Subject of the local certificate. | N/A | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.209.1.1.14 (hh3cPKILocalCertStartTime) | Time when the local certificate becomes valid. | N/A | DateAndTime | OCTET STRING (8 \| 11) |
| 1.3.6.1.4.1.25506.2.209.1.1.15 (hh3cPKILocalCertFinishTime) | Time when the local certificate expires. | N/A | DateAndTime | OCTET STRING (8 \| 11) |

Recommended action

To resolve this issue:

1.Use the display clock command to view whether the device is time synchronized with the CA server:

  - If no, use the clock datetime command in user view to synchronize the system time of the device with that of the CA server.

  - If yes, go to step 2.

2.Request a new certificate in offline mode or through SCEP/LDAP in online mode.

3.If the issue persists, collect alarm information and configuration data, and then contact H3C Support for help.
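
Added example (not part of the H3C documentation): hh3cPKILocalCertNearlyExpired and hh3cPKILocalCertHasExpired both list an unsynchronized device clock as a possible cause and both carry hh3cPKILocalCertFinishTime as a DateAndTime value of 8 or 11 octets. The Python code below decodes that value and re-checks the alarm against the trap receiver's own clock to choose between step 1 and step 2 of the procedures above. Assumptions: the receiver's clock is trusted, varbinds arrive as an OID-to-bytes mapping that may carry an instance suffix, and an 8-octet value is treated as UTC; the sample trap, the domain name and the verdict strings are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# OIDs copied from this page.
NOTIF_NEARLY_EXPIRED = "1.3.6.1.4.1.25506.2.209.1.3.0.17"  # hh3cPKILocalCertNearlyExpired
NOTIF_HAS_EXPIRED = "1.3.6.1.4.1.25506.2.209.1.3.0.18"     # hh3cPKILocalCertHasExpired
OID_DOMAIN_NAME = "1.3.6.1.4.1.25506.2.209.1.1.8"          # hh3cPKIDomainName
OID_FINISH_TIME = "1.3.6.1.4.1.25506.2.209.1.1.15"         # hh3cPKILocalCertFinishTime
NEARLY_EXPIRED_WINDOW = timedelta(days=30)                 # "30 or fewer days"


def decode_date_and_time(raw: bytes) -> datetime:
    """Decode an SNMPv2-TC DateAndTime value (OCTET STRING of 8 or 11 octets)."""
    if len(raw) not in (8, 11):
        raise ValueError(f"DateAndTime must be 8 or 11 octets, got {len(raw)}")
    year, month, day, hour, minute, second, deci = struct.unpack(">HBBBBBB", raw[:8])
    tz = timezone.utc  # assumption: the 8-octet form carries no zone, treat it as UTC
    if len(raw) == 11:
        sign = raw[8:9]  # ASCII '+' or '-' (direction from UTC)
        if sign not in (b"+", b"-"):
            raise ValueError("DateAndTime direction octet must be '+' or '-'")
        offset = timedelta(hours=raw[9], minutes=raw[10])
        tz = timezone(offset if sign == b"+" else -offset)
    # The seconds field may be 60 for a leap second; datetime cannot hold that, so clamp.
    return datetime(year, month, day, hour, minute, min(second, 59),
                    min(deci, 9) * 100_000, tzinfo=tz)


def find_varbind(varbinds: dict, base_oid: str) -> bytes:
    """Return the value bound to base_oid or to an instance beneath it (such as '.0')."""
    for oid, value in varbinds.items():
        if oid == base_oid or oid.startswith(base_oid + "."):
            return value
    raise KeyError(base_oid)


def assess_expiry_trap(notif_oid: str, varbinds: dict, receiver_now: datetime) -> dict:
    """Re-evaluate an expiry trap using the receiver's (timezone-aware) clock.

    'renew-certificate' means the receiver agrees with the device, so the
    certificate should be requested again. 'check-device-clock' means only
    the device thinks the certificate is (nearly) expired, which points at
    the time synchronization cause listed first for both notifications.
    """
    finish = decode_date_and_time(find_varbind(varbinds, OID_FINISH_TIME))
    domain = find_varbind(varbinds, OID_DOMAIN_NAME).decode("ascii", "replace")
    remaining = finish - receiver_now
    if notif_oid == NOTIF_HAS_EXPIRED:
        confirmed = remaining <= timedelta(0)
    elif notif_oid == NOTIF_NEARLY_EXPIRED:
        confirmed = remaining <= NEARLY_EXPIRED_WINDOW
    else:
        raise ValueError(f"not a local certificate expiry notification: {notif_oid}")
    return {
        "domain": domain,
        "finish": finish,
        "remaining_days": remaining.days,
        "verdict": "renew-certificate" if confirmed else "check-device-clock",
    }


# Constructed sample trap payload: PKI domain "branch-pki", local certificate
# expiring 2025-03-01 00:00:00 at UTC+08:00 (11-octet DateAndTime).
SAMPLE_VARBINDS = {
    OID_DOMAIN_NAME + ".0": b"branch-pki",
    OID_FINISH_TIME + ".0": struct.pack(">HBBBBBB", 2025, 3, 1, 0, 0, 0, 0) + b"+\x08\x00",
}

if __name__ == "__main__":
    for now in (datetime(2025, 2, 10, tzinfo=timezone.utc),
                datetime(2024, 12, 1, tzinfo=timezone.utc)):
        result = assess_expiry_trap(NOTIF_NEARLY_EXPIRED, SAMPLE_VARBINDS, now)
        print(now.date(), result["domain"], result["remaining_days"], result["verdict"])
```
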

 
