If the RSA key pair has been generated on the device, you can have the device generate a certificate request file and provide this file to a certificate authority (CA), which then issues only a local certificate. In that case you only need to import the CA certificate and the local certificate provided by the CA to the device memory, without having to import the RSA key pair.
[HUAWEI] pki delete-certificate local realm abc
The following describes the procedure for manually importing certificates and an RSA key pair:
Enable the device to send certificate request information to the CA in out-of-band mode (web, disk, or email) to apply for a local certificate.
Download the CA certificate, local certificate, and RSA key pair file, and upload them to the device storage media using TFTP.
Generally, a certificate in DER or PEM format and its key pair are stored in different files, whereas a certificate in PKCS#12 format and its key pair are stored in the same file.
Import the CA certificate. If there are multiple CA certificates, import all CA certificates.
For example, the obtained CA certificate file is named rootca.pem.
<HUAWEI> system-view
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki import-certificate ca realm abc pem filename rootca.pem
After the CA certificate has been imported successfully, check CA certificate information.
[HUAWEI] display pki certificate ca realm abc
Import the local certificate.
For example, the obtained local certificate file is named localcert.pem.
[HUAWEI] pki import-certificate local realm abc pem filename localcert.pem
After the local certificate has been imported successfully, check local certificate information.
[HUAWEI] display pki certificate local realm abc
Import the RSA key pair. For files in PEM or PKCS#12 format, the password for the RSA key pair provided by the CA is also required.
For example, the obtained RSA key pair file is local_privatekey.pem, and the password is Huawei@123.
[HUAWEI] pki import rsa-key-pair abc pem local_privatekey.pem password Huawei@123
After the RSA key pair has been imported successfully, check RSA key pair information.
[HUAWEI] display pki rsa local-key-pair name abc public
Check whether the imported local certificate and RSA key pair match. If no matching key pair is found, check whether the imported file is correct.
[HUAWEI] pki match-rsa-key certificate-filename localcert.pem
Info: The file localcert.pem contains certificates 1.
Info: Certificate 1 from file localcert.pem matches RSA key test.
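The same certificate-to-key check can be run on the administrator's workstation before the files are uploaded, so that a wrong file or wrong password is caught before import. The script below is an added example, not Huawei code. It assumes OpenSSL is installed, and KEY_PASS is an environment variable name chosen here to carry the key password.

```shell
#!/bin/sh
# Added example (not Huawei code): check that a PEM certificate and a PEM
# private key belong together before uploading them to the device.
# Assumptions: OpenSSL is installed; KEY_PASS is an environment variable chosen
# here so the key password never appears on the command line or process list.

# cert_matches_key CERT_PEM KEY_PEM
# Returns 0 = match, 1 = mismatch, 2 = certificate unreadable,
#         3 = key unreadable (wrong file, wrong format or wrong password).
cert_matches_key() {
    cert_file=$1
    key_file=$2

    # Public key embedded in the certificate, as PEM SubjectPublicKeyInfo.
    cert_pub=$(openssl x509 -in "$cert_file" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$cert_pub" ] || return 2

    # Public half derived from the private key. The password is taken from the
    # environment only when KEY_PASS is set (unencrypted keys need none).
    key_pub=$(openssl pkey -in "$key_file" ${KEY_PASS+-passin env:KEY_PASS} \
        -pubout </dev/null 2>/dev/null) || return 3
    [ -n "$key_pub" ] || return 3

    # The files form one key pair only if both public keys are identical.
    [ "$cert_pub" = "$key_pub" ] || return 1
    return 0
}

# Stand-alone use: KEY_PASS=... ./check.sh localcert.pem local_privatekey.pem
if [ "$#" -eq 2 ]; then
    rc=0
    cert_matches_key "$1" "$2" || rc=$?
    case $rc in
        0) echo "match: $1 and $2 are the same key pair" ;;
        1) echo "MISMATCH: $1 was not issued for the key in $2" ;;
        2) echo "cannot read certificate $1" ;;
        3) echo "cannot read key $2 (wrong format or password?)" ;;
    esac
fi
```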