pki import-certificate

Function

The pki import-certificate command imports a certificate to the device memory.

Format

pki import-certificate { ca | local } [ [ realm realm-name ] { der | pkcs12 | pem } ] filename filename [ no-check-validate ] [ no-check-hash-alg ]

pki import-certificate ocsp [ realm realm-name ] { der | pkcs12 | pem } filename filename

Parameters

Parameter

Description

Value

ca

Imports a CA certificate.

For example, when the device works as an SSL proxy, import the SSL proxy CA certificate and use the private key in the certificate to re-sign the SSL client certificate.

-

local

Imports a local certificate.

-

realm realm-name

Specifies the PKI realm name of the imported certificate.

The PKI realm name must already exist.

NOTE:

The domain name cannot contain spaces. Otherwise, the certificate cannot be imported.

der

Imports a certificate in DER format.

-

pkcs12

Imports a certificate in PKCS12 format.

-

pem

Imports a certificate in PEM format.

-

filename filename

Specifies the name of the imported certificate. The file name must already exist.

no-check-validate

Specifies whether the validity check is performed on the imported certificate.

-

no-check-hash-alg

Specifies whether a check is performed on the hash algorithm used for the signature of the imported certificate.

-

ocsp

Imports the Online Certificate Status Protocol (OCSP) server's certificate.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a certificate is saved to the storage, run this command to import the certificate into memory so that it takes effect.

Multiple certificates can be imported on the device, including the CA certificate, local certificate, and private key.

NOTE:

If you do not know the format of the certificate you want to import, configure each format in turn and check whether the certificate is successfully imported. When you attempt to import a CA or local certificate without specifying the format, the system automatically detects the certificate format and imports it.

Prerequisites

The PKI realm has been created using the pki realm (system view) command, and the certificate file already exists on the storage device.

Precautions

By default, the preset CA and local certificates are imported to the default domain. Therefore, other CA or local certificates must not be imported to the default domain. Otherwise, the preset CA or local certificate will be invalid.

If a certificate file contains a key pair file, the pki import-certificate command imports only the certificate file, but not the key pair file. To import the key pair file, run the pki import rsa-key-pair command after the pki import-certificate command, or run the pki import rsa-key-pair command to import the certificate and key pair files simultaneously.

It is not recommended that multiple local certificates be imported into the same PKI realm. Otherwise, certificate-related services may use the certificates that do not match the services, causing services to become unavailable.

When a certificate in pkcs12 format is imported, the PKI system deletes the file name extension of the original certificate file, adds _localx.cer to generate a new file name, and saves it to the storage component. Therefore, the name of the certificate file to be imported should be less than 50 characters so that the total certificate file name does not exceed 64 characters. Otherwise, the certificate file cannot be imported to the storage component.

The device supports importing digital certificates generated using the RSA encryption algorithm and the SM2 key hash algorithm.

Before importing a certificate or key pair, ensure that the certificate or key pair is stored in the specified directory (public directory on the root system). For example, the certificate or key pair is in the public directory of the root system:
<sysname> cd pki
<sysname> cd public/
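
A workstation-side pre-check for the format NOTE and the PKCS12 file-name precaution above, as an added example that is not Huawei's code: it classifies a file's bytes as PEM, DER or PKCS12 from the outer ASN.1 structure and builds the matching import command line. The function names and the stub sample bytes are assumptions made for this illustration.

```python
import re

def first_tlv(data):
    """Return (tag, content) of the leading BER/DER element, or None if malformed."""
    if len(data) < 2:
        return None
    tag, length, pos = data[0], data[1], 2
    if length == 0x80:                    # BER indefinite length (some PKCS12 writers)
        return tag, data[2:]
    if length & 0x80:                     # long form: the next n bytes hold the size
        n = length & 0x7F
        if n > 4 or len(data) < 2 + n:
            return None
        length, pos = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if pos + length > len(data):
        return None
    return tag, data[pos:pos + length]

def detect_format(data):
    """Heuristic: 'pem', 'pkcs12', 'der' or None. A CSR or CRL shares the 'der' shape."""
    if re.search(rb"-----BEGIN [A-Z0-9 ]+-----", data):
        return "pem"
    outer = first_tlv(data)
    inner = first_tlv(outer[1]) if outer and outer[0] == 0x30 else None
    if inner is None:
        return None
    if inner == (0x02, b"\x03"):          # PFX starts with version INTEGER 3
        return "pkcs12"
    if inner[0] == 0x30:                  # X.509 starts with the tbsCertificate SEQUENCE
        return "der"
    return None

def build_import_command(kind, realm, filename, data):
    """Return the CLI line for this file, or raise ValueError naming the violated rule."""
    if kind not in ("ca", "local", "ocsp"):
        raise ValueError("kind must be ca, local or ocsp")
    if " " in realm:
        raise ValueError("realm name cannot contain spaces")
    fmt = detect_format(data)
    if fmt is None:
        raise ValueError("not recognisable as PEM, DER or PKCS12")
    if fmt == "pkcs12" and len(filename) >= 50:
        raise ValueError("PKCS12 file name should be less than 50 characters")
    return f"pki import-certificate {kind} realm {realm} {fmt} filename {filename}"

# Constructed structural stubs (not real certificates); only the outer shape matters here.
SAMPLE_DER = bytes.fromhex("30053003020102")   # SEQUENCE { SEQUENCE { INTEGER 2 } }
SAMPLE_P12 = bytes.fromhex("3003020103")       # SEQUENCE { INTEGER 3 }
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"
```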

Example

# Import a local certificate to PKI realm abc in file transfer mode.
<sysname> system-view
[sysname] pki realm abc 
[sysname-pki-realm-abc] quit
[sysname] pki import-certificate local realm abc pem filename local.cer
 Info: Succeeded in importing the certificate.

Related Topics

display pki credential-storage-path
pki realm (system view)
pki export-certificate
pki http
pki ldap

Copyright © Huawei Technologies Co., Ltd.