
Installing a CA Certificate for a PKI Entity

Context

A downloaded CA certificate takes effect only after it is imported into the device memory. The device stores the imported certificate in the ca_config.ini file in the default directory and loads it automatically after a restart.

Before importing a certificate or key pair, ensure that it is stored in the expected directory: the public directory of the root system, or the vsys directory of a virtual system. For example, to change to the public directory of the root system:
<sysname> cd pki
<sysname> cd public/

To prevent a failure to install the CA certificate, ensure that the CA certificate file size does not exceed 1 MB.

By default, the preset CA certificate is imported into the default domain, so no other CA certificate can be imported into the default domain; doing so would invalidate the preset CA certificate.

In dual-node hot standby scenarios, the master node backs up certificates to the backup node. The backup node does not support importing certificates into its memory itself.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki import-certificate ca [ [ realm realm-name ] { der | pkcs12 | pem } ] filename filename [ no-check-validate ] [ no-check-hash-alg ]

    Or run pki import-certificate ca realm realm-name { der | pkcs12 | pem } filename filename replace [ no-check-validate ] [ no-check-hash-alg ]

    The CA certificate is imported into the device memory. The form with the replace keyword replaces the CA certificate already associated with the realm. The der, pkcs12 and pem keywords must match the encoding of the file being imported.

  3. (Optional) Run pki set-certificate expire-prewarning day

    The expiry prewarning time of the CA certificate in the device memory is configured.

    The default expiry prewarning time of the CA certificate in the device memory is 7 days.
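Before the import in step 2 is run, it is worth confirming on the administrator's workstation that the file is what the device expects. The script below is an added example, not Huawei tooling and not code from this page. It checks the constraints stated above: the 1 MB size limit, which encoding keyword (pem or der) to use on the device (PKCS#12 is left to openssl pkcs12 because it may be passphrase-protected), that basicConstraints marks the certificate as a CA, that the signature hash is not MD2/MD5/SHA-1 (judging by its name, the kind of check that no-check-hash-alg would bypass), and that the certificate has not expired (likewise no-check-validate), with a warning when expiry falls inside the prewarning window, defaulting to the 7 days of step 3. It also prints the SHA-256 fingerprint so the trust anchor can be compared against the CA operator's published value before the device is told to trust it. The function name pki_precheck_ca, the realm name in the usage comment, and the need for openssl on the workstation are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for a CA certificate file before it is copied to the
# device's pki/public (or vsys) directory and imported with
# "pki import-certificate ca". Added example, not Huawei tooling; it runs on
# the administrator's workstation and needs only POSIX sh and openssl.
#
# pki_precheck_ca FILE [PREWARN_DAYS]
#   stdout: the encoding keyword to use on the device (pem or der)
#   exit status 0 if the file looks importable, 1 otherwise
pki_precheck_ca() {
    f="$1"
    prewarn="${2:-7}"          # matches the device default of 7 days
    command -v openssl >/dev/null 2>&1 || { echo "ERR: openssl not found" >&2; return 1; }
    [ -r "$f" ] || { echo "ERR: cannot read $f" >&2; return 1; }

    # The device refuses CA certificate files larger than 1 MB.
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -le 1048576 ] || { echo "ERR: $f is $size bytes (> 1 MB)" >&2; return 1; }

    # Pick the keyword for the import command from the file encoding.
    # PKCS#12 is also DER-encoded; it is left to "openssl pkcs12 -info"
    # because it may need a passphrase.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        fmt=pem; inform=PEM
    elif openssl x509 -inform DER -in "$f" -noout >/dev/null 2>&1; then
        fmt=der; inform=DER
    else
        echo "ERR: $f is neither PEM nor DER X.509 (PKCS#12? check with openssl pkcs12 -info)" >&2
        return 1
    fi

    text=$(openssl x509 -inform "$inform" -in "$f" -noout -text) || return 1

    # A trust anchor must be a CA certificate, not an end-entity certificate.
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || {
        echo "ERR: basicConstraints is not CA:TRUE; not a CA certificate" >&2; return 1; }

    # Weak signature hashes are what no-check-hash-alg would wave through;
    # flag them here instead of overriding the check on the device.
    sigalg=$(printf '%s\n' "$text" | grep -m1 'Signature Algorithm:' | awk '{print $3}' | tr 'A-Z' 'a-z')
    case "$sigalg" in
        *md2*|*md5*|*sha1*) echo "ERR: weak signature hash: $sigalg" >&2; return 1 ;;
    esac

    # An expired CA certificate is what no-check-validate would wave through.
    openssl x509 -inform "$inform" -in "$f" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "ERR: certificate has expired" >&2; return 1; }
    openssl x509 -inform "$inform" -in "$f" -noout -checkend $((prewarn * 86400)) >/dev/null 2>&1 ||
        echo "WARN: certificate expires within $prewarn days" >&2

    # Fingerprint for out-of-band comparison with the CA operator's published value.
    openssl x509 -inform "$inform" -in "$f" -noout -fingerprint -sha256 >&2
    echo "$fmt"
}

# Usage (assumed file name ca_root.pem and realm name corp, from the page's syntax):
#   workstation:  fmt=$(pki_precheck_ca ca_root.pem) && sftp <device>   # put ca_root.pem
#   device:       system-view
#                 pki import-certificate ca realm corp pem filename ca_root.pem
```

Leave no-check-validate and no-check-hash-alg off the import command unless the script above has already told you why the device would otherwise refuse the file and that reason is acceptable.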

Follow-up Procedure

  • To copy a CA certificate to another device, run the pki export-certificate ca realm realm-name { pem | pkcs12 } command. The CA certificate is exported to the device storage, from which it can be retrieved over FTP or SFTP. Prefer SFTP: FTP carries credentials and the file in cleartext and gives no integrity protection.

  • To copy a default built-in CA certificate to another device, run the pki export-certificate default ca filename filename command. The default built-in CA certificate is exported to the device storage and can then be retrieved in the same way.

  • If a CA certificate has expired or is no longer needed, run the pki delete-certificate ca { realm realm-name | filename file-name } command to delete it from the device memory.

Copyright © Huawei Technologies Co., Ltd.