The certificate load command loads a digital certificate in the Secure Sockets Layer (SSL) policy view.
The undo certificate load command unloads a digital certificate for the SSL policy.
By default, no digital certificate is loaded for the SSL policy.
# Load a PEM digital certificate for the SSL policy.
certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code
# Load an ASN1 digital certificate for the SSL policy.
certificate load asn1-cert cert-filename key-pair { dsa | rsa } key-file key-filename
# Load a PFX digital certificate for the SSL policy.
certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac cipher mac-code | key-file key-filename } auth-code cipher auth-code
# Load a PEM certificate chain for the SSL policy.
certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code
# Unload a digital certificate for the SSL policy.
undo certificate load
| Parameter | Description | Value |
|---|---|---|
| pem-cert | Loads a PEM digital certificate for the SSL policy. A PEM digital certificate has the file name extension .pem. A PEM certificate is text-encoded, so it can be transferred between systems as text data. | - |
| cert-filename | Specifies the name of the certificate file. The file is located in the security subdirectory of the system directory. If the security directory does not exist in the system, create it. | The value is a string of 1 to 64 characters. The file name is the same as that of the uploaded file. |
| key-pair | Specifies the key pair type. | - |
| dsa | Sets the key pair type to DSA. | - |
| rsa | Sets the key pair type to RSA. | - |
| key-file key-filename | Specifies the key pair file. The file is located in the security subdirectory of the system directory. If the security directory does not exist in the system, create it. | The value is a string of 1 to 64 characters. The file name is the same as that of the uploaded file. |
| auth-code cipher auth-code | Specifies the authentication code of the key pair file. The authentication code verifies user identity so that only authorized clients can access the server. | The value is a string of case-sensitive characters without spaces. If the value begins and ends with double quotation marks (" "), the string can contain spaces. When the value is displayed in plaintext, its length ranges from 1 to 31 characters. When the value is displayed in ciphertext, its length is 48 or 68 characters. A ciphertext password with a length of 32 or 56 characters is also supported. |
| asn1-cert | Loads an ASN1 digital certificate for the SSL policy. An ASN1 digital certificate has the file name extension .der. Most browsers support the ASN1 digital certificate by default. | - |
| pfx-cert | Loads a PFX digital certificate for the SSL policy. A PFX digital certificate has the file name extension .pfx. A digital certificate can be converted from the PFX format to another format. | - |
| mac cipher mac-code | Specifies a message authentication code. The message authentication code ensures the reliability and security of the packet data. | The value is a string of case-sensitive characters without spaces. If the value begins and ends with double quotation marks (" "), the string can contain spaces. When the value is displayed in plaintext, its length ranges from 1 to 31 characters. When the value is displayed in ciphertext, its length is 48 or 68 characters. A ciphertext password with a length of 32 or 56 characters is also supported. |
| pem-chain | Loads a PEM certificate chain for the SSL policy. | - |
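Before uploading files to the security directory, it helps to confirm that each file matches the form of the command you intend to run. The following Python script is an added example, not Huawei code or output from this reference: it classifies a certificate file as pem-cert, pem-chain or asn1-cert, reads the key-pair type from a PEM key where the file exposes it, and flags the 64-character file-name limit from the table above. The sample PEM bodies are constructed placeholders, and `<auth-code>` marks the value you supply yourself.

```python
# Pre-flight classifier for certificate load inputs (added example, not Huawei code).
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption OID inside a PKCS#8 key
DSA_OID = bytes.fromhex("2a8648ce380401")      # id-dsa OID inside a PKCS#8 key
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(data):
    """Yield (label, headers, der) per PEM block; legacy encrypted keys carry headers."""
    for label, body in PEM_BLOCK.findall(data):
        head, sep, b64 = body.strip().partition(b"\n\n")  # headers end at a blank line
        head, b64 = (head, b64) if sep else (b"", head)
        yield label.decode(), head.decode(), base64.b64decode(re.sub(rb"\s", b"", b64))

def classify_cert(data):
    """Map a certificate file to its certificate load keyword, or None if unrecognised."""
    n = sum(1 for label, _, _ in pem_blocks(data) if label == "CERTIFICATE")
    if n:
        return "pem-cert" if n == 1 else "pem-chain"
    return "asn1-cert" if data[:1] == b"\x30" else None  # DER always opens with SEQUENCE

def classify_key(data):
    """Return (key-pair type or None, key appears encrypted) for a private key file."""
    for label, head, der in pem_blocks(data):
        if label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY"):
            return label.split()[0].lower(), "ENCRYPTED" in head
        if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8: algorithm hidden until decrypted
            return None, True
        if label == "PRIVATE KEY":            # plain PKCS#8: the algorithm OID is visible
            return ("rsa" if RSA_OID in der else "dsa" if DSA_OID in der else None), False
    return None, False                        # DER key: type not determined here

def suggest(cert_name, cert_data, key_name, key_data):
    """Return (command line, warnings) for the certificate and key files to be uploaded."""
    kind, (alg, enc) = classify_cert(cert_data), classify_key(key_data)
    warnings = [f"{n}: exceeds the 64-character file-name limit" for n in (cert_name, key_name) if len(n) > 64]
    if alg is None:
        warnings.append(f"{key_name}: key type not detected, choose key-pair dsa | rsa yourself")
    if enc and kind == "asn1-cert":
        warnings.append(f"{key_name}: looks encrypted, but the asn1-cert form has no auth-code")
    cmd = f"certificate load {kind} {cert_name} key-pair {alg or '<dsa|rsa>'} key-file {key_name}"
    if kind in ("pem-cert", "pem-chain"):     # the PEM forms always take auth-code cipher
        cmd += " auth-code cipher <auth-code>"
    return cmd, warnings

# Constructed sample inputs (not real credentials): base64 of minimal byte strings.
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n"
SAMPLE_PKCS8 = (b"-----BEGIN PRIVATE KEY-----\n" + base64.b64encode(
    b"\x30\x0d\x06\x09" + RSA_OID + b"\x05\x00") + b"\n-----END PRIVATE KEY-----\n")
```

Run `suggest("servercert.pem", SAMPLE_CERT, "serverkey.pem", SAMPLE_PKCS8)` to get the pem-cert command line with `key-pair rsa` and an empty warning list.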
Usage Scenario
Data transmission security: uses a symmetric key algorithm to encrypt data.
Message integrity: uses a message authentication code (MAC) algorithm to ensure message integrity.
Identity authentication: authenticates users based on digital signatures and certificates.
The Certificate Authority (CA) issues PEM, ASN1, and PFX digital certificates that carry user identity information. Based on digital certificates, users establish trust relationships with partners who require high security.
A digital certificate includes applicant information such as the applicant's name and public key, the digital signature of the CA that issued the certificate, and the certificate validity period. A certificate chain can be sent along with a certificate so that the receiver holds every certificate in the chain.
Prerequisites
Before running the certificate load command, you must have run the ssl policy command in the system view to create the SSL policy.
Precautions
You can load a certificate or certificate chain for only one SSL policy. Before loading a certificate or certificate chain, you must unload the existing certificate or certificate chain.
To ensure security, after a certificate is successfully loaded the device automatically saves the key file in the system and deletes the file from the storage medium. It is recommended that you do not delete a certificate or certificate chain that has been successfully loaded; otherwise, services using the SSL policy will be affected.
For a device that supports NOR flash, after the certificate is loaded the key pair file is stored in the NOR flash and the file in the security directory is deleted. When the SSL policy is deleted, the file in the NOR flash is deleted as well. To reload the certificate, upload the key file again.
# Load an ASN1 digital certificate for the SSL policy.
<HUAWEI> system-view
[HUAWEI] ssl policy ftp_server
[HUAWEI-ssl-policy-ftp_server] certificate load asn1-cert servercert.der key-pair dsa key-file serverkey.der
# Load a PEM digital certificate for the SSL policy.
<HUAWEI> system-view
[HUAWEI] ssl policy ftp_server
[HUAWEI-ssl-policy-ftp_server] certificate load pem-cert servercert.pem key-pair dsa key-file serverkey.pem auth-code cipher 123456
# Load a PFX digital certificate for the SSL policy.
<HUAWEI> system-view
[HUAWEI] ssl policy http_server
[HUAWEI-ssl-policy-http_server] certificate load pfx-cert servercert.pfx key-pair dsa key-file serverkey.pfx auth-code cipher 123456
# Load a PEM certificate chain for the SSL policy.
<HUAWEI> system-view
[HUAWEI] ssl policy http_server
[HUAWEI-ssl-policy-http_server] certificate load pem-chain chain-servercert.pem key-pair dsa key-file chain-servercertkey.pem auth-code cipher 123456