A digital certificate, which a user applies for from a trusted certificate authority (CA), provides multiple services, such as identity authentication, access control, and integrity and confidentiality assurance, for IPsec, SSH, SSL, and other security features.
For security purposes, the validity period of a digital certificate is fixed when the certificate is issued. An expired certificate fails verification and therefore cannot be used. Because certificate expiration disrupts the network services that depend on the certificate, you need to periodically run command-based or alarm-based queries to check whether certificates are about to expire or have already expired.
Methods of Certificate Expiration Query
Command-based query: the Validity field of the certificate listing shows the expiration time (Not After).

<HUAWEI> display pki ca_list
The x509 object type is certificate:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      49:71:c8:f9:31:04:3e:1b:42:bc:29:f6:bb:06:40:33:b3:f7:53:d9
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: CN=root,OU=HW,O=HW,L=NJ,ST=JS,C=CN
    Validity
      Not Before: Jun 16 01:01:45 2021 GMT
      Not After : Jun 16 01:01:45 2022 GMT
Alarm-based query: an expired local certificate raises a critical (level 1) alarm whose description carries the certificate's validity period, issuer, and subject.

<HUAWEI> display alarm active
1:Critical 2:Major 3:Minor 4:Warning
-------------------------------------------------------------------------------
Sequence AlarmId  Level Date       Time     Description
-------------------------------------------------------------------------------
155      0xF100E5 1     2023-10-29 19:21:54 The local certificate is invalid.
                                            (LocalCertStartTime=2021-06-16 06:34:45,
                                            LocalCertFinishTime=2022-06-16 06:34:45,
                                            LocalCertIssuer=CN=root,
                                            LocalCertSubject=CN=R1)
-------------------------------------------------------------------------------
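The periodic check described above is easy to automate once the command output is parsed. The following Python script is an added example, not code from the original page or from Huawei: it parses the Validity block of a display pki ca_list listing (sample text constructed here, modelled on the output shown above) and the LocalCertFinishTime field of the alarm description, then rates each certificate as valid, expiring-soon, expired, or not-yet-valid against a clock you supply. The 30-day warning threshold is an assumption; pick the value that matches your renewal lead time.

```python
"""Added example: automate the command- and alarm-based expiry queries.
Not part of the original page; the sample listing and alarm text below are
constructed to mirror the page's output and are not real device captures."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample listing, modelled on the page's 'display pki ca_list' output.
SAMPLE_CA_LIST = """\
The x509 object type is certificate:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      49:71:c8:f9:31:04:3e:1b:42:bc:29:f6:bb:06:40:33:b3:f7:53:d9
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: CN=root,OU=HW,O=HW,L=NJ,ST=JS,C=CN
    Validity
      Not Before: Jun 16 01:01:45 2021 GMT
      Not After : Jun 16 01:01:45 2022 GMT
"""

# Constructed alarm description, modelled on the page's 'display alarm active' row.
SAMPLE_ALARM = ("The local certificate is invalid. (LocalCertStartTime=2021-06-16 06:34:45, "
                "LocalCertFinishTime=2022-06-16 06:34:45, LocalCertIssuer=CN=root, "
                "LocalCertSubject=CN=R1)")

# OpenSSL-style validity line, e.g. "Not After : Jun 16 01:01:45 2022 GMT"
VALIDITY_RE = re.compile(
    r"Not (?P<which>Before|After)\s*:\s*"
    r"(?P<ts>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT$")


def parse_certificates(listing):
    """Return one dict per 'Certificate:' block: serial, issuer, not_before, not_after (UTC)."""
    certs, cur, serial_on_next_line = [], None, False
    for raw in listing.splitlines():
        line = raw.strip()
        if line == "Certificate:":
            cur = {}
            certs.append(cur)
            continue
        if cur is None:
            continue
        if serial_on_next_line:            # serial is printed on the line after its label
            cur["serial"] = line
            serial_on_next_line = False
        elif line.startswith("Serial Number:"):
            value = line[len("Serial Number:"):].strip()
            if value:
                cur["serial"] = value
            else:
                serial_on_next_line = True
        elif line.startswith("Issuer:"):
            cur["issuer"] = line[len("Issuer:"):].strip()
        else:
            m = VALIDITY_RE.match(line)
            if m:
                key = "not_before" if m.group("which") == "Before" else "not_after"
                # strptime treats a space in the format as any run of whitespace,
                # so day numbers padded to two columns ("Jun  6") also parse.
                cur[key] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y") \
                                   .replace(tzinfo=timezone.utc)
    return certs


def classify(cert, now, warn_days=30):
    """Rate one parsed certificate against the supplied UTC clock."""
    if now < cert["not_before"]:
        return "not-yet-valid"
    if now >= cert["not_after"]:
        return "expired"
    if cert["not_after"] - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "valid"


def check_listing(listing, now, warn_days=30):
    """Return (issuer, status, whole days until expiry) per certificate; negative means past expiry."""
    return [(c.get("issuer"), classify(c, now, warn_days), (c["not_after"] - now).days)
            for c in parse_certificates(listing)]


def alarm_finish_time(description):
    """Extract LocalCertFinishTime from an alarm description (naive, device-local time)."""
    m = re.search(r"LocalCertFinishTime=(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", description)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for issuer, status, days in check_listing(SAMPLE_CA_LIST, now):
        print(f"{status:14s} {days:6d} days  issuer={issuer}")
    print("alarm reports expiry at", alarm_finish_time(SAMPLE_ALARM))
```

Feed the script the saved output of the display command instead of SAMPLE_CA_LIST to check a real device; the alarm timestamps are in the device's local time while the listing is in GMT, so compare each against the matching clock.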
Certificate Update Procedure
For details, see "Updating the Expired Local Certificate and CRL Certificate" in Configuration > Security > PKI Configuration > Maintaining PKI.
A certificate can be updated in offline mode or in CMP mode. The following uses CMP mode as an example to show how to set up automatic certificate update. Before performing these operations, ensure that the CA server has been configured to issue certificates automatically. In addition, for initial authentication, check that the device has been preconfigured with an external certificate (such as abc.cer used in step 1) for mutual authentication with the CA server.
1. Create an RSA key pair, configure the PKI entity and domain, configure the CMP session, and send the initial request.

<HUAWEI> system-view
[~HUAWEI] pki rsa local-key-pair abc create
Info: The name of the new RSA key will be:abc.
The range of public key size is (2048 ~ 4096).
NOTES: If the key modulus is greater than 2048, it will take a few minutes.
Input the bits in the modulus[default = 2048]:
Info: Operating, please wait for a moment.......done.
Info: Create RSA local-key-pair success.
[*HUAWEI] commit
[~HUAWEI] pki entity abc
[*HUAWEI-pki-entity-abc] common-name HUAWEI
[*HUAWEI-pki-entity-abc] commit
[~HUAWEI-pki-entity-abc] quit
[~HUAWEI] pki domain abc
[*HUAWEI-pki-domain-abc] pki cmp session abc
[*HUAWEI-pki-domain-abc-pki-cmp-session-abc] cmp request entity abc
[*HUAWEI-pki-domain-abc-pki-cmp-session-abc] cmp request rsa local-key-pair k abc regenerate 4096
[*HUAWEI-pki-domain-abc-pki-cmp-session-abc] cmp request ca-name "/C=CN/O=JIT/CN=CMPSignCert"
[*HUAWEI-pki-domain-abc-pki-cmp-session-abc] cmp request authentication-cert abc.cer
[*HUAWEI-pki-domain-abc-pki-cmp-session-abc] cmp request server url http://10.10.10.10:10000/cmp
[*HUAWEI-pki-domain-abc-pki-cmp-session-abc] commit
[~HUAWEI-pki-domain-abc-pki-cmp-session-abc] quit
[~HUAWEI-pki-domain-abc] pki cmp initial-request
[~HUAWEI-pki-domain-abc] quit
2. Import the local certificate obtained through the initial request and the CA certificates.

[~HUAWEI] pki import-certificate local filename abc_ir.cer
[~HUAWEI] pki import-certificate ca filename abc_ca0.cer
[~HUAWEI] pki import-certificate ca filename abc_ca1.cer
3. Switch the CMP session to the newly issued certificate for authentication and enable automatic update.

[~HUAWEI] pki domain abc
[~HUAWEI-pki-domain-abc] pki cmp session abc
[~HUAWEI-pki-domain-abc-pki-cmp-session-abc] cmp request authentication-cert abc_ir.cer
[~HUAWEI-pki-domain-abc-pki-cmp-session-abc] certificate auto-update enable