certificate domain

Use certificate domain to specify a PKI domain for signature authentication in IKEv2 negotiation.

Use undo certificate domain to remove a PKI domain for signature authentication in IKEv2 negotiation.

Syntax

certificate domain domain-name [ sign | verify ]

undo certificate domain domain-name

Default

PKI domains configured in system view are used for signature authentication.

Views

IKEv2 profile view

Predefined user roles

network-admin

mdc-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.

sign: Uses the local certificate in the PKI domain to generate a signature.

verify: Uses the CA certificate in the PKI domain to verify the remote end's certificate.

Usage guidelines

If you do not specify the sign or verify keyword, the PKI domain is used for both sign and verify purposes. You can specify a PKI domain for each purpose by executing this command multiple times. If you specify the same PKI domain for both purposes, the later configuration takes effect. For example, if you execute certificate domain abc sign and certificate domain abc verify successively, the PKI domain abc will be used only for verification.

If the local end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for signature generation. If the remote end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for verifying the remote end's certificate. If you do not specify PKI domains, the PKI domains configured in system view will be used.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view
[Sysname] ikev2 profile profile1

# Specify PKI domain abc for signature. Specify PKI domain def for verification.

[Sysname-ikev2-profile-profile1] certificate domain abc sign
[Sysname-ikev2-profile-profile1] certificate domain def verify

Related commands

authentication-method

pki domain