
certificate load (upgrade-compatible command)

Function

The certificate load command loads a digital certificate in the Secure Sockets Layer (SSL) policy view.

The undo certificate load command unloads a digital certificate for the SSL policy.

By default, no digital certificate is loaded for the SSL policy.

Format

# Load a PEM digital certificate for the SSL policy.

certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code

# Load a PFX digital certificate for the SSL policy.

certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac mac-code | key-file key-filename } auth-code auth-code

# Load a PEM certificate chain for the SSL policy.

certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code auth-code

Parameters

| Parameter | Description | Value |
|---|---|---|
| pem-cert | Loads a PEM digital certificate for the SSL policy. A PEM digital certificate has the file name extension .pem. A PEM digital certificate transfers text data between systems. | - |
| cert-filename | Specifies the name of a certificate file. The file is in the security subdirectory of the system directory. If the security directory does not exist in the system, create this directory. | The value is a string of 1 to 64 characters. The file name is the same as that of the uploaded file. |
| key-pair | Specifies the key pair type. | - |
| dsa | Sets the key pair type to DSA. | - |
| rsa | Sets the key pair type to RSA. | - |
| key-file key-filename | Specifies the key pair file. The file is in the security subdirectory of the system directory. If the security directory does not exist in the system, create this directory. | The value is a string of 1 to 64 characters. The file name is the same as that of the uploaded file. |
| auth-code auth-code | Specifies the authentication code of the key pair file. The authentication code verifies user identity to ensure that only authorized clients access the server. | When the authentication code is in plain text, the value is a string of 1 to 31 case-sensitive characters without any space. |
| pfx-cert | Loads a PFX digital certificate for the SSL policy. A PFX digital certificate has the file name extension .pfx. A digital certificate can be converted from the PFX format to another format. | - |
| mac mac-code | Specifies a message authentication code. The message authentication code ensures the reliability and security of packet data. | When the authentication code is in plain text, the value is a string of 1 to 31 case-sensitive characters without any space. |
| pem-chain | Specifies a PEM certificate chain. | - |

Views

SSL policy view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The SSL security mechanism includes:
  • Data transmission security: uses a symmetric key algorithm to encrypt data.

  • Message integrity: uses the message authentication code (MAC) algorithm to ensure message integrity.

  • Identity authentication: authenticates users based on digital signatures and certificates.

The Certificate Authority (CA) issues PEM, ASN1, and PFX digital certificates that provide user identity information. Based on digital certificates, users establish trust relationships with partners who require high security.

A digital certificate includes information such as the applicant's name, the applicant's public key, the digital signature of the CA that issues the certificate, and the certificate validity period. A certificate chain can be sent together with a certificate so that the receiver has all certificates in the chain.

Prerequisites

Before running the certificate load command, run the ssl policy command in the system view to create the SSL policy.

Precautions

  • You can load a certificate or certificate chain for only one SSL policy. Before loading a certificate or certificate chain, you must unload the existing certificate or certificate chain.
  • When you configure an SSL policy to load a certificate or certificate chain, ensure that the maximum length of the key pair in the certificate or certificate chain is 2048 bits. If the length of the key pair exceeds 2048 bits, the certificate file or certificate chain file cannot be uploaded to the device.

Example

# Load a PEM digital certificate for the SSL policy.

<HUAWEI> system-view
[HUAWEI] ssl policy ftp_server
[HUAWEI-ssl-policy-ftp_server] certificate load pem-cert servercert.pem key-pair dsa key-file serverkey.pem auth-code 123456

# Load a PFX digital certificate for the SSL policy.

<HUAWEI> system-view
[HUAWEI] ssl policy http_server
[HUAWEI-ssl-policy-http_server] certificate load pfx-cert servercert.pfx key-pair dsa key-file serverkey.pfx auth-code %$%$"DlqKik*GE*~`u4H+LFJ(K-=%$%$

# Load a PEM certificate chain for the SSL policy.

<HUAWEI> system-view
[HUAWEI] ssl policy http_server
[HUAWEI-ssl-policy-http_server] certificate load pem-chain chain-servercert.pem key-pair dsa key-file chain-servercertkey.pem auth-code 123456
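
# Audit certificate load lines in a provisioning script (added example, not Huawei code).

The following Python check is an addition to this page. It tests each certificate load line against the syntax in the Format section and the length limits in the Parameters table, and reports any auth-code or mac-code left in plain text. It assumes that a value wrapped in %$%$ ... %$%$ is ciphertext, as in the PFX example above; the audit function, finding texts, and sample lines are constructed for illustration.

```python
import re

# Grammar taken from the Format section of this page; the audit logic is illustrative.
SYNTAX = re.compile(
    r"certificate load (?P<fmt>pem-cert|pfx-cert|pem-chain) (?P<cert>\S+) "
    r"key-pair (?P<kp>dsa|rsa) (?P<sel>key-file|mac) (?P<arg>\S+) "
    r"auth-code (?P<auth>\S+)$"
)
# Assumption: a value wrapped in %$%$ ... %$%$ is ciphertext, as in the PFX example.
CIPHERTEXT = re.compile(r"^%\$%\$.+%\$%\$$")


def audit(line):
    """Return findings for one 'certificate load' line; an empty list means clean."""
    m = SYNTAX.search(line.strip())  # search() tolerates a leading CLI prompt
    if m is None:
        return ["does not match the documented syntax"]
    findings = []
    if m["sel"] == "mac" and m["fmt"] != "pfx-cert":
        findings.append("mac is only documented for pfx-cert")
    # File names are limited to 1-64 characters.
    names = [m["cert"]] + ([m["arg"]] if m["sel"] == "key-file" else [])
    findings += [f"file name longer than 64 characters: {n}" for n in names if len(n) > 64]
    # Secrets: the auth-code always, the mac-code when the mac form is used.
    secrets = [("auth-code", m["auth"])]
    if m["sel"] == "mac":
        secrets.append(("mac", m["arg"]))
    for label, value in secrets:
        if CIPHERTEXT.match(value):
            continue
        if len(value) > 31:
            findings.append(f"{label} exceeds 31 characters")
        findings.append(f"{label} is in plain text")
    return findings


# Constructed sample: lines as they might appear in a provisioning script.
SAMPLE = [
    "certificate load pem-cert servercert.pem key-pair rsa key-file serverkey.pem auth-code 123456",
    "certificate load pfx-cert servercert.pfx key-pair rsa key-file serverkey.pfx auth-code %$%$CONSTRUCTED%$%$",
    "certificate load pem-chain chain.pem key-pair rsa mac abc auth-code %$%$CONSTRUCTED%$%$",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(audit(line) or ["ok"], "<-", line)
```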
Copyright © Huawei Technologies Co., Ltd.