
display pki realm

Function

The display pki realm command displays PKI realm information.

Format

display pki realm [ realm-name ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| realm-name | Displays detailed information about a PKI realm. If the parameter is left blank, information about all PKI realms is displayed. | The PKI realm name must already exist. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

This command displays details about PKI realms, including the PKI realm name, associated CA, CA certificate subject name, URL used for certificate enrollment through SCEP, PKI entity name, digital fingerprint algorithm of the CA certificate, and digital fingerprint of the CA certificate.

Example

# Display information about the PKI realm abc.

<HUAWEI> display pki realm abc
 Realm Name : abc                                                               
 CA ID: CA_ROOT                                                                 
 CA Name: "/CN=ca_root"                                                         
 Enrollment URL: http://10.136.7.196:8080/certsrv/mscep/mscep.dll               
 Certificate Request Interval(Minutes): 1                                       
 Certificate Request Times: 5                                                   
 Enrollment Mode: RA                                                            
 Enrollment Method: SCEP                                                        
 Entity Name: abc                                                               
 CA Certificate Fingerprint Arithmetic: sha256                                  
 CA Certificate Fingerprint: e71add0744360e91186b828412d279e06dcc15a4ab4bb3d1384
2820396b526a0 
 OCSP Nonce: Enable
 OCSP URL: -
 Method for Getting CRL: HTTP                                                   
 CDP URL: -                                                                     
 Certificate Revocation Check Method: -                                         
 RSA Key Name: abc                                                              
 Auto-enroll: Enable 
 Auto-enroll Percent: 100% 
 Auto-enroll Regenerate: Enable
 Auto-enroll Regenerate Key-size: 2048 
 Auto-enroll Updated-effective: Disable 
 Password Cipher: Enable 
 Password: %^%#:,3/YY@~[@(`1DBbZ&o$s`B\@S+3:UT0tF9EzSM:%^%# 
 Crl Update-period(Hours): 8                                                    
 Crl Cache: Enable                                                              
 Key-usage: -                                                                   
 Vpn-instance: -                                                                
 Source IP: -                                                            
 Enrollment-request Signature Message-digest-method: SHA256
                                                                                
 Total Number: 1 

Table 1 Description of the display pki realm command output

Item

Description

Realm Name

PKI realm name. It is configured using the pki realm (system view) command.

CA ID

ID of the CA associated with the PKI realm.

CA Name

Subject name of a CA certificate.

Enrollment URL

URL of the SCEP server used for certificate enrollment. It is configured using the enrollment-url command.

Certificate Request Interval(Minutes)

Interval between two certificate enrollment status queries.

Certificate Request Times

Maximum number of certificate enrollment status queries.

Enrollment Mode

Certificate enrollment mode (whether enrolled through RA). It is configured using the enrollment-url command.

Enrollment Method

Certificate enrollment method, including:

  • SCEP: obtains a certificate from the CA using SCEP.

  • Self-Signed: obtains a certificate by self-signing.

Entity Name

PKI entity name. It is configured using the entity command.

CA Certificate Fingerprint Arithmetic

Fingerprint algorithm of the CA certificate. It is configured using the fingerprint command.

CA Certificate Fingerprint

Digital fingerprint of the CA certificate. It is configured using the fingerprint command.

OCSP Nonce

Whether a nonce extension is added to the OCSP request sent by a PKI entity.
  • Enable: A nonce extension is added to the OCSP request sent by a PKI entity.
  • Disable: A nonce extension is not added to the OCSP request sent by a PKI entity.

It is configured using the ocsp nonce enable command.

OCSP URL

OCSP server's URL. It is configured using the ocsp url command.

Method for Getting CRL

Method of obtaining CRL.
  • SCEP: updates the CRL automatically using SCEP. It is configured using the crl scep command.

  • HTTP: updates the CRL automatically using HTTP. It is configured using the crl http command.

CDP URL

URL of the CDP. It is configured using the cdp-url command.

Crl Cache

Whether the PKI realm is allowed to use the CRL in cache.
  • Enable: The PKI realm is allowed to use the CRL in cache.
  • Disable: The PKI realm is not allowed to use the CRL in cache.

To configure whether to allow the PKI realm to use the CRL in cache, run the crl cache command.

Certificate Revocation Check Method

Certificate status check method. It is configured using the certificate-check command.

RSA Key Name

RSA key. It is configured using the rsa local-key-pair command.

Auto-enroll

Whether automatic certificate enrollment is enabled.
  • Enable: Automatic certificate enrollment is enabled.
  • Disable: Automatic certificate enrollment is disabled.

It is configured using the auto-enroll command.

Auto-enroll Percent

The percentage of the certificate's validity period. It is configured using the auto-enroll command.

Auto-enroll Regenerate

Whether the RSA key pair will be generated during certificate updates.
  • Enable: The RSA key pair will be generated during certificate updates.
  • Disable: The RSA key pair will not be generated during certificate updates.

It is configured using the auto-enroll command.

Auto-enroll Regenerate Key-size

RSA key length. It is configured using the auto-enroll command.

Auto-enroll Updated-effective

Whether the certificate takes effect immediately after being updated.
  • Enable: The certificate takes effect immediately after being updated.
  • Disable: The certificate does not take effect immediately after being updated.

It is configured using the auto-enroll command.

Password Cipher

Whether the challenge password can be used.
  • Enable: The challenge password can be used.
  • Disable: The challenge password cannot be used.

Password

Password used to apply for or revoke a certificate. It is configured using the password (PKI realm view) command.

Crl Update-period(Hours)

CRL update interval. It is configured using the crl update-period command.

Key-usage

Purpose information carried in a certificate request packet. It is configured using the key-usage command.

Vpn-instance

VPN to which the PKI realm is added. It is configured using the vpn-instance command.

Source IP

Source IP address used by the device to communicate with the PKI server. It is configured using the source command.

Enrollment-request Signature Message-digest-method

Digest method used to sign certificate enrollment request packets. It is configured using the enrollment-request signature message-digest-method command.
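
The following added example (not Huawei code and not part of the original page) parses one realm block of display pki realm output and flags settings a configuration review would question. It assumes field lines start with a space while a wrapped value continues at column 0, that "-" means the item is not configured, and that md5 and sha1 count as weak under the reviewer's policy; parse_realm and audit_realm are hypothetical names.

```python
import re

# Constructed sample in the layout shown above; the fingerprint wraps at column 80.
SAMPLE = """\
 Realm Name : lab
 CA Certificate Fingerprint Arithmetic: sha256
 CA Certificate Fingerprint: 0123456789abcdef0123456789abcdef0123456789abcdef012
3456789abcdef
 Certificate Revocation Check Method: -
 Auto-enroll Regenerate Key-size: 1024
 Enrollment-request Signature Message-digest-method: SHA1
"""

FIELD = re.compile(r"^\s+([^:]+?)\s*:\s*(.*?)\s*$")
WEAK = {"md5", "sha1"}                        # audit policy assumed for this example
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

def parse_realm(text):
    """Return {field: value}; lines without leading space continue the previous value."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif line.strip() and last:
            fields[last] += line.strip()      # rejoin a wrapped value
    return fields

def audit_realm(f):
    """Return a list of findings for one parsed realm."""
    out = []
    alg = f.get("CA Certificate Fingerprint Arithmetic", "-").lower()
    fp = f.get("CA Certificate Fingerprint", "-")
    if alg in WEAK:
        out.append("weak CA fingerprint algorithm: " + alg)
    if alg in HEX_LEN and len(fp) != HEX_LEN[alg]:
        out.append("CA fingerprint length does not match " + alg)
    if f.get("Enrollment-request Signature Message-digest-method", "-").lower() in WEAK:
        out.append("weak enrollment-request digest")
    if f.get("Certificate Revocation Check Method", "-") == "-":   # "-" read as unset
        out.append("no revocation check method configured")
    size = f.get("Auto-enroll Regenerate Key-size", "-")
    if size.isdigit() and int(size) < 2048:
        out.append("regenerated RSA key below 2048 bits")
    return out

if __name__ == "__main__":
    print("\n".join(audit_realm(parse_realm(SAMPLE))))
```

The fingerprint length check only passes when the wrapped line has been rejoined, so a parser that reads the output line by line would compare a truncated fingerprint.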

Copyright © Huawei Technologies Co., Ltd.