H3C MSR Series Command Reference Manual page 512

Comware 7 security

For a local or peer certificate to be imported, the correct CA certificate chain must exist. The CA certificate chain can be stored on the device in the PKI domain, or carried in the local or peer certificate itself. If neither the PKI domain nor the local or peer certificate being imported has the CA certificate chain, obtain and import the CA certificate first.
When you import local or peer certificates:
• If the local or peer certificates contain the CA certificate chain, you can import the CA certificate and the local or peer certificates at the same time. If the CA certificate already exists in a PKI domain, the system prompts you whether to overwrite the existing CA certificate.
• If the local or peer certificates do not contain the CA certificate chain, but the CA certificate already exists in a PKI domain, you can directly import the certificates.
You can import a CA certificate to a PKI domain when either of the following conditions is met:
• The CA certificate to be imported is the CA root certificate, or contains a certificate chain that includes the root certificate.
• The CA certificate contains a certificate chain without the root certificate, but the chain can be completed with a CA certificate that already exists on the device.
Contact the CA administrator to get information as prompted in the following scenarios:
• The system prompts you to confirm the certificate's fingerprint in the following situations:
  – The certificate file to be imported contains the root certificate, but the root certificate does not exist in any PKI domain on the device.
  – The root-certificate fingerprint command is not configured in the PKI domain to which the certificate file is to be imported.
• The system prompts you to enter the challenge password used for encrypting the private key if the local certificate to be imported contains a key pair.
When you import a local certificate file that contains a key pair, you can choose to update the domain with the key pair. Depending on the purpose of the key pair, the following conditions might apply:
• If the purpose of the key pair is general, the device uses the key pair to replace the local key pair that is found in this order:
  a. General-purpose key pair.
  b. Signature key pair.
  c. Encryption key pair.
• If the purpose of the key pair is signature, the device uses the key pair to replace the local key pair that is found in this order:
  a. General-purpose key pair.
  b. Signature key pair.
• If the purpose of the key pair is encryption, the device searches the domain for an encryption key pair.
If a matching key pair is found, the device asks whether you want to overwrite the existing key pair on
the device. If no match is found, the device asks you to enter a key pair name (defaulting to the PKI
domain name). Then, it generates the key pair according to the key algorithm and the purpose
defined in the certificate file.
The import operation automatically updates or generates the correct key pair. When you perform the
import operation, be sure to save the configuration file to avoid data loss.
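The chain-completion and root-fingerprint rules above, as an added pre-import check in Python (example code, not from the H3C manual or from Comware): certificates are modelled by subject and issuer name only, which in practice you would read from the PEM file, and the CA names in the sample data are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model: only the names needed to walk a chain."""
    subject: str
    issuer: str

    @property
    def is_root(self) -> bool:
        return self.subject == self.issuer  # self-signed root CA


def complete_chain(start_issuer, file_cas, device_cas):
    """Follow issuer links upward until a self-signed root is reached.
    CA certificates carried in the import file are used first; CA certificates
    already in a PKI domain on the device fill the gaps. Returns (chain, reached_root)."""
    pool = {c.subject: c for c in device_cas}
    pool.update({c.subject: c for c in file_cas})
    chain, seen, name = [], set(), start_issuer
    while name in pool and name not in seen:  # 'seen' guards against issuer loops
        seen.add(name)
        cert = pool[name]
        chain.append(cert)
        if cert.is_root:
            return chain, True
        name = cert.issuer
    return chain, False


def check_import(leaf, file_cas, device_cas):
    """Decide whether 'leaf' (a local or peer certificate) can be imported now,
    which CA certificate must be obtained first if not, and whether the device
    will ask you to confirm the root fingerprint (the file carries a root that
    no PKI domain on the device already holds)."""
    chain, ok = complete_chain(leaf.issuer, file_cas, device_cas)
    device_subjects = {c.subject for c in device_cas}
    new_root = any(c.is_root and c.subject not in device_subjects for c in file_cas)
    return {
        "importable": ok,
        "chain": [c.subject for c in chain],
        "obtain_first": None if ok else (chain[-1].issuer if chain else leaf.issuer),
        "fingerprint_prompt": ok and new_root,
    }


# Constructed sample data (not from the manual): a two-level CA hierarchy.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
SUB = Cert("CN=Example Issuing CA", "CN=Example Root CA")
LEAF = Cert("CN=router1.example.net", "CN=Example Issuing CA")

if __name__ == "__main__":
    print(check_import(LEAF, [SUB], [ROOT]))  # file has issuing CA, root on device
    print(check_import(LEAF, [], [ROOT]))     # issuing CA missing: obtain it first
```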
Examples
# Import CA certificate file rootca_pem.cer in PEM format to PKI domain aaa. The certificate file
contains the root certificate.
<Sysname> system-view