
pki import-certificate

Function

The pki import-certificate command imports a certificate to the device memory.

Format

pki import-certificate { ca | local } realm realm-name { der | pkcs12 | pem } [ filename filename ] [ replace ] [ no-check-validate ] [ no-check-hash-alg ]

pki import-certificate { ca | local } realm realm-name pkcs12 filename filename [ no-check-validate ] [ no-check-hash-alg ] password password

pki import-certificate ocsp realm realm-name { der | pkcs12 | pem } [ filename filename ]

pki import-certificate ocsp realm realm-name pkcs12 filename filename password password

Only devices in NETCONF mode support the ocsp parameter.

Parameters

Parameter

Description

Value

ca

Imports a CA certificate. For example, when the device works as an SSL proxy, import the SSL proxy CA certificate so that the device can use its private key to re-sign the server certificate presented to the SSL client.

-

local

Imports a local certificate.

-

realm realm-name

Specifies the PKI realm name of the imported certificate.

The PKI realm name must already exist.

NOTE:

The realm name cannot contain spaces. Otherwise, the certificate cannot be imported.

der

Imports a certificate in DER format.

-

pkcs12

Imports a certificate in PKCS12 format.

-

pem

Imports a certificate in PEM format.

-

filename filename

Specifies the name of the certificate file to import.

The file must already exist on the storage device.

replace

Deletes the original certificate and its RSA key pair and imports the new certificate when the realm already contains a certificate with the same identity.

NOTE:

If the RSA key pair of the original certificate is not referenced by any other realm, both the certificate and the key pair are deleted. If the key pair is referenced by another realm or by a CMP session, only the original certificate is deleted and the key pair is retained.

-

no-check-validate

Skips the validity check on the imported certificate. By default, the check is performed and a certificate that fails it (for example, an expired certificate) is rejected. With this keyword such a certificate is imported anyway, so use it only when the reason is understood.

-

no-check-hash-alg

Skips the check on the hash algorithm used in the signature of the imported certificate. By default, the check is performed and a certificate signed with a hash algorithm the device rejects is not imported. With this keyword such a certificate is imported anyway, so use it only when the reason is understood.

-

ocsp

Imports the Online Certificate Status Protocol (OCSP) server's certificate.

-

password password

Specifies the password used to decrypt the PKCS12 file. It must be the same password that was configured when the certificate was exported using the pki export-certificate command.

The value is a string; it must match the password set when the PKCS12 file was created.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a certificate is saved to the storage, run this command to import the certificate to the memory for it to take effect.

The device supports the following certificate import modes:
  • terminal (filename not specified): the certificate content is pasted into the terminal. That is, open the peer's PEM certificate file with a text tool and copy its content to the local device.
  • file (filename specified): the certificate file of the peer is read from the storage device.

Multiple certificates can be imported on the device, including the CA certificate, local certificate, and private key.

If you do not know the format of the certificate you want to import, try each format in turn and check whether the certificate is imported successfully. A PEM file is text that begins with a -----BEGIN line; DER and PKCS12 files are binary.

Prerequisites

The PKI realm has been created using the pki realm (system view) command, and the certificate file already exists on the storage device.

Precautions

If a certificate file contains a key pair file, the pki import-certificate command imports only the certificate file, but not the key pair file. To import the key pair file, run the pki import rsa-key-pair command after the pki import-certificate command, or run the pki import rsa-key-pair command to import the certificate and key pair files simultaneously.

It is not recommended that multiple local certificates be imported into the same PKI realm. Otherwise, certificate-related services may use the certificates that do not match the services, causing services to become unavailable.

When a certificate in pkcs12 format is imported, the PKI system removes the file name extension of the original certificate file, appends _localx.cer to generate a new file name, and saves the file to the storage component. The name of the certificate file to be imported should therefore be shorter than 50 characters. Otherwise, the generated file name exceeds 64 characters and the certificate cannot be saved to the storage component.

The device supports the import of digital certificates generated using the RSA algorithm or the SM2 algorithm.
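The format question in the Usage Scenario (which of der, pkcs12 or pem to specify) and the constraints in the Precautions (a PEM bundle's private key is not imported by this command, and a PKCS12 file name must stay under 50 characters) can be checked on the administrator's workstation before touching the device. The following Python script is an added example and is not Huawei's code: it recognises PEM, DER X.509 and PKCS12 files from their header bytes, applies the realm-name, file-name-length and password rules stated in this reference, notes when a PEM file also carries a private key that must be imported separately with pki import rsa-key-pair, and composes the resulting command line. The sample inputs are constructed header fragments, not real certificates, and the function names are the example's own.

```python
"""Pre-flight checks before running pki import-certificate.

Added example (not Huawei's code). It inspects a certificate file on the
administrator's workstation and picks the matching format keyword
(pem | der | pkcs12) instead of trying each format on the device in turn,
checks the constraints the command reference states (realm name without
spaces, PKCS#12 file name shorter than 50 characters, password required
for PKCS#12), and flags a PEM bundle that also contains a private key,
which this command does not import.
"""
import re
from typing import List, Optional, Tuple

# Header line of a PEM block, e.g. -----BEGIN CERTIFICATE-----
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def der_header(data: bytes, offset: int = 0) -> Optional[Tuple[int, int, int]]:
    """Decode one DER tag/length header at `offset`.

    Returns (tag, content_length, header_size), or None when the bytes do
    not form a valid DER header.
    """
    if offset + 2 > len(data):
        return None
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:                     # short form: one length byte
        return tag, first, 2
    n = first & 0x7F                     # long form: n length bytes follow
    if n == 0 or n > 4 or offset + 2 + n > len(data):
        return None
    length = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
    return tag, length, 2 + n


def detect_format(data: bytes) -> Optional[str]:
    """Return 'pem', 'der' or 'pkcs12', or None if the file is none of them."""
    if PEM_BLOCK.search(data):
        return "pem"
    outer = der_header(data)
    if outer is None or outer[0] != 0x30:  # both binary forms are a SEQUENCE
        return None
    inner = der_header(data, outer[2])
    if inner is None:
        return None
    tag, length, hdr = inner
    body = outer[2] + hdr
    # PKCS#12 PFX ::= SEQUENCE { version INTEGER (v3 = 3), authSafe, ... }
    if tag == 0x02 and length == 1 and body < len(data) and data[body] == 3:
        return "pkcs12"
    # X.509 Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    if tag == 0x30:
        return "der"
    return None


def pem_labels(data: bytes) -> List[str]:
    """Labels of all PEM blocks in the file, e.g. ['CERTIFICATE', 'RSA PRIVATE KEY']."""
    return [label.decode() for label in PEM_BLOCK.findall(data)]


def preflight(kind: str, realm: str, filename: str, data: bytes,
              password: Optional[str] = None) -> Tuple[Optional[str], List[str], List[str]]:
    """Build the import command line for a ca or local certificate.

    Returns (command, problems, notes). command is None whenever a problem
    is found; notes carry follow-up actions that are not errors.
    """
    problems, notes = [], []
    if kind not in ("ca", "local"):
        problems.append("kind must be 'ca' or 'local'")
    if not realm or " " in realm:
        problems.append("realm name must not be empty or contain spaces")
    fmt = detect_format(data)
    if fmt is None:
        problems.append("file is neither PEM, DER X.509 nor PKCS#12")
    if fmt == "pkcs12":
        # The PKI system strips the extension and appends _localx.cer; the
        # generated name must stay within 64 characters.
        if len(filename) >= 50:
            problems.append("PKCS#12 file name must be shorter than 50 characters")
        if not password:
            problems.append("PKCS#12 import needs the password used when the file was exported")
    if fmt == "pem" and any("PRIVATE KEY" in label for label in pem_labels(data)):
        notes.append("file also carries a private key: import it afterwards with pki import rsa-key-pair")
    if problems:
        return None, problems, notes
    cmd = f"pki import-certificate {kind} realm {realm} {fmt} filename {filename}"
    if fmt == "pkcs12":
        cmd += f" password {password}"
    return cmd, problems, notes


# Constructed samples (not real certificates): the detector only looks at the
# PEM header lines or at the first two DER headers, so the bodies are filler.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIBAQ==\n"
              b"-----END CERTIFICATE-----\n")
SAMPLE_PEM_WITH_KEY = SAMPLE_PEM + (b"-----BEGIN RSA PRIVATE KEY-----\n"
                                    b"MIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_DER = bytes.fromhex("30820100 30820120") + b"\x00" * 0x120
SAMPLE_PKCS12 = bytes.fromhex("30820400 020103 30820000") + b"\x00" * 0x10

if __name__ == "__main__":
    for name, blob in (("pem", SAMPLE_PEM), ("der", SAMPLE_DER), ("p12", SAMPLE_PKCS12)):
        print(name, preflight("local", "abc", f"local.{name}", blob, password="export-pw"))
```

The DER/PKCS12 distinction relies on the first element inside the outer SEQUENCE: a PKCS#12 PFX starts with the INTEGER version 3, while an X.509 certificate starts with the tbsCertificate SEQUENCE. The script does not verify the certificate's validity period or signature hash algorithm; those are the checks the device performs at import unless no-check-validate or no-check-hash-alg is given.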

Example

# Import a local certificate to the PKI realm abc in file transfer mode.
<HUAWEI> system-view
[HUAWEI] pki realm abc 
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki import-certificate local realm abc pem filename local.cer
 Info: Succeeded in importing the certificate.
Copyright © Huawei Technologies Co., Ltd.