< Home

certificate auto-update enable

Function

The certificate auto-update enable command enables CMPv2-based automatic certificate update.

The undo certificate auto-update enable command disables CMPv2-based automatic certificate update.

By default, the CMPv2-based automatic certificate update is disabled.

Format

certificate auto-update enable

undo certificate auto-update enable

Parameters

None

Views

CMP session view

Default Level

2: Configuration level

Usage Guidelines

If a certificate obtained through CMPv2 is about to expire, run this command to enable CMPv2-based automatic certificate update to ensure certificate validity. After the command is executed, the system performs checks (for example, referenced PKI entity, URL for the CMPv2 server, RSA key pair for CMPv2-based certificate application). The configuration is successful only when the conditions are met. After this command is configured, the system checks configurations. If conditions are met, configurations succeed. Check items are as follows.

Check Item

Configuration Command

The PKI entity has been referenced.

cmp-request entity

The CA certificate name has been configured.

ca-name

The URL of the CMPv2 server has been configured.

cmp-request server url

The certificate has been configured.

cmp-request authentication-cert

pki import-certificate

The RSA key pair used to apply for a certificate in CMPv2 mode has been configured.

cmp-request rsa local-key-pair

When the system detects that the remaining validity period of the local certificate has reached the value specified in certificate update expire-time, the system automatically initiates the certificate update request and decides whether to create an RSA key pair based on the cmp-request rsa local-key-pair configuration. After the new certificate is obtained, the system replaces the previous certificate and RSA key pair with the new ones. The replacement files include the files in device storage, certificate in memory, and configuration used in IKE negotiation.

In dual-node hot standby scenarios, no certificate can be applied for the backup node.

Example

# Enable CMPv2-based automatic certificate update.

<sysname> system-view
[sysname] pki cmp session test
[sysname-pki-cmp-session-test] certificate auto-update enable
Parent Topic: PKI Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >