Usage guidelines
Use this command to import a certificate in the following situations:
• The CRL repository is not specified, or the CA server does not support SCEP.
• The certificate is packed with the server-generated key pair in a single file. Only certificate files in PKCS12 or PEM format can contain key pairs.
Before you import certificates, complete the following tasks:
• Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or TFTP is not available, display the contents of the certificate and copy them into a file on the device. Make sure the certificate is in PEM format, because only PEM-format certificates can be imported this way.
• For the local certificates or peer certificates to be imported, the correct CA certificate chain must exist. The CA certificate chain can be stored on the device, or carried in the local certificates or peer certificates. If neither the PKI domain nor the local or peer certificates carry the CA certificate chain, obtain the CA certificate and import it first.
When you import the local or peer certificates:
• If the local or peer certificates contain the CA certificate chain, you can import the CA certificate and the local or peer certificates at the same time. If the CA certificate already exists in a PKI domain, the system prompts you whether to overwrite the existing CA certificate.
• If the local or peer certificates do not contain the CA certificate chain, but the CA certificate already exists in a PKI domain, you can directly import the certificates.
You can import the CA certificate to a PKI domain when either of the following conditions is met:
• The CA certificate to be imported is the root CA certificate or contains the certificate chain with the root certificate.
• The CA certificate contains a certificate chain without the root certificate, but can form a complete certificate chain with an existing CA certificate on the device.
Contact the CA administrator to get information as prompted in the following scenarios:
• The system prompts you to confirm the certificate's fingerprint when both of the following are true:
  • The certificate file to be imported contains the root certificate, but the root certificate does not exist in any PKI domain on the device.
  • The root-certificate fingerprint command is not configured in the PKI domain to which the certificate file is to be imported.
• The system prompts you to enter the challenge password used for encrypting the private key if the local certificate to be imported contains a key pair.
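The prompts above depend on what the certificate file actually carries. As an added example (not code from the command reference or the vendor), this small Python inspector walks the PEM blocks of a file before import, reports whether a private key is packed in and whether it is password protected, and maps that to the prompts the guidelines describe. The sample file and its base64 bodies are constructed placeholders, not a real certificate or key.

```python
import base64
import re
from dataclasses import dataclass, field

# Constructed sample file (fake base64 bodies, not a real key or certificate): one
# local certificate packed with a password-protected key pair, the case in which the
# device prompts for the challenge password during import.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQtY2VydA==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

Y29uc3RydWN0ZWQta2V5
-----END RSA PRIVATE KEY-----
"""

_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----\n(.*?)-----END \1-----", re.S)


@dataclass
class PemSummary:
    certificates: int = 0          # CERTIFICATE blocks; more than one means the file carries a chain
    key_present: bool = False      # a PRIVATE KEY block is packed with the certificate
    key_encrypted: bool = False    # key is password protected (PKCS#8 ENCRYPTED or RFC 1421 Proc-Type header)
    unknown_labels: list = field(default_factory=list)


def summarize_pem(text):
    """Walk every PEM block, separating RFC 1421 header lines from the base64 body."""
    s = PemSummary()
    for m in _BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        headers, b64 = "", body
        if ":" in body.split("\n", 1)[0]:          # header lines precede a blank line
            headers, _, b64 = body.partition("\n\n")
        base64.b64decode("".join(b64.split()), validate=True)  # raises if the block is not PEM text
        if label == "CERTIFICATE":
            s.certificates += 1
        elif label.endswith("PRIVATE KEY"):
            s.key_present = True
            if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in headers:
                s.key_encrypted = True
        else:
            s.unknown_labels.append(label)
    return s


def expected_prompts(s):
    """Map the file contents to the interactive prompts the usage guidelines describe."""
    prompts = []
    if s.key_present:
        prompts.append("challenge password for the private key")
    if s.certificates > 1:
        prompts.append("confirm overwriting the CA certificate if it already exists in the domain")
    return prompts
```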
When you import a local certificate file that contains a key pair, you can choose to update the domain with the key pair. Depending on the purpose of the key pair, the following conditions might apply:
• If the purpose of the key pair is general, the device uses the key pair to replace the local key pair that is found in this order:
  a. General-purpose key pair.
  b. Signature key pair.
  c. Encryption key pair.
• If the purpose of the key pair is signature, the device uses the key pair to replace the local key pair that is found in this order:
  d. General-purpose key pair.
  e. Signature key pair.
• If the purpose of the key pair is encryption, the device searches the domain for an encryption key pair.