HP MSR2000/3000/4000 Router Series Security Command Reference
180
• If the local certificates or peer certificates to be imported contain the CA certificate chain, you can
import the CA certificate and the local certificates or peer certificates at the same time. If the
certificate of the CA that issues the local certificates or peer certificates already exists in a PKI
domain, the system displays a prompt to ask you whether to overwrite the existing CA certificate.
• If the local certificates or peer certificates to be imported do not contain the CA certificate chain,
but the certificate of the CA that issues the local certificate or peer certificate already exists in a PKI
domain, you can directly import the local certificates or peer certificates.
When you import the CA certificate:
• If the CA certificate to be imported is the CA root certificate or contains the certificate chain with the
root certificate, you can import the CA certificate.
• If the CA certificate to be imported contains a certificate chain without the root certificate, but can
form a complete certificate chain with the CA certificate on the device, you can import the CA
certificate. Otherwise, you cannot import it.
Contact the CA server administrator for the required information in the following scenarios:
• If the certificate file to be imported contains the root certificate, but the root certificate and its
fingerprint are not specified on the device, the system asks you to confirm the fingerprint. This prompt
is the only check that the root certificate is genuine: compare the displayed value with the fingerprint
obtained from the CA administrator through a channel other than the certificate file itself, prefer the
SHA1 value over the MD5 value for the comparison, and answer N if the values do not match.
• If the local certificate to be imported contains a key pair, the system asks you to enter the challenge
password used for encrypting the private key.
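The prompts described above depend on what the PEM file actually contains: whether it carries a certificate chain, whether that chain includes a root (self-signed) certificate, what fingerprints the device will display for that root, and whether an included private key is password-protected. The following script is an added illustration, not part of the HP manual or of the Comware software; it inspects a PEM file offline before you run pki import. It assumes that the device's MD5 and SHA1 fingerprints are digests of the certificate's DER encoding printed in groups of four hex digits, as in the examples on this page, and uses only a minimal DER walk to compare issuer with subject rather than a full X.509 parser. The sample bundle at the end is constructed (unsigned certificate skeletons and a dummy key block) so the script runs without a real CA.

```python
"""Pre-flight inspection of a PEM file before `pki import` (added example)."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, header_lines, der_bytes) for each PEM block in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        headers, b64 = [], []
        for line in m.group(2).splitlines():
            line = line.strip()
            if line:                       # base64 never contains ':'
                (headers if ":" in line else b64).append(line)
        blocks.append((m.group(1), headers, base64.b64decode("".join(b64))))
    return blocks


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, raw_tlv_bytes) for each element directly inside a SEQUENCE."""
    pos = start
    while pos < end:
        tag, _, ve = _tlv(buf, pos)
        yield tag, buf[pos:ve]
        pos = ve


def is_self_signed(der):
    """True when issuer == subject in TBSCertificate, i.e. a root CA certificate."""
    _, cs, _ = _tlv(der, 0)                # Certificate
    _, ts, te = _tlv(der, cs)              # TBSCertificate
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1] == fields[4][1]


def fingerprints(der):
    """MD5/SHA1 of the DER, grouped like the device prompt ('FFFF 3EFF ...')."""
    group = lambda h: " ".join(h[i:i + 4] for i in range(0, len(h), 4)).upper()
    return {"MD5": group(hashlib.md5(der).hexdigest()),
            "SHA1": group(hashlib.sha1(der).hexdigest())}


def key_status(blocks):
    """None without a private key; 'encrypted' if the device will ask for the password."""
    for label, headers, _ in blocks:
        if "PRIVATE KEY" in label:
            enc = label.startswith("ENCRYPTED") or any(
                h.startswith("Proc-Type") and "ENCRYPTED" in h for h in headers)
            return "encrypted" if enc else "plaintext"
    return None


def analyze(pem_text):
    """Summarize what the import prompts will depend on."""
    blocks = pem_blocks(pem_text)
    certs = [der for label, _, der in blocks if label == "CERTIFICATE"]
    roots = [c for c in certs if is_self_signed(c)]
    return {"certificates": len(certs), "has_root": bool(roots),
            "root_fingerprints": [fingerprints(c) for c in roots],
            "private_key": key_status(blocks)}


# --- constructed sample input: unsigned certificate skeletons, not valid X.509 ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(cn):                             # Name ::= SEQUENCE OF SET OF AVA (CN only)
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def sample_certificate(issuer_cn, subject_cn):
    """Structure-only certificate: enough for the issuer/subject walk, unsigned."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") +
           _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) +
           _name(issuer_cn) +
           _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z")) +
           _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


SAMPLE_BUNDLE = (
    to_pem("CERTIFICATE", sample_certificate("Example Root CA", "Example Root CA")) +
    to_pem("CERTIFICATE", sample_certificate("Example Root CA", "Example Issuing CA")) +
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
    "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for k, v in analyze(SAMPLE_BUNDLE).items():
        print(f"{k}: {v}")
```

Run analyze() on the real file you intend to import: has_root tells you whether the device will ask for a fingerprint confirmation, root_fingerprints gives the value to compare against the one the CA administrator supplied, and private_key tells you whether to have the challenge password ready. PKCS#12 (p12) files are binary and are not covered by this PEM-only check.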
When you import a local certificate file that contains a key pair, you can choose to update the domain
with the key pair. The purpose of the key pair determines which existing key pair it replaces:
• If the purpose of the key pair is general, the device uses the key pair to replace the local key pair
that is found in this order: general-purpose key pair, signature key pair, and encryption key pair.
• If the purpose of the key pair is signature, the device uses the key pair to replace the local key pair
that is found in this order: general-purpose key pair and signature key pair.
• If the purpose of the key pair is encryption, the device searches the domain for an encryption key
pair.
If a proper key pair name is found, the device displays a prompt to ask you whether to overwrite the
existing key pair on the device. If it does not find a proper key pair name, the device asks you to enter
a key pair name (defaulting to the PKI domain name) and then generates a proper key pair according
to the algorithm and the purpose of the key pair defined in the certificate file.
The import operation automatically updates or generates the appropriate key pair. After the import,
save the configuration so that the updated key pair and domain settings are not lost.
Examples
# Import the CA certificate file rootca_pem.cer in PEM format to the PKI domain aaa. The certificate file
contains the root certificate.
<Sysname> system-view
[Sysname] pki import domain aaa pem ca filename rootca_pem.cer
The trusted CA's finger print is:
MD5 fingerprint:FFFF 3EFF FFFF 37FF FFFF 137B FFFF 7535
SHA1 fingerprint:FFFF FF7F FF2B FFFF 7618 FF4C FFFF 0A7D FFFF FF69
Is the finger print correct?(Y/N):y
[Sysname]
# Import the CA certificate file aca_pem.cer in PEM format to the PKI domain bbb. The certificate file
does not contain the root certificate.
<Sysname> system-view