
A CA Certificate Failed to Be Obtained

Fault Symptom

  • The network administrator has manually applied for a CA certificate; however, the CA certificate does not exist in the device storage. The cause is that the configuration for downloading CA certificates using HTTP is incorrect.

  • The administrator applies for a CA certificate using SCEP. However, the CA certificate does not exist in the device storage. The possible causes are as follows:

    • The command for obtaining the CA certificate is not executed.

    • The trusted CA name is incorrect or not configured.

    • The URL of the certificate enrollment server is incorrect or not configured.

    • The PKI entity is not configured.

    • The fingerprint is incorrect or not configured.

    • The RSA key pair is not configured.

    • The source interface for TCP connection is incorrect.

Procedure

  • Obtain a CA certificate manually.

    Check whether the configuration about downloading a CA certificate using HTTP is correct. If not, modify the configuration using the pki http command.

  • Obtain a CA certificate using SCEP.
    1. Check whether the pki get-certificate command has been executed in the system view.

      If not, run the pki get-certificate command. You will be prompted if the configuration for CA certificate application is incorrect.

    2. Check whether the CA certificate application configuration is correct in the PKI realm.

      Run the display pki realm command in any view or the display this command in the PKI realm view.

      The following is a sample of CA certificate application configuration:
      pki realm test
       ca id ca_server   //Specify the CA trusted by the PKI realm.
       enrollment-url http://10.13.14.15:8080/certsrv/mscep/mscep.dll   //Configure the URL of the certificate enrollment server.
       entity zzz   //Specify the PKI entity.
       fingerprint sha1 7a34d94624b1c1bcbf6d763c4a67035d5b578eaf   //Configure the fingerprint used to verify the CA certificate. The fingerprint is obtained from the CA server.
       rsa local-key-pair 8   //Specify the RSA key pair.
       source interface GigabitEthernet0/0/2   //Specify the source interface (a Layer 3 interface with an IP address assigned) for the TCP connection. By default, the source interface of a TCP connection is the egress interface.

      Ensure that the configuration is correct. For details, see Applying for and Updating the Local Certificate for a PKI Entity Through SCEP.

Copyright © Huawei Technologies Co., Ltd.