HP MSR2000/3000/4000 Router Series Security Command Reference
pki import
Use pki import to import the CA certificate, local certificates, or peer certificates for a PKI domain.
Syntax
pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] }
Views
System view
Predefined user roles
network-admin
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters.
The domain name cannot contain the following special characters: tilde (~), asterisk (*), backslash (\),
vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and
apostrophe (').
der: Specifies the certificate format as DER, including PKCS#7.
p12: Specifies the certificate format as PKCS12.
pem: Specifies the certificate format as PEM.
ca: Specifies the CA certificate.
local: Specifies the local certificates.
peer: Specifies the peer certificates.
filename filename: Specifies a certificate file name, a case-insensitive string. For a certificate in PEM
format, you can also choose to copy and paste the certificate contents on the terminal instead of
importing from a file.
Usage guidelines
Use this command to import certificates in the following situations:
• The CRL repository is not specified or the CA server does not support SCEP.
• You want to use a certificate that is packed with the server-generated key pair in a single file. Only
certificate files in PKCS12 or PEM format can contain key pairs.
Before you import the certificates, complete the following tasks:
• Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or TFTP is not
available, you can import the certificates by copying and pasting the certificate contents through
the terminal. In this case, make sure the certificate is in PEM format because only certificates in PEM
format can be imported by this means.
• To import local certificates or peer certificates, the proper CA certificate chain must exist. The CA
certificate chain can be stored on the device in the PKI domain, or carried in the local certificates or
peer certificates. If neither the PKI domain nor the certificates to be imported contain the CA
certificate chain, you must obtain and import the CA certificate first.
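The following pre-import check is an added example, not HP code. It validates the domain name against the rules above, inspects a PEM file for certificate and private key blocks, and builds the matching pki import command. The function names, the domain name aaa, the file name local.pem, and the rule that more than one CERTIFICATE block means the file carries its CA chain are assumptions.

```python
import re

FORBIDDEN = set('~*\\|:.<>"\'')  # characters the page bars from a PKI domain name
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def valid_domain_name(name):
    """Page rule: 1 to 31 characters, none of the listed special characters."""
    return 1 <= len(name) <= 31 and not (set(name) & FORBIDDEN)

def inspect_pem(text):
    """Count certificate blocks and find private keys in PEM text."""
    info = {"certificates": 0, "has_key": False, "key_encrypted": False}
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            info["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            info["has_key"] = True
            info["key_encrypted"] = (label == "ENCRYPTED PRIVATE KEY"
                                     or "Proc-Type: 4,ENCRYPTED" in body)
    return info

def plan_import(domain, kind, pem_text, filename=None, ca_in_domain=False):
    """Return (command, warnings) for a PEM import, following the page's syntax."""
    if not valid_domain_name(domain):
        raise ValueError("invalid PKI domain name: %r" % domain)
    if kind not in ("ca", "local", "peer"):
        raise ValueError("kind must be ca, local or peer")
    info = inspect_pem(pem_text)
    if info["certificates"] == 0:
        raise ValueError("no CERTIFICATE block found; is the file really PEM?")
    warnings = []
    # Assumption: more than one CERTIFICATE block means the file carries its chain.
    if kind != "ca" and not ca_in_domain and info["certificates"] < 2:
        warnings.append("no CA chain in domain or file: import the CA certificate first")
    # A file name implies an FTP or TFTP upload, both of which are cleartext.
    if info["has_key"] and not info["key_encrypted"] and filename:
        warnings.append("unencrypted private key: FTP/TFTP upload exposes it in transit")
    command = "pki import domain %s pem %s" % (domain, kind)
    if filename:
        command += " filename " + filename
    return command, warnings

# Constructed sample: placeholder base64 bodies, not real certificates or keys.
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(plan_import("aaa", "local", CERT + KEY, filename="local.pem"))
```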
When you import the local certificates or peer certificates: