certificate domain
Use certificate domain to specify a PKI domain for signature authentication in IKEv2 negotiation.
Use undo certificate domain to remove a PKI domain for signature authentication in IKEv2 negotiation.
Syntax
certificate domain domain-name [ sign | verify ]
undo certificate domain domain-name
Default
PKI domains configured in system view are used for signature authentication.
Views
IKEv2 profile view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
sign: Uses the local certificate in the PKI domain to generate a signature.
verify: Uses the CA certificate in the PKI domain to verify the remote end's certificate.
Usage guidelines
If you do not specify the sign or verify keyword, the PKI domain is used for both sign and verify purposes. You can specify a PKI domain for each purpose by executing this command multiple times. If you specify the same PKI domain for both purposes, the later configuration takes effect. For example, if you execute certificate domain abc sign and certificate domain abc verify successively, the PKI domain abc will be used only for verification.
If the local end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for signature generation. If the remote end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for verifying the remote end's certificate. If you do not specify PKI domains, the PKI domains configured in system view will be used.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view [Sysname] ikev2 profile profile1
# Specify PKI domain abc for signature. Specify PKI domain def for verification.
[Sysname-ikev2-profile-profile1] certificate domain abc sign [Sysname-ikev2-profile-profile1] certificate domain def verify
Related commands
authentication-method
pki domain