
certificate load

Function

The certificate load command loads a certificate to a Secure Sockets Layer (SSL) policy.

The undo certificate load command unloads a certificate from an SSL policy.

By default, no certificates are loaded to SSL policies.

Format

# Load a PEM certificate to an SSL policy.

certificate load pem-cert cert-filename key-pair { rsa | dsa } key-file key-filename auth-code cipher auth-code

# Load a PFX certificate to an SSL policy.

certificate load pfx-cert cert-filename key-pair { rsa | dsa } { key-file key-filename | mac cipher mac-code } auth-code cipher auth-code

# Load a PEM certificate chain to an SSL policy.

certificate load pem-chain cert-filename key-pair { rsa | dsa } key-file key-filename auth-code cipher auth-code

# Unload a certificate from an SSL policy.

undo certificate load

Parameters

Parameter: pem-cert
Description: Loads a PEM certificate to an SSL policy.
The PEM format is most commonly used. The file name extension of a PEM digital certificate is .pem.
The PEM format is applicable to text files transmitted between systems.
Value: -

Parameter: cert-filename
Description: Specifies the name of a certificate file.
This file must be saved in the security sub-directory of the system directory.
Value: The value is a string of 1 to 63 characters.
The specified file name must be consistent with the name of the uploaded file.

Parameter: key-pair
Description: Indicates the key pair type.
Value: The value can be dsa or rsa.
NOTE: To improve security, you are advised not to use RSA as the key pair type.

Parameter: dsa
Description: Sets the key pair type to Digital Signature Algorithm (DSA).
Value: -

Parameter: rsa
Description: Sets the key pair type to Rivest-Shamir-Adleman Algorithm (RSA).
Value: -

Parameter: key-file key-filename
Description: Specifies the name of a key pair file.
This file must be saved in the security sub-directory of the system directory.
Value: The value is a string of 1 to 63 characters.
The specified file name must be consistent with the name of the uploaded file.

Parameter: auth-code cipher auth-code
Description: Specifies the authentication code of the key pair file.
The authentication code is used for identity authentication, ensuring that only authorized users can log in to a server.
Value: The value is a string of 1 to 31, 48 or 68 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.
  • A simple password is a string of 1 to 31 characters.
  • A ciphertext password is a string of 48 or 68 characters. A ciphertext password with a length of 32 or 56 characters is also supported.

Parameter: pfx-cert
Description: Loads a PFX certificate to an SSL policy.
The PFX format is a universal digital certificate format. The file name extension of a PFX digital certificate is .pfx.
The PFX format is a binary format that can be converted into the PEM or ASN1 format.
Value: -

Parameter: mac cipher mac-code
Description: Specifies a message authentication code (MAC).
A MAC is used to ensure message integrity, preventing the contents of a message from being tampered with.
Value: The value is a string of 1 to 31, 48 or 68 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.
  • A simple password is a string of 1 to 31 characters.
  • A ciphertext password is a string of 48 or 68 characters. A ciphertext password with a length of 32 or 56 characters is also supported.

Parameter: pem-chain
Description: Loads a PEM certificate chain.
Value: -

Views

SSL policy view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

SSL provides the following security mechanisms:
  • Data transmission privacy: Data to be transmitted is encrypted using symmetric cryptography.
  • Message integrity: A MAC algorithm is used to verify message integrity during data transmission.
  • Identity authentication: Digitally signed certificates are used for identity authentication.

A digital certificate in the PEM or PFX format is issued by a Certificate Authority (CA). The digital certificate describes the identity of a digital user, helping establish a trusted relationship with the peer to meet high security requirements.

The digital certificate includes information such as the name of the person or organization that applied for the certificate, the public key, the digital signature of the CA that issued the certificate, and the validity period of the certificate. A CA can issue a certificate chain along with a digital certificate. After receiving a certificate chain, the receiver owns all the certificates on the chain.

Prerequisites

The ssl policy command has been used in the system view to create an SSL policy.

Precautions

Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate chain.

For security purposes, it is recommended that you delete the key file after certificate loading is complete. Deleting a certificate or certificate chain that has been loaded is not recommended.
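An added pre-flight check, written for this page and not part of the device software, that verifies the uploaded files match the keyword they will be loaded with: pem-cert expects exactly one certificate block, pem-chain expects two or more, the key file must be passphrase-protected so that the auth-code actually guards it and its legacy PEM label must agree with the key-pair keyword, and file names must be 1 to 63 characters. The PEM contents below are constructed placeholders (base64 of dummy bytes), not real certificates or key material.

```python
import base64
import re
# One PEM block: label, optional "Name: value" header lines, then the base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, header_lines, der_bytes)]; strict base64 so corruption fails here."""
    out = []
    for label, body in PEM_BLOCK.findall(text):
        lines = body.splitlines()
        headers = [ln for ln in lines if ":" in ln]          # e.g. Proc-Type, DEK-Info
        b64 = "".join(ln for ln in lines if ln and ":" not in ln)
        out.append((label, headers, base64.b64decode(b64, validate=True)))
    return out

def check_filename(name):
    return 1 <= len(name) <= 63  # cert-filename and key-filename: 1 to 63 characters

def check_cert_file(text, mode):
    """'pem-cert' needs exactly one CERTIFICATE block, 'pem-chain' needs two or more."""
    labels = [blk[0] for blk in pem_blocks(text)]
    if not labels or any(lbl != "CERTIFICATE" for lbl in labels):
        return False, "file must contain only CERTIFICATE blocks"
    if mode == "pem-cert" and len(labels) != 1:
        return False, "pem-cert expects exactly 1 certificate, found %d" % len(labels)
    if mode == "pem-chain" and len(labels) < 2:
        return False, "pem-chain expects 2 or more certificates, found %d" % len(labels)
    return True, "%d certificate(s)" % len(labels)

def check_key_file(text, key_pair):
    """Key must be passphrase-protected (that is what auth-code unlocks) and match key-pair."""
    blocks = pem_blocks(text)
    if len(blocks) != 1:
        return False, "key file must hold exactly one key block"
    label, headers, _ = blocks[0]
    encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
        h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
    if not encrypted:
        return False, "key is not encrypted, so the auth-code would protect nothing"
    # Legacy labels name the algorithm; PKCS#8 ("ENCRYPTED PRIVATE KEY") hides it until decrypted.
    if label.startswith(("RSA", "DSA")) and not label.startswith(key_pair.upper()):
        return False, "key-pair %s does not match %s" % (key_pair, label)
    return True, label

# Constructed sample files: base64 of placeholder bytes, not real X.509 or key material.
_FAKE = base64.b64encode(b"placeholder DER bytes, constructed for this example").decode()
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % _FAKE
SAMPLE_CHAIN = SAMPLE_CERT * 2
SAMPLE_KEY = ("-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,"
              "00112233445566778899AABBCCDDEEFF\n\n%s\n-----END DSA PRIVATE KEY-----\n" % _FAKE)
```

Run the checks against the files before copying them to the security directory; a key file that is rejected as unencrypted should be re-exported with a passphrase, which then becomes the auth-code given on the command line.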

Example

# Load a PEM certificate to an SSL policy.

<sysname> system-view
[sysname] ssl policy ftp_server
[sysname-ssl-policy-ftp_server] certificate load pem-cert servercert.pem key-pair dsa key-file serverkey.pem auth-code cipher Hello@123

# Load a PFX certificate to an SSL policy.

<sysname> system-view
[sysname] ssl policy ftp_server
[sysname-ssl-policy-ftp_server] certificate load pfx-cert servercert.pfx key-pair rsa key-file serverkey.pfx auth-code cipher Hello@123

# Load a PEM certificate chain to an SSL policy.

<sysname> system-view
[sysname] ssl policy ftp_server
[sysname-ssl-policy-ftp_server] certificate load pem-chain chain-servercert.pem key-pair rsa key-file chain-servercertkey.pem auth-code cipher Hello@123
Copyright © Huawei Technologies Co., Ltd.