pki import-certificate filename

Function

The pki import-certificate command imports the CA certificate and local certificate obtained through a manual update into memory. If the domain parameter is specified, the certificate is imported into that domain. The default domain is a reserved domain and cannot be imported into.

Format

pki import-certificate { ca | local | crl | peer } [ domain domainName ] filename file-name

Parameters

Parameter           Description                                                           Value
ca                  Indicates the CA certificate to be imported.                          -
local               Indicates the local certificate to be imported.                       -
crl                 Indicates the CRL (certificate revocation list) to be imported.       -
peer                Indicates the peer certificate to be imported.                        -
domain domainName   Indicates the domain name.                                            The value is a string of 1 to 31 case-sensitive characters.
filename file-name  Indicates the file name of the CA certificate or local certificate.   The value is a string of 1 to 63 case-sensitive characters.

Views

System view

Default Level

3: Management level

Task Name and Operations

Task Name   Operations
pki         debug

Usage Guidelines

Usage Scenario

The CA certificate and local certificate obtained through a manual update take effect only after they are imported into memory.

Ensure that the CA certificate or local certificate is no larger than 2 MB. Otherwise, the import fails.

Before importing a certificate file, ensure that the certificate file contains only one certificate. Otherwise, the certificate file fails to be imported.

To ensure high security, you are advised not to import a certificate signed with the MD5 or SHA1 algorithm. A certificate key length greater than 2048 bits is recommended.

Updating the certificate files every 90 days is recommended.

If a certificate file contains fields other than the following ones, the certificate file may fail to be imported.

Attribute   Issuer DN options      Subject DN options     Subject Alternative Name options
Field       C                      C                      DNS
Field       DC                     DC                     email
Field       ST                     ST                     IP Address
Field       L                      L                      -
Field       O                      O                      -
Field       OU                     OU                     -
Field       title                  title                  -
Field       SN                     SN                     -
Field       initials               initials               -
Field       GN                     GN                     -
Field       serialNumber           serialNumber           -
Field       name                   name                   -
Field       CN                     CN                     -
Field       dnQualifier            dnQualifier            -
Field       emailAddress           emailAddress           -
Field       unstructuredName       unstructuredName       -
Field       unstructuredAddress    unstructuredAddress    -
Field       pseudonym              pseudonym              -
Attribute   Key usage              -                      -
Attribute   AIA (URI)              -                      -
Attribute   CDP (URI)              -                      -
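A pre-import check over the guidelines above (file size, exactly one certificate, MD5/SHA1 signature, key length, supported DN attributes and SAN types), written here as an added example that is not part of this Huawei page or the device's own import logic; it parses the `openssl x509 -text` output format used by the certificate example below. The constant names, the use of 2048 bits as the floor, and the sample dump are this example's own assumptions.

```python
import re

MAX_FILE_BYTES = 2 * 1024 * 1024   # import size limit from the guidelines
MIN_KEY_BITS = 2048                # assumption: 2048 used as the floor (guidelines recommend more)
WEAK_SIG_ALGS = ("md5", "sha1")    # hash algorithms the guidelines advise against
# DN attribute types and SAN entry types the guidelines list as supported.
SUPPORTED_DN_ATTRS = {"C", "DC", "ST", "L", "O", "OU", "title", "SN", "initials",
                      "GN", "serialNumber", "name", "CN", "dnQualifier", "emailAddress",
                      "unstructuredName", "unstructuredAddress", "pseudonym"}
SUPPORTED_SAN_TYPES = {"DNS", "email", "IP Address"}

def check_pem_bytes(data):
    """Size and single-certificate checks on the raw PEM file contents."""
    findings = []
    if len(data) > MAX_FILE_BYTES:
        findings.append("file larger than 2 MB")
    if (n := data.count(b"-----BEGIN CERTIFICATE-----")) != 1:
        findings.append(f"file contains {n} certificates, expected exactly 1")
    return findings

def parse_dn(dn):  # attribute types of 'type=value,...'; values containing commas not handled
    return [p.split("=", 1)[0].strip() for p in dn.split(",") if "=" in p]

def check_cert_text(text):
    """Check an `openssl x509 -text` dump; return the list of guideline violations."""
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if sig and any(w in sig.group(1).lower() for w in WEAK_SIG_ALGS):
        findings.append(f"weak signature algorithm: {sig.group(1)}")
    bits = re.search(r"Public[- ]Key:\s*\((\d+) bit\)", text)
    if bits and int(bits.group(1)) < MIN_KEY_BITS:
        findings.append(f"key length {bits.group(1)} bits is below {MIN_KEY_BITS}")
    for label in ("Issuer", "Subject"):  # exact 'Label:' so 'Subject Public Key Info:' is skipped
        m = re.search(rf"^\s*{label}:\s*(.+)$", text, re.M)
        for attr in (parse_dn(m.group(1)) if m else []):
            if attr not in SUPPORTED_DN_ATTRS:
                findings.append(f"unsupported {label} attribute: {attr}")
    san = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    for entry in (san.group(1).split(",") if san else []):
        if (kind := entry.split(":", 1)[0].strip()) not in SUPPORTED_SAN_TYPES:
            findings.append(f"unsupported SAN type: {kind}")
    return findings

# Constructed sample dump (not the page's certificate): weak hash, short key, unsupported UID and URI.
SAMPLE_DUMP = """\
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=fortest3
        Subject: C=CN,O=Huawei,OU=router,CN=certifi,UID=1001
            RSA Public Key: (1024 bit)
            X509v3 Subject Alternative Name:
                DNS:www.example.com, URI:http://www.example.com/
"""
```

Run the text checks on the output of `openssl x509 -in file.cer -noout -text` and the byte checks on the file itself before issuing the import command.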

Use the following certificate file as an example:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            70:c8:10:73:20:83:f1:cd
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=fortest3
        Validity
            Not Before: Jul 23 15:46:17 2016 GMT
            Not After : Jul 28 06:00:04 2016 GMT
        Subject: C=CN,DC=huawei,ST=JiangSu,L=NanJing,O=Huawei,OU=router,title=certificate,SN=Yuan,initials=Y,GN=Xinzhu,serialNumber=1234567,name=fan,CN=certifi,dnQualifier=dnQualifier,emailAddress=huawei@huawei.com,unstructuredName=www.huawei.com,unstructuredAddress=10.1.1.3,pseudonym=fan
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:eb:f9:e9:8c:0f:08:47:10:52:f8:85:85:cd:02:
                    c9:8a:4e:cb:9d:2a:cf:de:8f:22:54:64:14:0f:1e:
                    41:54:46:12:37:3f:1c:1f:ee:cd:6f:28:2e:93:25:
                    8d:8d:1d:02:49:1e:15:b4:55:3b:c9:8d:e1:4a:d3:
                    00:3a:92:ec:60:2d:9d:c1:31:2a:f7:a5:c3:63:70:
                    cb:fc:c7:a3:50:0a:3f:16:31:42:af:da:3c:d6:5d:
                    27:b2:21:74:09:2f:b7:14:61:e6:05:58:b7:5c:0c:
                    2c:a6:18:49:e4:ab:6a:65:85:9a:9d:b2:81:93:58:
                    9c:bb:a0:e1:21:bd:f3:58:be:e3:40:43:41:55:36:
                    14:38:95:e8:16:0c:cb:e0:bb:32:95:71:0e:a9:ca:
                    6c:a8:f8:24:5c:9a:08:72:a2:9b:88:9a:13:eb:f9:
                    d2:18:95:23:1e:e5:ba:1d:d0:db:98:b9:a0:c2:da:
                    f3:c8:e7:0a:8a:46:7d:1a:28:6c:ca:a1:83:c1:8e:
                    81:73:d4:51:1e:29:db:26:cf:1a:4c:5e:1a:d3:1f:
                    62:04:ec:75:31:44:cc:f7:b8:06:41:12:31:cd:91:
                    a8:79:be:3b:ec:c8:de:77:ea:6b:93:41:9e:a5:1c:
                    05:b9:3b:cb:bf:1e:31:8d:c7:bb:10:59:3a:b8:71:
                    27:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection,
            X509v3 Subject Alternative Name:
                email:huawei@huawei.com, DNS:www.huawei/vrp.com, IP Address:10.1.2.3
            X509v3 CRL Distribution Points:
                URI:ldap:///CN=rootca,CN=HUAWEI-D59BB23C,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipsec,DC=huawei,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
                URI:http://huawei-d59bb23c.ipsec.huawei.com/CertEnroll/rootca.crl
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=rootca,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipsec,DC=huawei,DC=com?cACertificate?base?objectClass=certificationAuthority
                CA Issuers - URI:http://huawei-d59bb23c.ipsec.huawei.com/CertEnroll/HUAWEI-D59BB23C.ipsec.huawei.com_rootca.crt
    Signature Algorithm: sha1WithRSAEncryption
        89:45:64:20:b4:e0:1b:ff:74:1c:e8:2a:33:35:ab:f5:ce:ec:
        ac:d1:70:20:06:2b:1e:75:00:16:d7:87:40:76:52:08:5e:57:
        bc:e9:82:93:47:41:d3:e7:7a:21:93:76:a9:9a:31:97:c8:d4:
        11:fb:37:48:87:fb:6d:fd:21:07:6a:ff:84:bc:6c:be:94:b0:
        03:0e:86:47:c3:ed:b2:5f:8c:39:82:37:30:71:7c:3a:89:10:
        2c:09:43:4d:b6:3e:e0:b2:4c:92:9e:f0:f4:3b:0d:f4:35:18:
        28:1f:a1:72:43:9f:97:99:c5:7e:77:5d:df:be:8b:fb:bc:75:
        8a:40:00:ed:22:d9:4b:4d:e3:e4:93:25:e2:d7:ef:1d:77:4f:
        ef:18:aa:16:ad:f4:7b:5e:55:50:f6:7c:c9:6b:72:34:67:21:
        c2:24:99:a4:70:ac:ff:2e:28:4d:2d:8b:18:01:e1:c1:ba:2c:
        08:3d:64:56:21:97:99:49:a5:02:f0:3a:bf:0e:96:89:37:26:
        c8:db:9e:90:12:e8:8f:24:8b:2c:d7:3a:cf:b9:d0:bb:23:ad:
        ca:1a:b3:e5:95:f2:93:26:f5:1d:06:40:67:50:60:16:ae:9a:
        1f:5e:a7:62:21:12:18:93:22:23:12:ba:f4:79:f1:aa:9f:af:
        ca:37:d9:22

Example

# Import the CA certificate ca.cer.
<HUAWEI> system-view
[~HUAWEI] pki import-certificate ca filename ca.cer
SHA1 fingerprint: FCCB 7E4E 9385 98D0 33A0 5DD2 4623 4438 64DF 5016
Confirm to import the CA? [Y/N]:
Copyright © Huawei Technologies Co., Ltd.