HP MSR2000/3000/4000 Router Series Security Command Reference
pempasswordstring: Specifies a password for encrypting the private key of a local certificate in PEM
format.
filename filename: Specifies a file name for storing a certificate. The file name is a case-insensitive string.
If you do not specify a file name for the certificates in PEM format, this command displays the certificates
on the terminal.
Usage guidelines
When you export the CA certificate of a PKI domain, if the PKI domain has a CA certificate or a CA
certificate chain, this command exports the CA certificate or the CA certificate chain to the specified file
or displays it on the terminal.
When you export the local certificates, the local file names might not be the same as specified in the
command. The file names depend on the usage of the key pairs of the certificates. In the following
description, the filename is the specified file name in the command.
• If the key pair of the local certificate is for signing, the local file name is filename-sign.
• If the key pair of the local certificate is for encryption, the local file name is filename-encr.
• If the key pair of the local certificate is for general use (RSA or DSA), the local file name is filename.
If the PKI domain has two local certificates, one of the following results occurs:
• If you specify a file name, the local certificates are exported to two different files.
• If you do not specify a file name, the local certificates are displayed on the terminal, separated by
the system prompts.
When you export all certificates, if the PKI domain has only the CA certificate or the local certificates, the
result is the same as when you export the local certificates or the CA certificate separately. If the PKI
domain has both the CA certificate and the local certificates, you get the following results:
• If you specify a file name, each local certificate with its proper CA certificate chain is exported to
a separate file.
• If you do not specify a file name, all local certificates and the CA certificate or the CA certificate
chain are displayed on the terminal, separated by the system prompts.
When you export all certificates in PKCS12 format, the PKI domain must have a local certificate.
Otherwise, the export operation fails.
When you export the local certificates or all certificates in PEM format, if you do not specify the
cryptographic algorithm and the challenge password for the private key, this command does not export
the private keys of the local certificates. If you specify the cryptographic algorithm and the password,
and the local certificates have their private keys, this command can export the local certificates with their
private keys. If the local certificates do not have their private keys, the export operation fails.
When you export the local certificates, if the key pair in the PKI domain has been changed and no longer
matches the public key in the local certificates, the export operation fails.
When you export the local certificates or all certificates, if the PKI domain has two local certificates, the
failure of exporting one local certificate does not affect the export operation of the other.
The specified file name can contain an absolute path. If the specified path does not exist, the export
operation fails.
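The following Python helper is an added example, not part of the HP reference: it lists the local file names to expect from the naming rules above and audits exported PEM text (a file or captured terminal output) for certificates and for private keys that are not encrypted. It assumes the device emits standard PEM encapsulation (PKCS #8 or traditional headers); the function names and the sample data are constructed for illustration.

```python
import re

# PEM encapsulation boundaries; text between blocks (for example the
# system prompts that separate certificates on the terminal) is ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

# Suffix appended to the specified file name, per key pair usage (from the page).
SUFFIX = {"signing": "-sign", "encryption": "-encr", "general": ""}

# Constructed sample: placeholder base64, not real certificate or key material.
SAMPLE = """\
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
"""


def expected_files(filename, usages):
    """Local file names to expect for the key pair usages in the PKI domain."""
    return [filename + SUFFIX[u] for u in usages]


def audit_pem(text):
    """Count certificates and classify private keys in exported PEM text."""
    report = {"certificates": 0, "encrypted_keys": 0, "plaintext_keys": 0}
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label == "ENCRYPTED PRIVATE KEY":  # PKCS #8 encrypted key
            report["encrypted_keys"] += 1
        elif label.endswith("PRIVATE KEY"):
            # Traditional format marks encryption with a Proc-Type header.
            if "Proc-Type: 4,ENCRYPTED" in body:
                report["encrypted_keys"] += 1
            else:
                report["plaintext_keys"] += 1
    return report
```

A non-zero `plaintext_keys` count on an exported file is worth investigating, because the command exports private keys only when a cryptographic algorithm and password are specified.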
Examples
# Export the CA certificate in the PKI domain to a file named cert-ca.der in DER format.
<Sysname> system-view
[Sysname] pki export domain domain1 der ca filename cert-ca.der