root-certificate fingerprint

Use root-certificate fingerprint to set the fingerprint for verifying the root CA certificate.

Use undo root-certificate fingerprint to restore the default.

Syntax

In non-FIPS mode:

root-certificate fingerprint { md5 | sha1 } string

undo root-certificate fingerprint

In FIPS mode:

root-certificate fingerprint sha1 string

undo root-certificate fingerprint

Default

No fingerprint is set for verifying the root CA certificate.

Views

PKI domain view

Predefined user roles

network-admin

mdc-admin

Parameters

md5: Sets an MD5 fingerprint.

sha1: Sets an SHA1 fingerprint.

string: Sets the fingerprint in hexadecimal notation (case-insensitive). If you specify the md5 keyword, the fingerprint is a string of 32 hexadecimal characters (a 128-bit MD5 digest). If you specify the sha1 keyword, the fingerprint is a string of 40 hexadecimal characters (a 160-bit SHA-1 digest).

Usage guidelines

If you set the certificate request mode to auto for a PKI domain that does not have a CA certificate, you must configure the fingerprint for root CA certificate verification. When an application (for example, IKE) triggers the device to request local certificates, the device automatically performs the following operations:

  1. Obtains the CA certificate from the CA server.

  2. Compares the fingerprint of the obtained root CA certificate with the fingerprint configured in the PKI domain, if either of the following conditions exists:

    • The obtained CA certificate is a root certificate.

    • The obtained CA certificate is a certificate chain and contains a root certificate that does not exist on the device.

    If the two fingerprints do not match, or if no fingerprint is configured in the PKI domain, the device rejects the CA certificate and the local certificate request fails.

The fingerprint configured by this command is also used for root CA certificate verification when the device performs the following operations:

The device compares the fingerprint of the root CA certificate with the fingerprint configured in the PKI domain if either of the two conditions listed above exists (the obtained CA certificate is a root certificate, or it is a certificate chain that contains a root certificate not present on the device).

If the two fingerprints do not match, the device rejects the CA certificate. If no fingerprint is configured in the PKI domain, the device prompts you to manually verify the fingerprint of the root CA certificate.
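The decision logic described in the usage guidelines, as an added Python example (not code from the device or its documentation): the fingerprint is the hash over the DER encoding of the certificate, the configured string is checked the way the command's parameters are (md5 = 32 hex characters, sha1 = 40), and the outcome differs between auto mode (no fingerprint means reject) and manual retrieval or import (no fingerprint means prompt the operator). The function names, the `request_mode` argument and the sample DER bytes are assumptions made for this example; the DER bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Hex-string length the command accepts for each keyword
# (32 hex chars = 128-bit MD5 digest, 40 hex chars = 160-bit SHA-1 digest).
FINGERPRINT_LENGTH = {"md5": 32, "sha1": 40}


def parse_fingerprint(algo, string):
    """Apply the same check as the command's parameters: keyword md5 or sha1,
    and a hexadecimal string of exactly the matching length."""
    algo = algo.lower()
    if algo not in FINGERPRINT_LENGTH:
        raise ValueError("unsupported fingerprint algorithm: %s" % algo)
    if len(string) != FINGERPRINT_LENGTH[algo] or not re.fullmatch(r"[0-9A-Fa-f]+", string):
        raise ValueError("%s fingerprint must be %d hexadecimal characters"
                         % (algo, FINGERPRINT_LENGTH[algo]))
    return algo, string.lower()


def pem_to_der(pem):
    """Strip the PEM armour; fingerprints are computed over the DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def certificate_fingerprint(der, algo):
    """Lower-case hex digest of the DER encoding (what 'openssl x509 -fingerprint' prints)."""
    return hashlib.new(algo, der).hexdigest()


def verify_root_ca(der, configured, request_mode="auto"):
    """Decide what the device does with an obtained root CA certificate.

    configured: None if no fingerprint is set in the PKI domain, otherwise the
    (algo, hexstring) pair returned by parse_fingerprint().
    Returns "accept", "reject" or "prompt".
    """
    if configured is None:
        # auto mode: no fingerprint -> certificate rejected, local request fails.
        # manual retrieve/import: the operator is asked to verify the fingerprint.
        return "reject" if request_mode == "auto" else "prompt"
    algo, expected = configured
    actual = certificate_fingerprint(der, algo)
    # Constant-time comparison; both sides are lower-case hex, so case does not matter.
    return "accept" if hmac.compare_digest(actual, expected) else "reject"


# Constructed stand-in for a DER-encoded root CA certificate (not a real certificate).
SAMPLE_DER = bytes(range(256)) * 4
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(re.findall(".{1,64}", base64.b64encode(SAMPLE_DER).decode()))
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    matching = parse_fingerprint("sha1", certificate_fingerprint(der, "sha1").upper())
    # The page's own example value, which does not belong to the constructed bytes.
    other = parse_fingerprint("sha1", "D1526110AAD7527FB093ED7FC037B0B3CDDDAD93")
    print("matching fingerprint:", verify_root_ca(der, matching))
    print("other fingerprint:   ", verify_root_ca(der, other))
    print("none, auto mode:     ", verify_root_ca(der, None))
    print("none, manual import: ", verify_root_ca(der, None, "manual"))
```

When you take the fingerprint from the CA operator, compute it the same way (over the DER form) before typing it into the PKI domain; a fingerprint copied from a PEM file's text, or from a different certificate in the chain, will never match and the request will fail in auto mode. Prefer the sha1 keyword where the CA publishes both digests.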

Examples

# Specify an MD5 fingerprint for verifying the root CA certificate. (This feature is supported only in non-FIPS mode.)

<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E

# Specify an SHA1 fingerprint for verifying the root CA certificate.

<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93

Related commands

certificate request mode

pki import

pki retrieve-certificate