Common problems and solutions when manually importing SSL certificates

2024-09-27 16:17:13 Published

Network Topology

Networks with high security requirements

Problem Description

When you follow the steps below to import a certificate on a device, the import may fail. For details, see Process Analysis.

# Create PKI domain domain1 and enter PKI domain view.

<AC> system-view

[AC] pki domain domain1

# Disable CRL checking.

[AC-pki-domain-domain1] undo crl check enable

[AC-pki-domain-domain1] quit

# Import the CA certificate into PKI domain domain1. The file is DER-encoded, is named certnew.cer, and contains the root certificate.

[AC] pki import domain domain1 der ca filename certnew.cer

The trusted CA's finger print is:

MD5 fingerprint:98D8 2B98 6D35 1DE7 A13A C362 DA33 2F38

SHA1 fingerprint:5817 1C1E D81F 1B5F 525D 5183 C196 37B8 73C7 46E5

Is the finger print correct?(Y/N):y

# Import the local certificate into PKI domain domain1. The file is PKCS#12-encoded, is named QQ.pfx, and contains a key pair.

[AC] pki import domain domain1 p12 local filename QQ.pfx

Please input the password:

Process Analysis

Q1: [H3C]pki import-certificate ca domain default pem filename certnew.cer

Certificate verification failed.

Error: CA root certificate is not trusted.

A1: Use display clock to check whether the device's current system time falls outside the certificate's validity period.

Q2: [H3C]pki import-certificate ca domain default der filename certnew.cer

Certificate file format error, please check it

A2: The format keyword does not match the certificate file. The mapping used here is: the der parameter goes with certificate files using the .crt suffix, the pem parameter goes with certificate files using the .cer suffix, and the p12 parameter goes with local certificates in .pfx format.
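The suffix mapping in A2 is a naming convention; the keyword that pki import actually needs is decided by the bytes in the file, and the A1 clock check is decided by the validity window inside the certificate. The following added Python script (not part of this case; the certificate-shaped DER sample is constructed, not a real signed certificate) sniffs the real encoding and reports whether a given device time falls inside the validity window of a DER certificate.

```python
"""Sniff a certificate file's real encoding (the keyword 'pki import' needs) and run
the A1 clock check.  Added example, not from the article; sample DER is constructed."""
import datetime as dt

def _tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER TLV starting at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' (X.509 cert) or 'p12' (PKCS#12 PFX) from the bytes alone."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if not data or data[0] != 0x30:         # both DER forms start with a SEQUENCE
        raise ValueError("not PEM and not a DER SEQUENCE")
    _, inner, _ = _tlv(data, 0)
    tag, vs, ve = _tlv(data, inner)
    if tag == 0x30:                         # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ...
        return "der"
    if tag == 0x02 and data[vs:ve] == b"\x03":   # PFX ::= SEQUENCE { version INTEGER (3) ...
        return "p12"
    raise ValueError("DER data is neither an X.509 certificate nor a PKCS#12 PFX")

def validity(der: bytes):  # -> (notBefore, notAfter) as UTC datetimes from a DER X.509 cert
    _, p, _ = _tlv(der, 0)                  # Certificate
    _, p, _ = _tlv(der, p)                  # tbsCertificate
    tag, _, p = _tlv(der, p)                # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, p = _tlv(der, p)              # serialNumber
    for _ in range(2):                      # signature AlgorithmIdentifier, issuer Name
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                  # validity SEQUENCE { notBefore, notAfter }
    times = []
    for _ in range(2):
        tag, s, p = _tlv(der, p)            # 0x17 UTCTime (YY...) or 0x18 GeneralizedTime (YYYY...)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        times.append(dt.datetime.strptime(der[s:p].decode(), fmt).replace(tzinfo=dt.timezone.utc))
    return times[0], times[1]

def clock_in_validity(der: bytes, now: dt.datetime) -> bool:  # the A1 check against display clock
    not_before, not_after = validity(der)
    return not_before <= now <= not_after

def _der(tag: int, body: bytes) -> bytes:   # short-form DER encoder, only for the sample below
    return bytes([tag, len(body)]) + body
# Constructed certificate-shaped sample (fields up to 'validity' only, no signature):
SAMPLE_CERT = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
    + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"251231235959Z"))))
```

Run detect_format on the file you are about to copy to the device and use the returned keyword in pki import; if clock_in_validity is false for the time shown by display clock, fix the clock before retrying the import.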

 

Q3: [H3C]pki import-certificate local domain h3c pem filename h3c_local.cer

Neither local device nor import file has a key, can not verify certificate.

A3: Neither the device nor the imported certificate file contains a key pair. Use [H3C] public-key local create rsa to create a local key pair and then re-import the local certificate. Alternatively, the imported local certificate and the CA certificate do not match each other; re-import the matching pair.

Q4: [H3C]pki import-certificate local domain default p12 filename server.pfx

Please input challenge password:

Both local device and import file has a key, please choose one of them.

A4: This happens because the local certificate file carries its own key pair and the device also has a saved local key pair. Use the rsa local-key-pair destroy command to destroy the local key pair, then re-import the local certificate.

Q5: [H3C]pki import-certificate ca domain h3c der filename h3c_ca.cer

Failed to open certificate file:h3c_ca.cer.

A5: The usual cause is that the certificate file name is wrong or the certificate file does not exist on the device.

Q6: [H3C]pki import-certificate local domain h3c p12 filename 2003_local.pfx

Please input challenge password:

Fail to parse pkcs#12 file.

A6: The password is incorrect.

Q7: [H3C]pki import-certificate local domain h3c p12 filename 2003_local.pfx

Please input challenge password:

Fail to verify certificate.

A7: Disable CRL checking in the PKI domain with undo crl check enable; CRL checking is enabled by default.

Q8: [H3C]pki import-certificate local domain h3c pem filename h3c_local.cer

No certificate or No certificate matched with hostkey in the file.

A8: There is usually a problem with the certificate itself. Use a new, valid certificate, or change the encoding format on the CA server, re-apply for the certificate, and test again.

Solution

See Process Analysis
