
Downloading a CA Certificate for a PKI Entity

Context

Several methods are available to download a CA certificate, depending on the service types provided by the CA:

  • Download the CA certificate from the CA server through SCEP into the device storage.

  • Download the CA certificate from the web server to the device storage through HTTP.

  • Download the CA certificate from the server where the certificate is stored to the device storage through LDAP.

  • Download the CA certificate from the CMPv2 server through CMPv2 into the device storage.

  • Obtain the CA certificate out of band (from a web page, a disk, or email) and then upload it to the device storage.

If a PKI entity applies for a local certificate through CMPv2, the CA server's root certificate is downloaded as part of that application, so no separate download step is required.

Procedure

  • Download a CA certificate through SCEP.
    1. Run system-view

      The system view is displayed.

    2. Run pki file-format { der | pem }

      The file format in which the device stores the certificate is configured.

      By default, the device stores the certificate into a PEM file.

    3. Run pki realm realm-name

      A PKI realm is created and the PKI realm view is displayed; or the PKI realm view is displayed directly.

      By default, there is a PKI realm named default in the root system, and this realm can be modified but cannot be deleted; no PKI realm is created in a virtual system.

    4. Run ca id ca-name

      A trusted CA is configured for the PKI realm.

      By default, no trusted CA is configured for a PKI realm.

    5. Run entity entity-name

      A PKI entity that applies for a local certificate is specified.

      By default, no PKI entity that applies for a local certificate is specified.

    6. Run rsa local-key-pair key-name

      The RSA key pair used in SCEP-based certificate application is configured.

      By default, the RSA key pair used in SCEP-based certificate application is not configured.

    7. Run enrollment-url [ esc ] url [ interval minutes ] [ times count ] [ ra ]

      A CA server uniform resource locator (URL) is configured.

      By default, the CA server URL is not configured.

      Pay attention to the following points:

      • If the esc parameter is not specified in the command, the URL format is http://server_location/ca_script_location.

        server_location is an IP address or a domain name. ca_script_location is the path of the CA server's enrollment script. For example, when a Windows server functions as the CA server, the URL format is http://host:port/certsrv/mscep/mscep.dll, where host is the CA server's IP address and port is its port number. If the CA server's IP address is 10.137.145.158 and its port number is 8080, the URL is http://10.137.145.158:8080/certsrv/mscep/mscep.dll.

      • If the esc parameter is specified, the URL that contains a question mark (?) can be entered in ASCII format.

        A question mark (?) cannot be typed directly on the device command line because it is the online help key. The esc parameter allows a URL that contains a question mark to be entered with the character written in ASCII escape form, \x3f, where 3f is the hexadecimal ASCII value of the question mark. For example, to enter http://***.com?page1, type http://***.com\x3fpage1. To enter a URL that contains both a question mark and a literal \x3f (http://www.***.com?page1\x3f), write the literal \x3f as \\x3f, that is, http://www.***.com\x3fpage1\\x3f.

      • If certificate requests are processed manually on the CA server, issuance may take a long time. The PKI entity applying for the certificate must poll the server periodically to obtain the issued certificate. To adjust the polling interval and the maximum number of polls, configure interval and times.

      • If the ra parameter is specified, an RA authenticates a PKI entity's identity information during local certificate application. By default, a CA authenticates a PKI entity's identity information during local certificate application.

    8. Run fingerprint { md5 | sha1 | sha256 } fingerprint

      The CA certificate fingerprint used in CA certificate authentication is configured.

      By default, the CA certificate fingerprint used in CA certificate authentication is not configured.

      The fingerprint must be obtained from the CA server out of band. For example, when Windows Server 2008 functions as the CA server, open http://host:port/certsrv/mscep_admin/ to read the CA certificate fingerprint; host is the CA server's IP address and port is its port number. The SCEP response that carries the CA certificate is not itself authenticated, so this fingerprint comparison is the only check that prevents the device from trusting a certificate served by a spoofed CA. Transfer the fingerprint over a channel you trust and compare the full value; prefer sha256, because MD5 and SHA-1 fingerprints are weaker against collision attacks.

    9. Run quit

      Return to the system view.

    10. Run pki get-certificate ca realm realm-name

      A CA certificate is downloaded to the device storage.

  • Download a CA certificate through the Hypertext Transfer Protocol (HTTP).
    1. Run system-view

      The system view is displayed.

    2. Run pki http [ esc ] url-address save-name

      A CA certificate is downloaded through HTTP.

      url-address must include the complete certificate file name and extension, for example, http://10.1.1.1:8080/cert.cer. If url-address specifies a domain name, ensure that the name can be resolved. HTTP provides no integrity protection for the download, so compare the fingerprint of the saved file with a value obtained out of band before you configure the certificate as a trusted CA.

  • Download a CA certificate through the Lightweight Directory Access Protocol (LDAP).
    1. Run system-view

      The system view is displayed.

    2. Run pki ldap ip ip-address port port version version [ attribute attr-value ] [ authentication ldap-dn ldap-password ] save-name dn dn-value

      A CA certificate is downloaded through LDAP.

  • Download a CA certificate through CMPv2.

    For how to download a CA certificate through CMPv2, see Applying for and Updating the Local Certificate Through CMPv2.

  • Download a CA certificate out of band.

    After you obtain a CA certificate out of band (from a web page, a disk, or email), upload it manually to the device storage. You can also download the CA certificate to the administrator's PC and then upload it to the device storage through FTP, SFTP, or the web system; SFTP protects the file in transit, whereas FTP does not. Whichever path the file takes, verify its fingerprint against a value obtained from the CA before the device trusts it.
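The fingerprint check in the SCEP procedure, and the same check recommended for certificates fetched through HTTP or out of band, can be reproduced on the administrator's PC before the file is uploaded. The following Python script is an added example and is not part of the Huawei documentation or device software: it computes the md5, sha1, or sha256 fingerprint over the DER encoding (a PEM file is base64-decoded first, because hashing the PEM text gives a different value), compares it to an out-of-band fingerprint in constant time, and also implements the \x3f encoding rule for the enrollment-url esc form. The function names and the sample certificate bytes are this example's own assumptions; the sample is a constructed DER placeholder, not a real CA certificate.

```python
"""Added example: CA certificate fingerprint verification and enrollment-url
esc encoding. Not from the Huawei documentation; names are assumptions."""
import base64
import hashlib
import hmac
import re

_ALGOS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}

# Constructed placeholder: a DER SEQUENCE { INTEGER 1, INTEGER 2 }, used only
# so the example runs offline. A real certificate would be loaded from a file.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def pem_to_der(data: bytes) -> bytes:
    """Return DER bytes from either a DER blob or a PEM-encoded certificate.

    Fingerprints are defined over the DER encoding, so PEM input is decoded
    first; hashing the PEM text itself would never match the CA's fingerprint.
    """
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  data, re.S)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    if data[:1] != b"\x30":  # a DER certificate is an ASN.1 SEQUENCE (tag 0x30)
        raise ValueError("data is neither PEM nor DER")
    return data


def normalize_fingerprint(fp: str) -> str:
    """Accept '12:AB:..', '12 AB ..' or '12ab..' and return lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def ca_fingerprint(cert: bytes, algo: str) -> str:
    """Hex fingerprint of the certificate's DER encoding with the given algorithm."""
    if algo not in _ALGOS:
        raise ValueError(f"unsupported algorithm {algo!r}; use md5, sha1 or sha256")
    return _ALGOS[algo](pem_to_der(cert)).hexdigest()


def verify_ca_fingerprint(cert: bytes, algo: str, expected: str) -> bool:
    """True only if the full fingerprint equals the out-of-band value.

    compare_digest avoids a timing side channel; the length check rejects a
    truncated or mistyped expected value instead of partially matching it.
    """
    got = ca_fingerprint(cert, algo)
    want = normalize_fingerprint(expected)
    if len(want) != len(got):
        return False
    return hmac.compare_digest(got, want)


def escape_enrollment_url(url: str) -> str:
    """Encode a URL for `enrollment-url esc`: '?' becomes \\x3f and a literal
    \\x3f becomes \\\\x3f, following the rule given for the esc parameter."""
    out = []
    i = 0
    while i < len(url):
        if url.startswith("\\x3f", i):   # literal backslash-x-3-f in the URL
            out.append("\\\\x3f")
            i += 4
        elif url[i] == "?":
            out.append("\\x3f")
            i += 1
        else:
            out.append(url[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    fp = ca_fingerprint(SAMPLE_DER, "sha256")
    print("sha256 fingerprint of the sample:", fp)
    print("PEM and DER give the same fingerprint:",
          ca_fingerprint(SAMPLE_PEM, "sha256") == fp)
    print("verify with colon-separated uppercase form:",
          verify_ca_fingerprint(SAMPLE_PEM, "sha256",
                                ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()))
    print(escape_enrollment_url("http://www.***.com?page1\\x3f"))
```

To use it on a real download, replace SAMPLE_DER with the bytes of the saved .cer or .pem file and pass the fingerprint shown by the CA (for example, from the mscep_admin page) as expected. A mismatch means the file must not be configured as the trusted CA.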

Copyright © Huawei Technologies Co., Ltd.