certificate domain
Use certificate domain to specify a PKI domain for IKE signatures.
Use undo certificate domain to remove the specified PKI domain configuration.
Syntax
certificate domain domain-name
undo certificate domain domain-name
Default
No PKI domain is specified for IKE negotiation.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. If no
PKI domain is specified, all PKI domains configured on the device are used for enrollment, authentication,
certificate issuing, validation, and signature.
Usage guidelines
You can specify up to 6 PKI domains for an IKE profile.
IKE can use the PKI domain to automatically obtain the CA certificate, and then request a local certificate.
If the CA certificate already exists, IKE requests a local certificate.
• On the initiator: If the IKE profile has a PKI domain, the initiator automatically obtains the CA
certificate. If the IKE profile has no PKI domain, you must manually obtain the CA certificate.
• On the responder: During the IKE negotiation phase 1,
  ○ If main mode is used, the responder does not automatically obtain the CA certificate. You must
    manually request the CA certificate.
  ○ If aggressive mode is used, the responder does not automatically obtain the CA certificate
    unless a matching IKE profile is found and an IKE domain is specified in the profile.
Examples
# Specify the PKI domain abc for IKE profile 1.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] certificate domain abc
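The following is an added example, not part of the original command reference: a Python check that can be run over a generated or saved configuration to flag IKE profiles that break the limits stated above (1 to 31 character names, case-insensitive, at most 6 PKI domains) or that name no PKI domain at all. It assumes the saved-configuration layout in which profile commands are indented under `ike profile <name>` and a `#` line ends the block; the function name `audit_ike_profiles` and the sample text are constructed for illustration.

```python
import re

MAX_DOMAINS = 6                      # page: up to 6 PKI domains per IKE profile
NAME_RE = re.compile(r"^\S{1,31}$")  # page: domain-name is 1 to 31 characters

# Constructed sample. Assumed layout: commands indented under the profile
# header, "#" closing each block.
SAMPLE = """\
#
ike profile 1
 certificate domain abc
 certificate domain ABC
#
ike profile branch
#
"""

def audit_ike_profiles(config_text):
    """Return {profile_name: [findings]} for every IKE profile in config_text."""
    profiles, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("ike profile "):
            current = line.split(None, 2)[2].strip()
            profiles[current] = []
        elif current is not None and line.startswith(" "):
            words = line.split()
            if words[:2] == ["certificate", "domain"]:
                profiles[current].append(" ".join(words[2:]))
        else:
            current = None  # "#" or any unindented line closes the block
    findings = {}
    for name, domains in profiles.items():
        issues = []
        if not domains:
            issues.append("no PKI domain: all PKI domains on the device are used")
        if len(domains) > MAX_DOMAINS:
            issues.append(f"{len(domains)} PKI domains exceeds the limit of {MAX_DOMAINS}")
        seen = set()
        for d in domains:
            if not NAME_RE.match(d):
                issues.append(f"invalid domain name {d!r}")
            if d.lower() in seen:  # names are case-insensitive, so abc == ABC
                issues.append(f"duplicate domain {d!r} (names are case-insensitive)")
            seen.add(d.lower())
        findings[name] = issues
    return findings
```

A profile reported with no PKI domain is worth reviewing because, per the parameter description, signatures and validation then draw on every PKI domain configured on the device rather than on one chosen trust anchor.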
Related commands
• authentication-method
• pki domain