H3C S6550X-HI Series Command Reference Manual page 2298


Default
No PKI domains are specified for signature authentication.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can specify a maximum of six PKI domains for an IKE profile by executing this command
multiple times.
IKE uses the specified PKI domains for enrollment, authentication, certificate issuing, validation, and
signature. If you do not specify any PKI domains, IKE uses all PKI domains configured on the device.
Follow these restrictions and guidelines for the device to obtain the CA certificate during IKE
negotiation:
• On the initiator:
  ◦ If the IKE profile has a PKI domain and the automatic certificate request mode is configured
    for the PKI domain, the initiator automatically obtains the CA certificate.
  ◦ If the IKE profile has no PKI domain, you must manually obtain the CA certificate.
• On the responder:
  ◦ If main mode is used in IKE phase 1, the responder does not automatically obtain the CA
    certificate. You must manually obtain the CA certificate.
  ◦ If aggressive mode is used in IKE phase 1, the responder automatically obtains the CA
    certificate if the following conditions are met:
    - A matching IKE profile is found.
    - A PKI domain is specified in the IKE profile.
    - The automatic certificate request mode is configured for the PKI domain.
    If the conditions are not met, you must manually obtain the CA certificate.
IKE first automatically obtains the CA certificate, and then requests a local certificate. If the CA
certificate already exists locally, IKE automatically requests a local certificate.
Examples
# Specify PKI domain abc for IKE profile 1.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] certificate domain abc
Related commands
authentication-method
pki domain (Security Command Reference)
client-authentication
Use client-authentication to enable client authentication.
Use undo client-authentication to disable client authentication.
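Added example (not part of the H3C manual): a Python audit of a saved configuration against the certificate domain usage guidelines above, reporting for each IKE profile which PKI domains let the initiator, or a responder in aggressive mode, obtain the CA certificate automatically and which need it obtained manually. The sample configuration is constructed, and the command spellings "certificate request mode auto" and "exchange-mode aggressive" are assumptions not shown on this page; the runtime condition "a matching IKE profile is found" cannot be checked from a configuration file.

```python
import re

# Constructed Comware-style sample. Assumed spellings (not on the page):
# "certificate request mode auto" and "exchange-mode aggressive".
SAMPLE_CONFIG = """\
pki domain abc
 certificate request mode auto
pki domain Legacy
ike profile 1
 certificate domain ABC
ike profile 2
 exchange-mode aggressive
 certificate domain legacy
 certificate domain abc
ike profile 3
"""

def parse_sections(text):
    """Return {(kind, name): [body lines]}; PKI domain names are lower-cased."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"(pki domain|ike profile) (\S+)$", line)
        if m:
            kind, name = m.groups()
            key = (kind, name.lower() if kind == "pki domain" else name)
            current = sections.setdefault(key, [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # separator or unrelated top-level line
    return sections

def audit(text):
    """Per IKE profile, list domains whose CA certificate is obtained automatically."""
    sections = parse_sections(text)
    auto = {n for (k, n), body in sections.items()
            if k == "pki domain" and "certificate request mode auto" in body}
    report = {}
    for (kind, name), body in sections.items():
        if kind != "ike profile":
            continue
        domains = [l.split()[-1].lower() for l in body if l.startswith("certificate domain ")]
        auto_ok = [d for d in domains if d in auto]
        aggressive = "exchange-mode aggressive" in body  # assumed: absent line = main mode
        report[name] = {"initiator_auto": auto_ok,
                        "responder_auto": auto_ok if aggressive else [],
                        "manual_ca": [d for d in domains if d not in auto],
                        "no_domain": not domains,  # IKE then uses all PKI domains
                        "over_limit": len(domains) > 6}
    return report
```

Profiles that report no_domain, or a non-empty manual_ca list, are the ones where the CA certificate has to be in place before negotiation.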