240
Certificate import and export configuration example
Network requirements
As shown in Figure 77, Device B will replace Device A in the network. The PKI domain exportdomain on
Device A has two local certificates containing the private key and one CA certificate. To make sure the
certificates are still valid after Device B replaces Device A, copy the certificates on Device A to Device B
and follow these guidelines:
• Encrypt the private key in the local certificates using 3DES_CBC with the password 111111 when you
export the local certificates from Device A.
• Save the certificates on Device A in PEM format to the PKI domain importdomain on Device B.
Figure 77 Network diagram
Configuration procedure
1. Export the certificate on Device A to specified files:
# Export the CA certificate to a .pem file.
<DeviceA> system-view
[DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem
# Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to
encrypt the private key with the password 111111.
[DeviceA] pki export domain exportdomain pem local 3des-cbc 111111 filename
pkilocal.pem
After the previous operations, the system generates three certificate files in PEM format: a CA
certificate file and two local certificate files. The CA certificate file is named pkicachain.pem. The
two local certificate files are named pkilocal.pem-signature and pkilocal.pem-encryption, and
contain the private key for signature and encryption, respectively.
# Display the local certificate file pkilocal.pem-signature.
[DeviceA] quit
<DeviceA> more pkicachain.pem-sign
Bag Attributes
friendlyName:
localKeyID: 90 C6 DC 1D 20 49 4F 24 70 F5 17 17 20 2B 9E AC 20 F3 99 89
subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subsign 11
issuer=/C=CN/L=shangdi/ST=pukras/O=OpenCA Labs/OU=docm/CN=subca1
-----BEGIN CERTIFICATE-----
MIIEgjCCA2qgAwIBAgILAJgsebpejZc5UwAwDQYJKoZIhvcNAQELBQAwZjELMAkG
…
To Next Page
Loading...
Need help?
General