specify the fingerprint in the PKI domain but the CA certificate to be imported or the obtained CA
certificate contains a CA root certificate that is not stored locally, the device uses the specified fingerprint
in the PKI domain for verification and requires you to confirm the fingerprint. If you specify a wrong
fingerprint, you cannot import or obtain the CA certificate.
Examples
# Set an MD5 fingerprint for verifying the validity of the CA root certificate.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E
# Set an SHA1 fingerprint for verifying the validity of the CA root certificate.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
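An out-of-band check that can precede the configuration above, as an added example that is not part of the original manual: it computes the fingerprint of a CA certificate file, compares it with the value published by the CA, and only then produces the command line. It assumes the fingerprint is the standard digest of the DER-encoded certificate; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Hex digits per algorithm, matching the md5 and sha1 examples above.
HEX_LEN = {"md5": 32, "sha1": 40}
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(cert: bytes) -> bytes:
    """Accept PEM or raw DER and return the DER bytes that get hashed."""
    m = PEM_RE.search(cert)
    if m is None:
        return cert  # assumption: input without PEM armor is already DER
    return base64.b64decode(b"".join(m.group(1).split()))

def fingerprint(cert: bytes, algo: str) -> str:
    """Digest of the DER certificate as upper-case hex without separators."""
    if algo not in HEX_LEN:
        raise ValueError("algorithm must be md5 or sha1")
    return hashlib.new(algo, to_der(cert)).hexdigest().upper()

def normalize(fp: str, algo: str) -> str:
    """Strip colons/whitespace that other tools print; enforce the length."""
    cleaned = re.sub(r"[:\s]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{%d}" % HEX_LEN[algo], cleaned):
        raise ValueError("not a valid %s fingerprint" % algo)
    return cleaned

def command_if_trusted(cert: bytes, algo: str, published_fp: str) -> str:
    """Return the CLI line only when the file matches the fingerprint
    obtained from the CA administrator over a separate channel."""
    actual = fingerprint(cert, algo)
    if not hmac.compare_digest(actual, normalize(published_fp, algo)):
        raise ValueError("certificate does not match published fingerprint")
    return "root-certificate fingerprint %s %s" % (algo, actual)

# Constructed sample: placeholder bytes standing in for a CA certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    published = fingerprint(SAMPLE_DER, "sha1")  # stands in for the CA's value
    print(command_if_trusted(SAMPLE_PEM, "sha1", published))
```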
Related commands
• certificate request mode
• pki import
• pki retrieve-certificate
rule
Use rule to create a rule (or statement).
Use undo rule to remove a statement.
Syntax
rule [ id ] { deny | permit } group-name
undo rule id
Default
No statement exists.
Views
PKI certificate access control policy view
Predefined user roles
network-admin
Parameters
id: Assigns a number to the statement, in the range of 1 to 16. The default setting is the smallest unused
number in this range. Rules in a policy are sorted in ascending order and a rule with a smaller number
is compared first.
deny: Denies the certificates that match the associated certificate group.