Troubleshooting PKI
Failed to Retrieve a CA
Certificate
2 Configure the certificate attribute-based access control policy
# Create the certificate attribute-based access control policy of myacp and add
two access control rules.
[Switch] pki certificate access-control-policy myacp
[Switch-pki-cert-acp-myacp] rule 1 deny mygroup1
[Switch-pki-cert-acp-myacp] rule 2 permit mygroup2
[Switch-pki-cert-acp-myacp] quit
3 Apply the SSL server policy and certificate attribute-based access control policy to
HTTPS service and enable HTTPS service.
# Apply SSL server policy myssl to HTTPS service.
[Switch] ip https ssl-server-policy myssl
# Apply the certificate attribute-based access control policy of myacp to HTTPS
service.
[Switch] ip https certificate access-control-policy myacp
# Enable HTTPS service.
[Switch] ip https enable
Symptom
Failed to retrieve a CA certificate.
Analysis
Possible reasons include these:
The network connection is not proper. For example, the network cable may be
■
damaged or loose.
No trusted CA is specified.
■
The URL of the enrollment server for certificate request is not correct or not
■
configured.
No RA is specified.
■
The system clock of the device is not synchronized with that of the CA.
■
Solution
Make sure that the network connection is physically proper.
■
Check that the required commands are configured properly.
■
Use the ping command to check that the RA server is reachable.
■
Configures the RA for certificate request.
■
Synchronize the system clock of the device with that of the CA.
■
Troubleshooting PKI
1235