HPE FlexNetwork 10500 Series Security Configuration Manual page 337

the certificates are still valid after Device B replaces Device A, copy the certificates on Device A to
Device B as follows:
1. Export the certificates in PKI domain exportdomain on Device A to .pem certificate files.
During the export, encrypt the private key in the local certificates using 3DES_CBC with the
password 11111.
2. Transfer the certificate files from Device A to Device B through the FTP host.
3. Import the certificate files to PKI domain importdomain on Device B.
Figure 91 Network diagram
Host
Host
Configuration procedure
1. Export the certificates on Device A:
# Export the CA certificate to a .pem file.
<DeviceA> system-view
[DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem
# Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC
to encrypt the private key with the password 111111.
[DeviceA] pki export domain exportdomain pem local 3des-cbc 111111 filename
pkilocal.pem
Now, Device A has three certificate files in PEM format:
A CA certificate file named pkicachain.pem.

A local certificate file named pkilocal.pem-signature, which contains the private key for

signature.
A local certificate file named pkilocal.pem-encryption, which contains the private key for

encryption.
# Display the local certificate file pkilocal.pem-signature.
[DeviceA] quit
<DeviceA> more pkicachain.pem-sign
Bag Attributes
friendlyName:
localKeyID: 90 C6 DC 1D 20 49 4F 24 70 F5 17 17 20 2B 9E AC 20 F3 99 89
subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subsign 11
issuer=/C=CN/L=shangdi/ST=pukras/O=OpenCA Labs/OU=docm/CN=subca1
-----BEGIN CERTIFICATE-----
MIIEgjCCA2qgAwIBAgILAJgsebpejZc5UwAwDQYJKoZIhvcNAQELBQAwZjELMAkG
...
-----END CERTIFICATE-----
Bag Attributes
friendlyName:
Device A
1) Export
Device B
2) Import
IP network
IP network
320