435
undo root-certificate fingerprint
Default
No fingerprint is set for verifying the root CA certificate.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
md5
: Sets an MD5 fingerprint.
sha1
: Sets an SHA1 fingerprint.
string
: Sets the fingerprint in hexadecimal notation. If you specify the
MD5
keyword, the fingerprint is
a string of 32 characters. If you specify the
SHA1
keyword, the fingerprint is a string of 40 characters.
Usage guidelines
If you set the certificate request mode to auto for a PKI domain that does not have a CA certificate,
you must configure the fingerprint for root CA certificate verification. When an application triggers the
device to request local certificates, the device automatically performs the following operations:
1.
Obtains the CA certificate from the CA server.
2.
Compares the fingerprint contained in the root CA certificate with the fingerprint configured in
the PKI domain, if either of the following conditions exists:
The obtained CA certificate is a root certificate.
The obtained CA certificate is a certificate chain and contains a root certificate that does not
exist on the device.
If the two fingerprints do not match, or if no fingerprint is configured in the PKI domain, the
device rejects the CA certificate and the local certificate request fails.
The fingerprint configured by this command is also used for root CA certificate verification when the
device performs the following operations:
•
Imports the CA certificate as requested by the
pki import
command.
•
Obtains the CA certificate as requested by the
pki retrieve-certificate
command.
The device compares the fingerprint contained in the root CA certificate with the fingerprint
configured in the PKI domain, if either of the following conditions exists:
•
The CA certificate to be imported or obtained is a root certificate that does not exist on the
device.
•
The CA certificate to be imported or obtained is a certificate chain and contains a root certificate
that does not exist on the device.
If the two fingerprints do not match, the device rejects the CA certificate. If no fingerprint is configured
in the PKI domain, the device prompts you to manually verify the fingerprint of the root CA certificate.
Examples
# Specify an MD5 fingerprint for verifying the root CA certificate. (This feature is supported only in
non-FIPS mode.)
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint md5
12EF53FA355CD23E12EF53FA355CD23E
# Specify an SHA1 fingerprint for verifying the root CA certificate.