HP MSR2000/3000/4000 Router Series Security Command Reference
string: Sets the fingerprint information in hexadecimal notation. If you specify the MD5 keyword, the
fingerprint is a string of 32 characters. If you specify the SHA1 keyword, the fingerprint is a string of 40
characters.
Usage guidelines
If you set the certificate request mode to auto, but the PKI domain does not have a CA certificate, you
must use this command to set the fingerprint for verifying the validity of the CA root certificate. When an
application, like IKE, triggers the device to request the local certificates, the device automatically obtains
the CA certificate from the CA server. If the obtained CA certificate contains a CA root certificate that is
not stored locally, the device verifies the CA root certificate with the fingerprint. If the PKI domain is
not configured with a fingerprint or is configured with a wrong fingerprint, the local certificate request fails.
When you import the CA certificate using the pki import command or obtain the CA certificate using the
pki retrieve command, you can choose whether to set the fingerprint of the CA root certificate. If you
specify the fingerprint in the PKI domain but the CA certificate to be imported or the obtained CA
certificate contains a CA root certificate that is not stored locally, the device uses the specified fingerprint
in the PKI domain for verification and requires you to confirm the fingerprint. If you specify a wrong
fingerprint, you cannot import or obtain the CA certificate.
Examples
# In non-FIPS mode, set an MD5 fingerprint for verifying the validity of the CA root certificate.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E
# Set an SHA1 fingerprint for verifying the validity of the CA root certificate.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
Related commands
• certificate request mode
• pki import
• pki retrieve-certificate
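The following added example (not part of the HP command reference) shows one way to compute and check the value for root-certificate fingerprint on a management workstation, from a CA root certificate received out of band. It assumes the fingerprint is the MD5 or SHA-1 digest of the DER-encoded certificate; the function names are illustrative, and the sample PEM carries the constructed bytes "abc" instead of a real certificate.

```python
import base64
import hashlib
import re

# Hex string lengths the command reference gives for each keyword.
FINGERPRINT_LEN = {"md5": 32, "sha1": 40}

# Constructed stand-in: the payload is the three bytes b"abc", not a real
# certificate, so its digests are the well-known published test vectors.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(der: bytes, algo: str) -> str:
    """Digest of the DER encoding as uppercase hex without separators."""
    if algo not in FINGERPRINT_LEN:
        raise ValueError("algo must be md5 or sha1")
    return hashlib.new(algo, der).hexdigest().upper()

def normalize(value: str, algo: str) -> str:
    """Strip ':' or whitespace separators and enforce the 32/40-character rule."""
    hexstr = re.sub(r"[:\s]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{%d}" % FINGERPRINT_LEN[algo], hexstr):
        raise ValueError(f"{algo} fingerprint must be {FINGERPRINT_LEN[algo]} hex characters")
    return hexstr

def matches(pem: str, algo: str, published: str) -> bool:
    """Compare the computed fingerprint with the one the CA published out of band."""
    return fingerprint(pem_to_der(pem), algo) == normalize(published, algo)

def cli_line(pem: str, algo: str) -> str:
    """Build the PKI domain view command using the syntax shown in the examples."""
    return f"root-certificate fingerprint {algo} {fingerprint(pem_to_der(pem), algo)}"

if __name__ == "__main__":
    print(cli_line(SAMPLE_PEM, "sha1"))
```

Configure the fingerprint only after matches() returns True against a value obtained from the CA through a separate trusted channel; a fingerprint computed from the same download it is meant to verify proves nothing.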
rule
Use rule to create a rule (or statement).
Use undo rule to remove a statement.
Syntax
rule [ id ] { deny | permit } group-name
undo rule id
Default
No statement exists.
Views
PKI certificate access control policy view