(Optional) Installing a CA Certificate for a PKI Entity

Context

A downloaded CA certificate must be imported into the device memory to take effect. The device stores the imported certificate file in the ca_config.ini file in the default directory and automatically loads it after a restart.

To prevent the installation from failing, ensure that the CA certificate file does not exceed 1 MB.

When SCEP is used, the device automatically installs the CA certificate, so you do not need to install it manually.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki import-certificate ca realm realm-name { der | pkcs12 | pem } [ filename filename ] [ replace ] [ no-check-validate ] [ no-check-hash-alg ]

    Or run pki import-certificate ca realm realm-name pkcs12 filename filename [ no-check-validate ] [ no-check-hash-alg ] password password

    The CA certificate is imported into the device memory.

  3. (Optional) Run pki set-certificate expire-prewarning day

    The expiry prewarning time of the CA certificate in the device memory is configured.

    The default expiry prewarning time of the CA certificate in the device memory is 7 days.
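
A workstation-side check to run on a PEM or DER CA certificate file before step 2, added here as an example and not Huawei's code: it tests the 1 MB limit, the validity period and the 7-day default prewarning window, and flags MD5 or SHA-1 signatures. It assumes that 1 MB means 1024*1024 bytes and that the checks skipped by no-check-validate and no-check-hash-alg concern validity and the signature hash algorithm (the page does not define them); the weak-algorithm list and the SAMPLE bytes are constructed for the example, and PKCS12 files are not handled.

```python
import base64
from datetime import datetime, timedelta, timezone

MAX_BYTES = 1024 * 1024   # the page says "1 MB"; 1024*1024 bytes is assumed
PREWARN_DAYS = 7          # the page's default expiry prewarning time
WEAK_SIG_OIDS = {bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",   # this example's
                 bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption"}  # own weak list
# Constructed sample: DER skeleton cut off after the validity field, SHA-1 signature OID.
SAMPLE = (bytes.fromhex("303b3039a003020102020101300d06092a864886f70d01010505003000301e170d")
          + b"250101000000Z" + bytes.fromhex("170d") + b"260101000000Z")

def tlv(buf, pos):   # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def asn1_time(buf, pos):   # UTCTime/GeneralizedTime at pos -> (datetime, next_pos)
    tag, start, end = tlv(buf, pos)
    text = buf[start:end].decode("ascii")
    if tag == 0x17:                                    # UTCTime has a two-digit year
        text = ("20" if text[:2] < "50" else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc), end

def precheck(data, now):   # findings for PEM or DER bytes; [] means no objection
    if len(data) > MAX_BYTES:
        return ["file exceeds 1 MB"]
    try:
        if b"-----BEGIN CERTIFICATE-----" in data:     # PEM: unwrap to DER
            data = base64.b64decode(data.split(b"-----")[2])
        _, pos, _ = tlv(data, tlv(data, 0)[1])         # Certificate -> tbsCertificate
        tag, _, end = tlv(data, pos)                   # [0] version or serialNumber
        if tag == 0xA0:
            _, _, end = tlv(data, end)                 # serialNumber
        _, alg, end = tlv(data, end)                   # signature AlgorithmIdentifier
        _, o1, o2 = tlv(data, alg)                     # algorithm OID
        _, val, _ = tlv(data, tlv(data, end)[2])       # skip issuer, enter validity
        not_before, nxt = asn1_time(data, val)
        not_after, _ = asn1_time(data, nxt)
    except (IndexError, ValueError):
        return ["not a parsable PEM or DER X.509 certificate"]
    name = WEAK_SIG_OIDS.get(data[o1:o2])
    findings = [f"weak signature hash: {name}"] if name else []
    if not not_before <= now <= not_after:
        findings.append("outside validity period")
    elif not_after - now <= timedelta(days=PREWARN_DAYS):
        findings.append(f"expires within {PREWARN_DAYS} days")
    return findings
```

Call precheck() with the file's bytes and the current UTC time; a non-empty result is a reason to look at the certificate before importing it rather than reaching for the no-check options.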

Follow-up Procedure

  • To copy a CA certificate to another device, run the pki export-certificate ca realm realm-name { pem | pkcs12 } [ filename filename ] command. The CA certificate is exported to the device storage and can then be obtained through FTP or SFTP.

  • If a CA certificate expires or is not in use, run the pki delete-certificate ca realm realm-name command to delete the CA certificate from the device memory.

Copyright © Huawei Technologies Co., Ltd.