To authenticate users with certificates, the entity needs to obtain a local certificate and CA certificates. The local certificate proves the identity of the entity, and a CA certificate proves that the local certificate was issued by a legitimate CA.
In a two-node cluster, you are advised to set different certificate expiration dates for the active and standby devices so that both devices do not become unavailable at the same time.
You can perform the following operations to obtain the certificates:
Configure a PKI domain.
Before sending a certificate request, create a PKI domain and configure the entity information in the PKI domain.
A PKI domain is valid only on the local device and is not visible to certificate authorities (CAs) or other devices. Each PKI domain has its own parameters.
Manually apply for certificates.
After the NetEngine 8000 F generates a certificate request file, send the file to the CA through FTP, a disk, or email to apply for certificates from the CA.
Manually download certificates.
After the certificates are generated on the CA server, you can download the CA certificate and local certificate through FTP, disk, or email.
Install certificates.
After obtaining the CA certificates and the local certificate, install them on the device so that they take effect.
Run system-view
The system view is displayed.
Run pki domain domain-name
A PKI domain is created, and the PKI domain view is displayed.
Run certificate request entity entity-name
The entity whose information is used in certificate requests is specified. The entity name must already exist.
Run commit
The configuration is committed.
Run system-view
The system view is displayed.
(Optional) Run pki file-format { der | pem }
The certificate file format is configured.
Run pki request-certificate domain domain-name pkcs10 [ signature-algorithm { sha2-256 | sha2-384 | sha2-512 } ]
A certificate request file named domain-name.req is generated.
Apply for a local certificate.
Send the certificate request file to the CA through FTP, a floppy disk, or email to apply for a local certificate.
Run system-view
The system view is displayed.
Run pki import-certificate { ca | local | peer } [ domain domainName ] filename file-name
The CA certificate or local certificate is installed.
For security, you are advised not to import certificates signed with the MD5 or SHA1 algorithm. The recommended key length of a certificate is 2048 bits or more.