
Digital Certificate Management

Overview

Digital certificates are used to secure communication between services on a device and between the device and external devices, by preventing communication data from being tampered with during transmission, improving system security.

A device supports certification authority (CA) certificates and device certificates.

  • CA certificate

    It is also called the root certificate. When an attempt is made to access the device, the CA certificate is used to verify whether the device certificate presented was issued by that root certificate.

  • Device certificate
    • It is also called a local certificate and is a public key file. It comes in a pair with a private key file. The device certificate is issued by the root certificate and is usually used to encrypt sessions or data so that requests to access a service are protected.
    • A private key file must be used together with a device certificate. It is used to decrypt data that was encrypted with the public key contained in the device certificate.
    • A private-key password is used to encrypt the private key file.

Table 1 lists the preset digital certificates provided by a device. If a new certificate needs to be configured based on service requirements, you can run commands to configure and update the certificate.

Using the default certificate may pose risks. To improve system security, you are advised to replace the preset certificates with your own digital certificates and periodically update the certificates and keys.

Table 1 Preset digital certificates

Certificate name: default_ca
Certificate file name: CA certificate, default_ca.cer
Certificate function: Used to verify the identities of peer Huawei devices.
Description:
  The preset CA certificate is stored in nonvolatile random access memory (NVRAM) on a device before the device is shipped. To use the preset CA certificate, run the pki import-certificate default_ca realm default command to load the certificate to the default realm.
  After the preset CA certificate is deleted using the pki delete-certificate ca filename default_ca.cer command, you can import another CA certificate to the default realm. An imported certificate cannot be named default_ca.cer, because that name is reserved by the system for the preset CA certificate.

Certificate name: default_local
Certificate file name: Device certificate, default_local.cer
Certificate function: Used to verify the identity of a local device.
Description:
  You can determine whether to use this certificate for identity verification based on service requirements.
  The preset local certificate can be deleted. After the preset local certificate is deleted using the pki delete-certificate local filename default_local.cer command, you can import another local certificate into the default realm. However, default_local.cer is the preset local certificate name reserved by the system, and the imported certificate cannot be named default_local.cer.

You can upload or update certificates used for external communication in the following scenarios:

  • If both communication parties need to use digital certificates for identity verification, you can run commands to upload the digital certificates.

  • You can run commands to update digital certificates in the following scenarios:

    • For the sake of device security, the preset certificates of the device need to be replaced.

    • During routine maintenance, an existing digital certificate is considered insecure and needs to be replaced.

    • The system reports the hwPKICACertNearlyExpired or hwPKILocalCertNearlyExpired alarm, or the hwPKICACertInvalid or hwPKILocalCertInvalid alarm. The NearlyExpired alarms are generated when the number of remaining days of a certificate falls below the number of certificate expiration reminding days (configured using the pki set-certificate expire-prewarning command); the Invalid alarms are generated when a certificate has expired.

    • Before an upgrade, you must replace the preset certificates. If the certificates are not replaced, service modules may fail to communicate with each other or with external systems after the upgrade.

Impact on the System

None

Pre-configuration Tasks

  • Before uploading or updating a CA certificate, you have obtained the CA certificate, for example, ca.crt.

  • Before uploading or updating a device certificate, you have obtained the device certificate (for example, certfile.cer), private key file (for example, ca.key), and private-key password.

Procedure

  1. Upload the obtained certificates and private key file into the flash:/pki/public directory.
  2. Enter the system view.

    system-view

  3. Import the CA certificate into memory on the device.

    pki import-certificate ca [ [ realm realm-name ] { der | pkcs12 | pem } ] filename file-name [ replace ] [ no-check-validate ] [ no-check-hash-alg ]

  4. Import the local certificate into memory on the device.
    • When applying for a local certificate from the CA based on the PKI entity information and RSA key pair created in the local PKI entity, you only need to run the following command to import the local certificate into memory on the device. The RSA key pair is already imported into memory by default when it is created.
      pki import-certificate local [ [ realm realm-name ] { der | pkcs12 | pem } ] filename file-name [ replace ] [ no-check-validate ] [ no-check-hash-alg ]
    • If you need to use the certificate and key pair of another PKI entity, you have to import both the certificate and the key pair file. A key pair file can either be included in a certificate file or exist independently of the certificate file. Select the import method accordingly:

      Operation: Import both a certificate and a key pair file.
      Command: pki import rsa-key-pair keyname { pem | pkcs12 } file-name [ exportable ] [ password password ]
      Description: If a certificate file contains a key pair file, you can run this command to import both the certificate and the key pair file.

      Operation: Import a certificate file.
      Command: pki import-certificate local [ [ realm realm-name ] { der | pkcs12 | pem } ] filename file-name [ no-check-validate ] [ no-check-hash-alg ]
      Operation: Import a key pair file.
      Command: pki import rsa-key-pair keyname exclude-cert { pem | pkcs12 } file-name [ exportable ] [ password password ]
      Description: If the certificate file and key pair file exist independently, run these two commands to import the certificate file and the key pair file respectively.

    If no certificate format is specified, the system automatically identifies the certificate format and imports the specified certificate.

  5. Import the local certificate into memory on the device.

    If you need to use the certificate and key pair of another PKI entity, you have to import both the certificate and the key pair file. A key pair file can either be included in a certificate file or exist independently of the certificate file. Select the import method accordingly:

    Operation: Import both a certificate and a key pair file.
    Command: pki import rsa-key-pair keyname { pem | pkcs12 } file-name [ exportable ] [ password password ]
    Description: If a certificate file contains a key pair file, you can run this command to import both the certificate and the key pair file.

    Operation: Import a certificate file.
    Command: pki import-certificate local [ [ realm realm-name ] { der | pkcs12 | pem } ] filename file-name [ no-check-same-name | [ no-check-validate ] [ no-check-hash-alg ] ]
    Operation: Import a key pair file.
    Command: pki import rsa-key-pair keyname exclude-cert { pem | pkcs12 } file-name [ exportable ] [ password password ]
    Description: If the certificate file and key pair file exist separately, run these two commands to import the certificate file and the key pair file respectively.

    If no certificate format is specified, the system automatically identifies the certificate format and imports the specified certificate.

  6. After the certificate is imported, you need to specify the imported certificate when configuring services that require certificate authentication. For example, if the RESTCONF client is configured to log in to the device through HTTPS, you need to configure the certificate sent by the device to the client.

    api
    security server-certificate file-name

    The client needs to import the CA certificate to the browser. (Specific operations vary between browsers). If the CA certificate is not imported to the browser, the client can still log in to the device through HTTPS. In this case, the client cannot verify the validity of the server's certificate and is vulnerable to attacks.
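As an added example (not Huawei's code and not a command from this page), the following Go program performs, before the files are uploaded in step 1, the three checks the procedure and the expiry alarms above depend on: the device certificate chains to the CA certificate that will sit in the realm, the private key file pairs with the certificate, and the remaining validity is compared with the expire-prewarning threshold. The CA, the device certificate, the key file and the threshold value are constructed inside the program for the example; Go's standard crypto/x509 library does the verification.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// PreImportCheck mirrors what the device checks at import: the local certificate chains to the realm's CA
// certificate, the private key file pairs with it, and the days left are compared with prewarnDays
// (the value set with pki set-certificate expire-prewarning). A non-nil err means do not import the bundle.
func PreImportCheck(caPEM, certPEM, keyPEM []byte, prewarnDays int, now time.Time) (int, bool, error) {
	roots := x509.NewCertPool()
	cb, _ := pem.Decode(certPEM)
	kb, _ := pem.Decode(keyPEM)
	if !roots.AppendCertsFromPEM(caPEM) || cb == nil || kb == nil {
		return 0, false, errors.New("CA, certificate or key file is not PEM")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err == nil { // chain check: rejects a certificate not issued by this CA or not valid at "now"
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	}
	if err != nil {
		return 0, false, err
	}
	key, err := x509.ParsePKCS1PrivateKey(kb.Bytes) // pairing check: the key file must belong to the cert
	if err != nil || !key.PublicKey.Equal(cert.PublicKey) {
		return 0, false, errors.New("private key file does not match the certificate")
	}
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	return days, days < prewarnDays, nil
}

// MakeTestBundle builds a constructed CA and device certificate for this example only (validDays = device cert lifetime).
func MakeTestBundle(now time.Time, validDays int) (caPEM, certPEM, keyPEM []byte) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	devKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0)}
	dev := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "device1"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, validDays)}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	devDER, _ := x509.CreateCertificate(rand.Reader, dev, ca, &devKey.PublicKey, caKey) // issued by the CA
	enc := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	return enc("CERTIFICATE", caDER), enc("CERTIFICATE", devDER), enc("RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(devKey))
}
```

A bundle that fails the chain or pairing check is the case the import commands would also reject, while a certificate that passes but is already below the prewarning threshold should be replaced rather than imported.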

Checking the Security Hardening Result

Run the display pki certificate { ca | local } [ realm realm-name ] command to check the content of the loaded certificates.

Copyright © Huawei Technologies Co., Ltd.