Configuring CMP-based Certificate Management

The following types of CMP requests are used in the CMP-based certificate application process: initialization request (IR) and key update request (KUR).

Prerequisites

Before configuring automatic certificate update, verify that the network is reachable and that the CA server is running normally.

Context

The NetEngine 8000 F supports IRs and KURs.

  • IR: When the NetEngine 8000 F does not obtain a certificate authorized by a carrier, it needs to send an IR to request an identity authentication certificate.
  • KUR: Each certificate has a validity period with definite start and end dates. During an IKE negotiation, the two devices check whether each other's certificate has expired, and the negotiation fails if either device's certificate has expired. Therefore, the NetEngine 8000 F needs to update its certificate before it expires. Automatic certificate update can be configured on the NetEngine 8000 F for this purpose.

Certificates obtained using IRs are stored on the CF card but do not take effect. These certificates take effect only after they are imported to the memory using a command. Certificates obtained using KURs can be automatically saved in the memory if the KUR function is enabled.

Perform the following steps on the NetEngine 8000 F where you need to apply for a certificate.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki domain domain-name

    The PKI domain name configuration view is displayed.

  3. Run pki cmp initial-request

    IRs are used to apply for a certificate for the local device.

  4. (Optional) Stop the process of polling a CMP request.

    If the NetEngine 8000 F does not receive a response from the connected CA server after sending a CMP request, it keeps polling the CA server for that request. Perform the following steps to stop the polling process manually.

    1. Run the pki cmp session session-name command to enter the CMP session view.
    2. Run the cmp poll-request stop command to manually stop the process of polling a CMP request.
    3. Run the quit command to return to the PKI domain name configuration view.
  5. Run quit

    Return to the system view.

  6. Run pki import-certificate local [ domain domainName ] filename file-name

    The local certificate is imported.

    To ensure high security, you are advised not to import certificates that use the MD5 or SHA1 algorithm. The recommended key length of a certificate is 2048 bits or more.

  7. Run pki cmp session session-name

    The CMP session view is displayed.

  8. Run cmp request authentication-cert cert-name

    The certificate to be carried in a CMPv2 request for identity authentication is configured.

  9. Run quit

    Return to the system view.

  10. Run pki import-certificate ca [ domain domainName ] filename file-name

    The CA certificate is imported.

    To ensure high security, you are advised not to import certificates that use the MD5 or SHA1 algorithm. The recommended key length of a certificate is 2048 bits or more.

  11. (Optional) Enable the automatic certificate update function.
    1. Run the pki domain domain-name command to enter the PKI domain name configuration view.
    2. Run the pki cmp session session-name command to enter the CMP session view.
    3. Run the certificate auto-update enable command to enable the automatic certificate update.
    4. (Optional) Run the certificate update expire-time valid-percent command to configure the percentage of the certificate validity period after which the automatic certificate update is triggered.
  12. Run commit

    The configuration is committed.

  13. Verify the configuration.

    If the IR-based certificate application succeeds, the files DomainName_ir.cer and DomainName_caX.cer exist on the CF card. There are several DomainName_caX.cer files, one per CA certificate in the chain, such as DomainName_ca0.cer, DomainName_ca1.cer, and DomainName_ca2.cer.
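The complete command sequence of the procedure above, assembled into one session as an added example (it is not taken from Huawei's documentation or from a device). The PKI domain name cmp_dom, the CMP session name cmp_sess, the authentication certificate name, and the valid-percent value 80 are assumed values chosen for illustration; the certificate file names follow the DomainName_ir.cer and DomainName_caX.cer pattern given in step 13. Lines beginning with # are explanatory and are not entered on the device.

```text
# Step 1-3: enter the PKI domain and send the initialization request (IR).
system-view
pki domain cmp_dom
pki cmp initial-request
# Step 4 (optional), only if the CA server does not answer and polling
# should be stopped by hand:
#   pki cmp session cmp_sess
#   cmp poll-request stop
#   quit
quit
# Step 6: the IR result (cmp_dom_ir.cer) sits on the CF card but is not
# active; import it into memory. Before importing, confirm the certificate
# is not signed with MD5 or SHA1 and that its key is at least 2048 bits.
pki import-certificate local domain cmp_dom filename cmp_dom_ir.cer
# Step 7-9: tell the CMP session which certificate authenticates later
# CMPv2 requests (the key update request, KUR).
pki cmp session cmp_sess
cmp request authentication-cert cmp_dom_ir.cer
quit
# Step 10: import the CA certificate obtained with the IR.
pki import-certificate ca domain cmp_dom filename cmp_dom_ca0.cer
# Step 11 (optional): renew automatically once 80% of the validity
# period has elapsed, so the certificate is replaced before it expires.
pki domain cmp_dom
pki cmp session cmp_sess
certificate auto-update enable
certificate update expire-time 80
# Step 12: commit the candidate configuration.
commit
```

After the commit, check the CF card for cmp_dom_ir.cer and the cmp_dom_caX.cer files as described in step 13; if the IR has not been answered yet, the device is still polling and the files will not exist until the CA responds.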

Copyright © Huawei Technologies Co., Ltd.