Configuration Guidelines; Configuration Procedure; Verifying Pki Certificates - HP FlexFabric 5700 Series Security Configuration Manual
Hide thumbs
Also See for FlexFabric 5700 Series:
- Configuration manual (185 pages) ,
- Configuration manual (125 pages) ,
- Configuration manual (132 pages)
Table of Contents
Advertisement
Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or TFTP is not
•
available, display and copy the contents of a certificate to a file on the device. Make sure the
certificate is in PEM format because only certificates in PEM format can be imported.
•
To import a certificate, a CA certificate chain must exist in the PKI domain, or be contained in the
certificate. If the CA certificate chain is not available, obtain it before importing the certificate.
Configuration guidelines
To import a local certificate containing an encrypted key pair, you must provide the challenge
•
password. Contact the CA administrator to obtain the password.
If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to
•
obtain a new one, use the pki delete-certificate command to remove the existing CA certificate and
local certificates first.
•
If local or peer certificates already exist, you can obtain new local or peer certificates to overwrite
the existing ones. If RSA is used, a PKI domain can have two local certificates, one for signature and
the other for encryption.
If CRL checking is enabled, obtaining a certificate triggers CRL checking. If the certificate to be
•
obtained has been revoked, the certificate cannot be obtained.
The device compares the validity period of a certificate with the local system time to determine
•
whether the certificate is valid. Make sure the system time of the device is synchronized with the CA
server.
Configuration procedure
To obtain certificates:
Step
1.
Enter system view.
2.
Obtain certificates.
Verifying PKI certificates
A certificate is automatically verified when it is requested, obtained, or used by an application. If the
certificate expires, if it is not issued by a trusted CA, or if it is revoked, the certificate cannot be used.
You can also manually verify a certificate. If it has been revoked, the certificate cannot be requested or
obtained.
Command
system-view
•
Import certificates in offline mode:
pki import domain domain-name { der { ca |
local | peer } filename filename | p12 local
filename filename | pem { ca | local | peer }
[ filename filename ] }
•
Obtain certificates in online mode:
pki retrieve-certificate domain
domain-name { ca | local | peer
entity-name }
225
Remarks
N/A
The pki
retrieve-certificate
command is not saved
in the configuration
file.
- Quick Links:
- Configuring Local Users
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
