
A Local Certificate Failed to Be Obtained

Fault Symptom

  • The administrator applies for a local certificate in offline mode. However, the local certificate does not exist in the device storage. The possible causes are as follows:

    • The PKI entity configuration is incorrect.

    • The challenge password is incorrect or not configured.

    • The configuration for downloading the local certificate using HTTP is incorrect.

  • The administrator applies for a local certificate using SCEP or CMPv2. However, the local certificate does not exist in the device storage. The possible causes are as follows:

    • No CA certificate exists in the PKI realm.

    • The PKI entity is incorrectly configured or not configured.

    • The trusted CA name is incorrect or not configured.

    • The URL of the certificate enrollment server is incorrect or not configured.

    • The RSA key pair is not configured.

    • The source interface for TCP connection is incorrect.

    • The digest method used for the signed certificate enrollment request is incorrect.

    • The challenge password is incorrect or not configured.

    • The reference and secret values of MAC are incorrect or not configured.

    • The certificate for identity verification is incorrectly configured.

Procedure

  • Obtain a local certificate manually.
    1. Check whether the PKI entity is correctly configured.

      To view the configuration of a PKI entity in a PKI realm, run the display pki entity command.

      Modify the incorrect configurations, such as country code. For details, see Configuring a PKI Entity.

    2. Check whether the challenge password is correct.

      Confirm that the CA server requires a challenge password, and ensure that the challenge password configured on the device is the same as that of the CA server. To set the challenge password, run pki enroll-certificate.

    3. Check whether the configuration for downloading a CA certificate using HTTP is correct.

      If not, modify the configuration using the pki http command.

  • Obtain a local certificate using SCEP or CMPv2.
    1. Check whether the CA certificate has been imported to the device memory.

      To view the CA certificate in memory, run display pki certificate.

      If no CA certificate exists, obtain a CA certificate and run pki import-certificate to import the certificate to memory.

    2. Check whether the PKI entity is correctly configured.

      To view the configuration of a PKI entity in a PKI realm, run the display pki entity command.

      Modify the incorrect configurations, such as country code. For details, see Configuring a PKI Entity.

    3. Check whether the CA certificate application configuration is correct in the PKI realm or CMP session.

      • PKI realm

        Run the display pki realm command in any view or the display this command in the PKI realm view.

        The following is a sample of local certificate application configuration:
        pki realm test
         ca id ca_server   //Specify the CA trusted by the PKI realm.
         enrollment-url http://10.13.14.15:8080/certsrv/mscep/mscep.dll   //Configure the URL for the certificate enrollment server.
         entity zzz   //Specify the PKI entity.
         rsa local-key-pair 8   //Specify the RSA key pair.
         password cipher %^%#\1HN-bn(k;^|O85OAtYF3(M4%^%#   //Configure the challenge password for SCEP certificate application, which is the same as that on the CA server.
         source interface Vlanif100   //Specify the source interface (a Layer 3 interface with IP address assigned) for the TCP connection. By default, source interface of a TCP connection is the egress interface.
         enrollment-request signature message-digest-method sha256   //Configure the digest algorithm used by the signed certificate enrollment request, which is the same as that on the CA server.

        Ensure that the configuration is correct. For details, see Applying for and Updating the Local Certificate for a PKI Entity Through SCEP.

      • CMP session

        Run the display this command in the CMP session view.

        The following is a sample of CA certificate application configuration:
        pki cmp session cmp
         cmp-request ca-name "C=cn,ST=beijing,L=SD,O=BB,OU=BB,CN=BB"   //Configure the CA name. The field order in a CA name must be the same as that in the CA certificate.
         cmp-request authentication-cert local.cer   //Configure the identity authentication certificate in the CMPv2 request, which is used for certificate update or certificate application for another device.
         cmp-request entity user01   //Specify the PKI entity.
         cmp-request server url http://10.3.0.1:8080   //Configure the URL for the CMPv2 server.
         cmp-request rsa local-key-pair rsa regenerate   //Specify the RSA key pair.
         cmp-request message-authentication-code 1234 %^%#ZodFBGH[^BkU2(~>[NRBv|#b>se|@I7"'A,llG_B%^%#   //Configure the reference and secret values for MAC, which must be the same as those on the CA server.

        Ensure that the configuration is correct. For details, see Applying for and Updating the Local Certificate Through CMPv2.
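        As an added check that is not part of this document or the device software, the following Python script parses the output of display this in the PKI realm view and reports each SCEP precondition from the list above that is missing or mismatched. The sample output and the assumed CA digest method (sha256) are constructed for the example.

```python
import re

# Constructed sample of `display this` output from the PKI realm view, modelled
# on the example in the document; the cipher text is a placeholder, not a real value.
SAMPLE_REALM = """\
pki realm test
 ca id ca_server   //Specify the CA trusted by the PKI realm.
 enrollment-url http://10.13.14.15:8080/certsrv/mscep/mscep.dll
 entity zzz
 rsa local-key-pair 8
 password cipher %^%#PLACEHOLDER%^%#
 enrollment-request signature message-digest-method sha256
"""

# Keyword -> description, taken from the SCEP preconditions listed in the document.
REQUIRED = {
    "ca id": "trusted CA name",
    "enrollment-url": "certificate enrollment server URL",
    "entity": "PKI entity",
    "rsa local-key-pair": "RSA key pair",
    "password cipher": "challenge password",
    "enrollment-request signature message-digest-method": "digest method",
}

def parse_realm(text):
    """Map each configured keyword to its argument string."""
    cfg = {}
    for raw in text.splitlines():
        # Drop trailing " //..." comments without touching the "//" inside URLs.
        line = re.split(r"\s+//", raw, maxsplit=1)[0].strip()
        if not line or line.startswith("pki realm"):
            continue
        for key in REQUIRED:
            if line == key or line.startswith(key + " "):
                cfg[key] = line[len(key):].strip()
                break
    return cfg

def check_realm(text, expected_digest="sha256"):
    """Return findings; an empty list means every precondition is present.
    expected_digest is the method the CA server requires (an assumption here)."""
    cfg = parse_realm(text)
    findings = [f"missing: {desc} ({key})"
                for key, desc in REQUIRED.items() if key not in cfg]
    url = cfg.get("enrollment-url", "")
    if url and not re.match(r"^https?://\S+$", url):
        findings.append(f"enrollment-url is not an http(s) URL: {url}")
    digest = cfg.get("enrollment-request signature message-digest-method")
    if digest and digest != expected_digest:
        findings.append(f"digest method {digest} differs from CA's {expected_digest}")
    return findings
```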

Copyright © Huawei Technologies Co., Ltd.