
HP FlexNetwork MSR Series Command Reference Manual page 468

Comware 7 security

Syntax
In non-FIPS mode:
root-certificate fingerprint { md5 | sha1 } string
undo root-certificate fingerprint
In FIPS mode:
root-certificate fingerprint sha1 string
undo root-certificate fingerprint
Default
No fingerprint is set for verifying the root CA certificate.
Views
PKI domain view
Predefined user roles
network-admin
Parameters
md5: Sets an MD5 fingerprint.
sha1: Sets an SHA1 fingerprint.
string: Sets the fingerprint in hexadecimal notation. If you specify the MD5 keyword, the fingerprint is
a string of 32 characters. If you specify the SHA1 keyword, the fingerprint is a string of 40 characters.
Usage guidelines
If you set the certificate request mode to auto for a PKI domain that does not have a CA certificate,
you must configure the fingerprint for CA certificate verification. When an application, like IKE,
triggers the device to request local certificates, the device automatically performs the following
operations:
1. Obtains the CA certificate from the CA server.
2. Verifies the fingerprint of the CA certificate against the one configured in the PKI domain.
If the two fingerprints do not match, or no fingerprint is configured in the PKI domain, the device
rejects the CA certificate and the local certificate request fails.
The fingerprint configured by this command is also used for CA certificate verification when the
device performs the following operations:
• Imports the CA certificate as requested by the pki import command.
• Obtains the CA certificate as requested by the pki retrieve-certificate command.
The device automatically verifies the fingerprint of the CA certificate to be imported or obtained
against that configured in the PKI domain. If the two fingerprints do not match, the device rejects the
CA certificate. If no fingerprint is configured in the PKI domain, the device prompts you to manually
verify the fingerprint of the CA certificate to be imported or obtained.
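The check described in these guidelines can be reproduced off the device to derive the string for this command from a CA certificate file obtained out of band. The following is an added example, not code from the manual or from Comware. It assumes the fingerprint is the digest of the DER-encoded certificate (the value openssl x509 -fingerprint prints); the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

# Fingerprint string lengths stated on this page: MD5 = 32, SHA1 = 40 hex chars.
HEX_LEN = {"md5": 32, "sha1": 40}

def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from a single PEM CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(der: bytes, algo: str) -> str:
    """Digest of the DER encoding, as uppercase hex without separators."""
    return hashlib.new(algo, der).hexdigest().upper()

def normalize(configured: str, algo: str) -> str:
    """Strip ':' or spaces (openssl-style output) and enforce the documented length."""
    s = re.sub(r"[:\s]", "", configured).upper()
    if len(s) != HEX_LEN[algo] or not re.fullmatch(r"[0-9A-F]+", s):
        raise ValueError(f"{algo} fingerprint must be {HEX_LEN[algo]} hex characters")
    return s

def verify_ca(der, algo=None, configured=None, auto_request=False) -> str:
    """Decision described in the usage guidelines: accept, reject, or manual."""
    if configured is None:
        # No fingerprint in the PKI domain: auto mode fails, import/retrieve prompts.
        return "reject" if auto_request else "manual"
    return "accept" if fingerprint(der, algo) == normalize(configured, algo) else "reject"

# Constructed stand-in bytes, not a real certificate: the digest only needs bytes.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes " * 4
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    fp = fingerprint(der, "sha1")
    print("root-certificate fingerprint sha1", fp)
    print(verify_ca(der, "sha1", fp, auto_request=True))            # accept
    print(verify_ca(der, "sha1", "00" * 20, auto_request=True))     # reject
    print(verify_ca(der, auto_request=True), verify_ca(der))        # reject manual
```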
Examples
# Specify an MD5 fingerprint for verifying the root CA certificate. (This feature is supported only in
non-FIPS mode.)
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E
# Specify an SHA1 fingerprint for verifying the root CA certificate.
<Sysname> system-view