certificate domain
Use certificate domain to specify a PKI domain for signature authentication.
Use undo certificate domain to remove a PKI domain for signature authentication.
Syntax
certificate domain domain-name
undo certificate domain domain-name
Default
No PKI domains are specified for signature authentication.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can specify a maximum of six PKI domains for an IKE profile by executing this command multiple times.
IKE uses the specified PKI domains for enrollment, authentication, certificate issuing, validation, and signature. If you do not specify any PKI domains, IKE uses all PKI domains configured on the device.
Follow these restrictions and guidelines for the device to obtain the CA certificate during IKE negotiation:
On the initiator:
If the IKE profile has a PKI domain and the automatic certificate request mode is configured for the PKI domain, the initiator automatically obtains the CA certificate.
If the IKE profile has no PKI domain, you must manually obtain the CA certificate.
On the responder:
If main mode is used in IKE phase 1, the responder does not automatically obtain the CA certificate. You must manually obtain the CA certificate.
If aggressive mode is used in IKE phase 1, the responder automatically obtains the CA certificate if the following conditions are met:
A matching IKE profile is found.
An PKI domain is specified in the IKE profile.
The automatic certificate request mode is configured for the PKI domain.
If the conditions are not met, you must manually obtain the CA certificate.
IKE first automatically obtains the CA certificate, and then requests a local certificate. If the CA certificate already exists locally, IKE automatically requests a local certificate.
Examples
# Specify PKI domain abc for IKE profile 1.
<Sysname> system-view [Sysname] ike profile 1 [Sysname-ike-profile-1] certificate domain abc
Related commands
authentication-method
pki domain