certificate auto-update enable

Function

The certificate auto-update enable command enables the CMPv2 automatic certificate update function.

The undo certificate auto-update enable command disables the function.

By default, the CMPv2 automatic certificate update function is disabled.

Format

certificate auto-update enable

undo certificate auto-update enable

Parameters

None

Views

PKI CMP session view, VS PKI CMP session view

Default Level

2: Configuration level

Task Name and Operations

Task Name    Operations
pki          write

Usage Guidelines

Usage Scenario

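A certificate authority (CA) specifies a validity period when it issues a certificate, and an expired certificate cannot be used. To avoid replacing certificates manually, run the certificate auto-update enable command so that the device updates its certificate automatically through CMPv2.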

Configuration Impact

After the certificate auto-update enable command is executed, the device automatically initiates a certificate update request and determines whether to create a new RSA key pair based on the certificate update expire-time command configuration. After the device obtains a new certificate, it uses the new certificate and RSA key pair to replace the original ones. The certificate in the CF card, certificate in the memory, and certificate used for IKE negotiation are all replaced.

Precautions

After you run the certificate auto-update enable command on a device, the device checks existing certificate-related configurations. If the conditions for updating certificates are met, the command can be executed. If the conditions are not met, the device displays a prompt message.

Example

# Enable CMPv2 automatic certificate update.
<HUAWEI> system-view
[~HUAWEI] rsa pki local-key-pair key-a create
[*HUAWEI] commit
[~HUAWEI] pki entity entitya
[*HUAWEI-pki-entitya] common-name DeviceA
[*HUAWEI-pki-entitya] quit
[*HUAWEI] commit
[~HUAWEI] pki domain domaina
[*HUAWEI-pki-domaina] pki cmp session session-a
[*HUAWEI-pki-domaina-pki-cmp-session-a] cmp request entity entitya
[*HUAWEI-pki-domaina-pki-cmp-session-a] cmp request rsa local-key-pair key-a regenerate
[*HUAWEI-pki-domaina-pki-cmp-session-a] cmp request ca-name "/C=cn/ST=beijing/L=shangdi/O=BB/OU=BB/CN=AB"
[*HUAWEI-pki-domaina-pki-cmp-session-a] cmp request server url http://172.16.73.168:8080
[*HUAWEI-pki-domaina-pki-cmp-session-a] cmp request authentication-cert cert-a.cer
[*HUAWEI-pki-domaina-pki-cmp-session-a] quit
[*HUAWEI-pki-domaina] pki cmp initial-request
[*HUAWEI-pki-domaina] quit
[*HUAWEI] commit
[~HUAWEI] pki import-certificate local filename session-a_ir.cer
[~HUAWEI] pki import-certificate ca filename session-a_ca0.cer
[~HUAWEI] pki domain domaina
[*HUAWEI-pki-domaina] pki cmp session session-a
[*HUAWEI-pki-domaina-pki-cmp-session-a] cmp request authentication-cert session-a_ir.cer
[~HUAWEI-pki-domaina-pki-cmp-session-a] certificate auto-update enable
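
The following is an added example, not part of the Huawei documentation. Because the function is disabled by default, a configuration audit can list the CMP sessions that will not update their certificates automatically. Only the command strings come from this page; the saved-configuration layout in the sample (indented child views, # separators), the sample names, and the function names are assumptions.

```python
import re

# Constructed sample. The layout (one-space indentation per child view,
# '#' between top-level blocks) is an assumption, not taken from the page.
SAMPLE_CONFIG = """\
pki domain domaina
 pki cmp session session-a
  cmp request entity entitya
  certificate auto-update enable
#
pki domain domainb
 pki cmp session session-b
  cmp request entity entityb
  certificate auto-update enable
  undo certificate auto-update enable
 pki cmp session session-c
  cmp request entity entityc
#
"""

ENABLE = "certificate auto-update enable"
DOMAIN_RE = re.compile(r"^pki domain (\S+)$")
SESSION_RE = re.compile(r"^pki cmp session (\S+)$")

def audit_auto_update(config_text):
    """Map (domain, session) -> True if auto-update ends up enabled."""
    state, domain, session = {}, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():      # a top-level line closes any open view
            domain = session = None
            m = DOMAIN_RE.match(line)
            if m:
                domain = m.group(1)
            continue
        m = SESSION_RE.match(line)
        if m and domain:
            session = m.group(1)
            state[(domain, session)] = False   # disabled by default
        elif session and line == ENABLE:
            state[(domain, session)] = True
        elif session and line == "undo " + ENABLE:
            state[(domain, session)] = False   # the undo form disables it
    return state

def sessions_without_auto_update(config_text):
    """Sorted (domain, session) pairs that rely on manual certificate update."""
    return sorted(k for k, on in audit_auto_update(config_text).items() if not on)
```
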
Copyright © Huawei Technologies Co., Ltd.