R0106-HP MSR Router Series Security Configuration Guide(V7)

Step: 2. Export certificates.
Command:
Export certificates in DER format:
pki export domain domain-name der { all | ca | local } filename filename
Export certificates in PKCS12 format:
pki export domain domain-name p12 { all | local } passphrase p12passwordstring filename filename
Export certificates in PEM format:
- Low encryption:
  pki export domain domain-name pem { { all | local } [ des-cbc pempasswordstring ] | ca } [ filename filename ]
- High encryption:
  pki export domain domain-name pem { { all | local } [ { 3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc } pempasswordstring ] | ca } [ filename filename ]
Remarks:
Configure at least one command.
If you do not specify a file name when you export a certificate in PEM format, the certificate is displayed on the terminal.
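The following added example (not part of the HP guide) audits logged pki export commands against the syntax above. It flags des-cbc and 3des-cbc PEM exports, flags PEM exports that have no file name and therefore go to the terminal, and masks the password before the line is reported. The function name audit_export, the finding labels, and the sample command lines are constructed for illustration.

```python
# Added example: audit logged "pki export" commands against the syntax above.
# audit_export() and the sample lines are constructed for illustration.
WEAK = {"des-cbc"}                  # single DES, 56-bit key
LEGACY = {"3des-cbc"}
STRONG = {"aes-128-cbc", "aes-192-cbc", "aes-256-cbc"}

def audit_export(line):
    """Parse one 'pki export' command; return a report dict, or None if it is not one."""
    tok = line.split()
    if len(tok) < 6 or tok[:3] != ["pki", "export", "domain"]:
        return None
    fmt, scope, rest = tok[4], tok[5], tok[6:]
    if fmt not in {"der", "p12", "pem"}:
        return None
    cipher, has_secret = None, False
    if fmt == "pem" and len(rest) >= 2 and rest[0] in WEAK | LEGACY | STRONG:
        cipher, has_secret, rest = rest[0], True, rest[2:]   # cipher + password
    elif fmt == "p12" and len(rest) >= 2 and rest[0] == "passphrase":
        has_secret, rest = True, rest[2:]                    # keyword + password
    filename = rest[1] if len(rest) >= 2 and rest[0] == "filename" else None
    findings = []
    if cipher in WEAK:
        findings.append("weak-cipher")
    elif cipher in LEGACY:
        findings.append("legacy-cipher")
    if fmt == "pem" and filename is None:
        findings.append("pem-to-terminal")   # no filename: output goes to the terminal
    if has_secret:
        tok[7] = "******"                    # keep the password out of audit output
    return {"domain": tok[3], "format": fmt, "scope": scope, "cipher": cipher,
            "filename": filename, "findings": findings, "redacted": " ".join(tok)}

# Constructed sample command history (not taken from a real device).
SAMPLE = [
    "pki export domain domain1 pem local des-cbc Passw0rd1 filename cert-lo.pem",
    "pki export domain domain1 pem all aes-256-cbc Passw0rd1",
    "pki export domain domain1 p12 local passphrase Passw0rd1 filename cert.p12",
    "pki export domain domain1 der ca filename ca.cer",
    "display pki certificate domain domain1 local",
]

if __name__ == "__main__":
    for line in SAMPLE:
        report = audit_export(line)
        if report:
            print(report["findings"] or ["ok"], report["redacted"])
```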
Removing a certificate
CAUTION:
When you remove the CA certificate in a domain, the system also removes the local certificates, peer
certificates, and CRLs in the same PKI domain.
Each certificate issued by a CA has a validity period. If the certificate is about to expire or your private
key is compromised, do the following tasks:
1. Remove the local certificate.
2. Use public-key local destroy to destroy the existing local key pair.
3. Use public-key local create to generate a new key pair.
4. Request a new certificate.
To remove a certificate:
Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Remove a certificate.
Command: pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] }
Remarks: If no serial number is specified, the command removes all peer certificates.
Configuring a certificate access control policy
You can configure a certificate access control policy on a server to control user access, securing the
server. For example, in an HTTPS application, you can configure a certificate access control policy on an
HTTPS server to verify the validity of client certificates.