Function

The certificate load command loads a certificate to a Secure Sockets Layer (SSL) policy.
The undo certificate load command unloads a certificate from an SSL policy.
By default, no certificate is loaded to an SSL policy.
Format

```
certificate load { pem-cert | pem-chain } certFile key-pair keyType key-file keyFile auth-code [ cipher authCode ]
certificate load pfx-cert certFile key-pair keyType key-file keyFile auth-code [ cipher authCode ]
certificate load pfx-cert certFile key-pair keyType mac [ cipher mac-code auth-code cipher authCode ]
undo certificate load
```
Parameters

Parameter | Description | Value |
---|---|---|
pem-cert | Loads a PEM certificate to an SSL policy. PEM is the most commonly used format and is suited to text files exchanged between systems. | - |
pem-chain | Loads a PEM certificate chain to an SSL policy. | - |
certFile | Specifies the name of a certificate file. This file must be saved in the security sub-directory of the system directory. | The value is a string of 1 to 64 characters. The specified file name must match the name of the uploaded file. When quotation marks are used around the string, spaces are allowed in the string. |
key-pair keyType | Indicates the key pair type. | The value is an enumerated type. To ensure high security, do not use an RSA key pair shorter than 2048 bits. |
key-file keyFile | Specifies the name of a key pair file. This file must be saved in the security sub-directory of the system directory. | The value is a string of 1 to 64 characters. The specified file name must match the name of the uploaded file. When quotation marks are used around the string, spaces are allowed in the string. |
auth-code | Specifies a PFX trusted-CA file. | - |
cipher authCode | Specifies the authentication code of the key pair file. The authentication code is used for identity authentication, ensuring that only authorized users can log in to a server. | The value is a string of case-sensitive letters or digits. The password can be a string of 1 to 31 characters in simple text or a string of 32 to 168 characters in encrypted text. The question mark (?) and the space are not allowed; however, when quotation marks (") are used around the password, spaces are allowed in the password. |
cipher mac-code | Specifies the message authentication code. | The value is a string of case-sensitive letters or digits. The password can be a string of 1 to 31 characters in simple text or a string of 32 to 168 characters in encrypted text. |
pfx-cert | Loads a PFX certificate to an SSL policy. PFX is a universal digital certificate format; a PFX certificate file has the .pfx extension. PFX is a binary format that can be converted into the PEM format. | - |
mac | Specifies the message authentication code. | - |
Usage Scenario
SSL provides the following security mechanisms:
A digital certificate in the PEM or PFX format is issued by a Certificate Authority (CA). The digital certificate describes the identity of its holder, helping establish a trusted relationship with the peer to meet high security requirements.
The digital certificate includes information such as the name of the person or organization that applied for the certificate, the public key, the digital signature of the issuing CA, and the validity period of the certificate. A CA can issue a certificate chain along with a digital certificate. After receiving a certificate chain, the receiver owns all the certificates on the chain.
Prerequisites
The ssl policy command has been used in the system view to create an SSL policy.
Precautions
Only one certificate or certificate chain can be loaded to an SSL policy. If a certificate or certificate chain has been loaded, unload the certificate or certificate chain before loading a new certificate or certificate chain.
After a certificate is successfully loaded, the corresponding key pair file will be deleted to improve security.
If the PEM certificate loaded to an SSL policy is not in X.509v3 format, the system displays a message indicating risks and recommending X.509v3 digital certificates. You can also run the display security risk feature ssl command to view the risk message.
For TLS1.3, load an RSA certificate whose signature uses the SHA-256 or a later hash algorithm.
The SSL policy specifies the SSL version to be associated with the cipher suite list.
TLS1.3 is incompatible with DSA certificates. After a DSA certificate is loaded, the TLS1.3 feature is disabled.
TLS1.3 is incompatible with certificates whose signature algorithm is SHA1. After such a certificate is loaded, TLS1.3 is disabled.
To use TLS1.3 properly, load an RSA certificate with a SHA-256 or later hash algorithm signature.
If an RSA certificate is loaded to the SSL server, a DSS cipher suite configured on the client for certificate verification does not take effect.
If a DSA certificate is loaded to the SSL server, an RSA certificate verification algorithm configured on the client does not take effect.
To reduce security risks, you are advised to load officially applied certificates and key pairs.
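The precautions above amount to three checks a certificate should pass before it is uploaded to the security directory and loaded: it is X.509v3, its signature algorithm is not SHA1 (and it is not a DSA certificate) if TLS1.3 is wanted, and an RSA key is at least 2048 bits. The following is an added example, not Huawei code and not part of the command reference: a dependency-free Python checker that walks the DER structure of a PEM certificate and reports which of those precautions would be triggered. The algorithm OIDs are the standard ones from RFC 3279/4055; the certificate builder at the bottom is a constructed test input with a placeholder (not a real) signature and a fake modulus, used only to exercise the parser.

```python
import base64
import re

# Standard OIDs (RFC 3279 / RFC 4055): just enough to tell SHA1 from SHA-2
# signatures and RSA from DSA keys.
SIG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "2.16.840.1.101.3.4.3.2": "dsaWithSHA256",
}
RSA_OID = "1.2.840.113549.1.1.1"  # rsaEncryption
DSA_OID = "1.2.840.10040.4.1"     # id-dsa


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the payload of a constructed DER value into (tag, value) children."""
    children, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        children.append((tag, val))
    return children


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def inspect_certificate(der):
    """Return version, signature algorithm and public key facts of one X.509 certificate."""
    children = der_children(der_tlv(der)[1])            # tbsCertificate, sigAlg, sigValue
    sig_oid = decode_oid(der_children(children[1][1])[0][1])
    tbs = der_children(children[0][1])
    if tbs[0][0] == 0xA0:                               # [0] EXPLICIT version present
        version, fields = der_children(tbs[0][1])[0][1][0] + 1, tbs[1:]
    else:                                               # version absent means v1
        version, fields = 1, tbs
    spki = der_children(fields[5][1])                   # serial, sigAlg, issuer, validity, subject, spki
    key_oid = decode_oid(der_children(spki[0][1])[0][1])
    key_bits = None
    if key_oid == RSA_OID:  # BIT STRING (skip unused-bits byte) wraps SEQUENCE { n, e }
        modulus = der_children(der_children(spki[1][1][1:])[0][1])[0][1]
        key_bits = int.from_bytes(modulus, "big").bit_length()
    return {"version": version, "sig_alg": SIG_NAMES.get(sig_oid, sig_oid),
            "key_type": {RSA_OID: "rsa", DSA_OID: "dsa"}.get(key_oid, key_oid), "key_bits": key_bits}


def check_pem(pem_text):
    """Apply the precautions from the command reference to a PEM certificate before loading it."""
    info = inspect_certificate(pem_to_der(pem_text))
    findings = []
    if info["version"] != 3:
        findings.append("not X.509v3: the device will report a security risk")
    if "sha1" in info["sig_alg"].lower():
        findings.append("SHA1 signature: TLS1.3 will be disabled after loading")
    if info["key_type"] == "dsa":
        findings.append("DSA certificate: TLS1.3 will be disabled after loading")
    if info["key_type"] == "rsa" and info["key_bits"] < 2048:
        findings.append("RSA key shorter than 2048 bits")
    return info, findings


# Constructed test input (hypothetical): a minimal DER encoder builds a throwaway
# certificate with a placeholder signature and a fake modulus of the requested size.
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_test_cert(sig_oid, key_oid, key_bits=2048, version=3):
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    if key_oid == RSA_OID:  # odd number with exactly key_bits bits; NOT a real key
        n = ((1 << (key_bits - 1)) | 1).to_bytes(key_bits // 8 + 1, "big")
        pub = der(0x30, der(0x02, n) + der(0x02, b"\x01\x00\x01"))
    else:
        pub = der(0x02, b"\x01")
    spki = der(0x30, der(0x30, der(0x06, encode_oid(key_oid)) + der(0x05, b"")) + der(0x03, b"\x00" + pub))
    name = der(0x30, b"")  # empty Name is valid DER and enough for parsing
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    tbs = (der(0xA0, der(0x02, b"\x02")) if version == 3 else b"") + der(0x02, b"\x01") + alg + name + validity + name + spki
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" + bytes(16)))  # placeholder signature


def der_to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    good = der_to_pem(build_test_cert("1.2.840.113549.1.1.11", RSA_OID, 2048))
    weak = der_to_pem(build_test_cert("1.2.840.113549.1.1.5", RSA_OID, 1024, version=1))
    for label, pem in (("good", good), ("weak", weak)):
        print(label, *check_pem(pem))
```

Run against a real servercert.pem by reading the file and passing its text to check_pem; an empty findings list means none of the precautions on this page apply, while a SHA1 or DSA finding tells you in advance that TLS1.3 will be disabled once the certificate is loaded. The checker deliberately does not validate the signature or the chain; it only reads the fields the precautions depend on.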
Example

Load a PEM certificate to the SSL policy policy1:

```
<HUAWEI> system-view
[~HUAWEI] ssl policy policy1
[*HUAWEI-ssl-policy-policy1] certificate load pem-cert servercert.pem key-pair dsa key-file serverkey.pem auth-code cipher huawei-123456
```

Load a PFX certificate to the SSL policy policy1:

```
<HUAWEI> system-view
[~HUAWEI] ssl policy policy1
[*HUAWEI-ssl-policy-policy1] certificate load pfx-cert servercert.pfx key-pair rsa key-file serverkey.pfx auth-code cipher huawei-123456
```

Load a PEM certificate chain to the SSL policy policy1:

```
<HUAWEI> system-view
[~HUAWEI] ssl policy policy1
[*HUAWEI-ssl-policy-policy1] certificate load pem-chain chain-servercert.pem key-pair rsa key-file chain-servercertkey.pem auth-code cipher huawei-123456
```