Example: Importing and exporting certificates

Network configuration

As shown in Figure 109, Device B will replace Device A in the network. PKI domain exportdomain on Device A has two local certificates containing the private key and one CA certificate. To make sure the certificates are still valid after Device B replaces Device A, copy the certificates on Device A to Device B as follows:

  1. Export the certificates in PKI domain exportdomain on Device A to .pem certificate files.

    During the export, encrypt the private key in the local certificates using 3DES_CBC with the password 11111.

  2. Transfer the certificate files from Device A to Device B through the FTP host.

  3. Import the certificate files to PKI domain importdomain on Device B.

Figure 109: Network diagram

Procedure

  1. Export the certificates on Device A:

    # Export the CA certificate to a .pem file.

    <DeviceA> system-view
    [DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem
    

    # Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC to encrypt the private key with the password 111111.

    [DeviceA] pki export domain exportdomain pem local 3des-cbc 111111 filename pkilocal.pem
    

    Now, Device A has three certificate files in PEM format:

    • A CA certificate file named pkicachain.pem.

    • A local certificate file named pkilocal.pem-signature, which contains the private key for signature.

    • A local certificate file named pkilocal.pem-encryption, which contains the private key for encryption.

    # Display local certificate file pkilocal.pem-signature.

    [DeviceA] quit
    <DeviceA> more pkicachain.pem-sign
    Bag Attributes
        friendlyName:
        localKeyID: 90 C6 DC 1D 20 49 4F 24 70 F5 17 17 20 2B 9E AC 20 F3 99 89
    subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subsign 11
    issuer=/C=CN/L=shangdi/ST=pukras/O=OpenCA Labs/OU=docm/CN=subca1
    -----BEGIN CERTIFICATE-----
    MIIEgjCCA2qgAwIBAgILAJgsebpejZc5UwAwDQYJKoZIhvcNAQELBQAwZjELMAkG
    …
    -----END CERTIFICATE-----
    Bag Attributes
        friendlyName:
        localKeyID: 90 C6 DC 1D 20 49 4F 24 70 F5 17 17 20 2B 9E AC 20 F3 99 89
    Key Attributes: <No Attributes>
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIZtjSjfslJCoCAggA
    …
    -----END ENCRYPTED PRIVATE KEY-----
    

    # Display local certificate file pkilocal.pem-encryption.

    <DeviceA> more pkicachain.pem-encr
    Bag Attributes
        friendlyName:
        localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8
    subject=/C=CN/O=OpenCA Labs/OU=Users/CN=subencr 11
    issuer=/C=CN/L=shangdi/ST=pukras/O=OpenCA Labs/OU=docm/CN=subca1
    -----BEGIN CERTIFICATE-----
    MIIEUDCCAzigAwIBAgIKCHxnAVyzWhIPLzANBgkqhkiG9w0BAQsFADBmMQswCQYD
    …
    -----END CERTIFICATE-----
    Bag Attributes
        friendlyName:
        localKeyID: D5 DF 29 28 C8 B9 D9 49 6C B5 44 4B C2 BC 66 75 FE D6 6C C8
    Key Attributes: <No Attributes>
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI7H0mb4O7/GACAggA
    …
    -----END ENCRYPTED PRIVATE KEY-----
    
  2. Download certificate files pkicachain.pem, pkilocal.pem-sign, and pkilocal.pem-encr from Device A to the host through FTP. (Details not shown.)

  3. Upload certificate files pkicachain.pem, pkilocal.pem-sign, and pkilocal.pem-encr from the host to Device B through FTP. (Details not shown.)

  4. Import the certificate files to Device B:

    # Disable CRL checking. (You can configure CRL checking as required. This example assumes CRL checking is not required.)

    <DeviceB> system-view
    [DeviceB] pki domain importdomain
    [DeviceB-pki-domain-importdomain] undo crl check enable
    

    # Specify RSA key pair sign for signature and RSA key pair encr for encryption.

    [DeviceB-pki-domain-importdomain] public-key rsa signature name sign encryption name encr
    [DeviceB-pki-domain-importdomain] quit
    

    # Import CA certificate file pkicachain.pem in PEM format to the PKI domain.

    [DeviceB] pki import domain importdomain pem ca filename pkicachain.pem
    

    # Import local certificate file pkilocal.pem-signature in PEM format to the PKI domain. The certificate file contains a key pair.

    [DeviceB] pki import domain importdomain pem local filename pkilocal.pem-signature
    Please input the password:******
    

    # Import local certificate file pkilocal.pem-encryption in PEM format to the PKI domain. The certificate file contains a key pair.

    [DeviceB] pki import domain importdomain pem local filename pkilocal.pem-encryption
    Please input the password:******
    

    # Display the imported local certificate information on Device B.

    [DeviceB] display pki certificate domain importdomain local
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                98:2c:79:ba:5e:8d:97:39:53:00
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1
            Validity
                Not Before: May 26 05:56:49 2011 GMT
                Not After : Nov 22 05:56:49 2012 GMT
            Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subsign 11
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
                    Modulus:
                        00:9f:6e:2f:f6:cb:3d:08:19:9a:4a:ac:b4:ac:63:
                        ce:8d:6a:4c:3a:30:19:3c:14:ff:a9:50:04:f5:00:
                        ee:a3:aa:03:cb:b3:49:c4:f8:ae:55:ee:43:93:69:
                        6c:bf:0d:8c:f4:4e:ca:69:e5:3f:37:5c:83:ea:83:
                        ad:16:b8:99:37:cb:86:10:6b:a0:4d:03:95:06:42:
                        ef:ef:0d:4e:53:08:0a:c9:29:dd:94:28:02:6e:e2:
                        9b:87:c1:38:2d:a4:90:a2:13:5f:a4:e3:24:d3:2c:
                        bf:98:db:a7:c2:36:e2:86:90:55:c7:8c:c5:ea:12:
                        01:31:69:bf:e3:91:71:ec:21
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Cert Type:
                    SSL Client, S/MIME
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
                Netscape Comment:
                    User Certificate of OpenCA Labs
                X509v3 Subject Key Identifier:
                    AA:45:54:29:5A:50:2B:89:AB:06:E5:BD:0D:07:8C:D9:79:35:B1:F5
                X509v3 Authority Key Identifier:
                    keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD
    
                X509v3 Subject Alternative Name:
                    email:subsign@docm.com
                X509v3 Issuer Alternative Name:
                    DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1
                Authority Information Access:
                    CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt
                    OCSP - URI:http://titan:2560/
                    1.3.6.1.5.5.7.48.12 - URI:http://titan:830/
    
                X509v3 CRL Distribution Points:
    
                    Full Name:
                      URI:http://192.168.40.130/pki/pub/crl/cacrl.crl
    
        Signature Algorithm: sha256WithRSAEncryption
            18:e7:39:9a:ad:84:64:7b:a3:85:62:49:e5:c9:12:56:a6:d2:
            46:91:53:8e:84:ba:4a:0a:6f:28:b9:43:bc:e7:b0:ca:9e:d4:
            1f:d2:6f:48:c4:b9:ba:c5:69:4d:90:f3:15:c4:4e:4b:1e:ef:
            2b:1b:2d:cb:47:1e:60:a9:0f:81:dc:f2:65:6b:5f:7a:e2:36:
            29:5d:d4:52:32:ef:87:50:7c:9f:30:4a:83:de:98:8b:6a:c9:
            3e:9d:54:ee:61:a4:26:f3:9a:40:8f:a6:6b:2b:06:53:df:b6:
            5f:67:5e:34:c8:c3:b5:9b:30:ee:01:b5:a9:51:f9:b1:29:37:
            02:1a:05:02:e7:cc:1c:fe:73:d3:3e:fa:7e:91:63:da:1d:f1:
            db:28:6b:6c:94:84:ad:fc:63:1b:ba:53:af:b3:5d:eb:08:b3:
            5b:d7:22:3a:86:c3:97:ef:ac:25:eb:4a:60:f8:2b:a3:3b:da:
            5d:6f:a5:cf:cb:5a:0b:c5:2b:45:b7:3e:6e:39:e9:d9:66:6d:
            ef:d3:a0:f6:2a:2d:86:a3:01:c4:94:09:c0:99:ce:22:19:84:
            2b:f0:db:3e:1e:18:fb:df:56:cb:6f:a2:56:35:0d:39:94:34:
            6d:19:1d:46:d7:bf:1a:86:22:78:87:3e:67:fe:4b:ed:37:3d:
            d6:0a:1c:0b
    
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                08:7c:67:01:5c:b3:5a:12:0f:2f
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, L=shangdi, ST=pukras, O=OpenCA Labs, OU=docm, CN=subca1
            Validity
                Not Before: May 26 05:58:26 2011 GMT
                Not After : Nov 22 05:58:26 2012 GMT
            Subject: C=CN, O=OpenCA Labs, OU=Users, CN=subencr 11
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
                    Modulus:
                        00:db:26:13:d3:d1:a4:af:11:f3:6d:37:cf:d0:d4:
                        48:50:4e:0f:7d:54:76:ed:50:28:c6:71:d4:48:ae:
                        4d:e7:3d:23:78:70:63:18:33:f6:94:98:aa:fa:f6:
                        62:ed:8a:50:c6:fd:2e:f4:20:0c:14:f7:54:88:36:
                        2f:e6:e2:88:3f:c2:88:1d:bf:8d:9f:45:6c:5a:f5:
                        94:71:f3:10:e9:ec:81:00:28:60:a9:02:bb:35:8b:
                        bf:85:75:6f:24:ab:26:de:47:6c:ba:1d:ee:0d:35:
                        75:58:10:e5:e8:55:d1:43:ae:85:f8:ff:75:81:03:
                        8c:2e:00:d1:e9:a4:5b:18:39
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Cert Type:
                    SSL Server
                X509v3 Key Usage:
                    Key Encipherment, Data Encipherment
                Netscape Comment:
                    VPN Server of OpenCA Labs
                X509v3 Subject Key Identifier:
                    CC:96:03:2F:FC:74:74:45:61:38:1F:48:C0:E8:AA:18:24:F0:2B:AB
                X509v3 Authority Key Identifier:
                    keyid:70:54:40:61:71:31:02:06:8C:62:11:0A:CC:A5:DB:0E:7E:74:DE:DD
    
                X509v3 Subject Alternative Name:
                    email:subencr@docm.com
                X509v3 Issuer Alternative Name:
                    DNS:subca1@docm.com, DNS:, IP Address:1.1.2.2, IP Address:2.2.1.1
                Authority Information Access:
                    CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt
                    OCSP - URI:http://titan:2560/
                    1.3.6.1.5.5.7.48.12 - URI:http://titan:830/
    
                X509v3 CRL Distribution Points:
    
                    Full Name:
                      URI:http://192.168.40.130/pki/pub/crl/cacrl.crl
    
        Signature Algorithm: sha256WithRSAEncryption
            53:69:66:5f:93:f0:2f:8c:54:24:8f:a2:f2:f1:29:fa:15:16:
            90:71:e2:98:e3:5c:c6:e3:d4:5f:7a:f6:a9:4f:a2:7f:ca:af:
            c4:c8:c7:2c:c0:51:0a:45:d4:56:e2:81:30:41:be:9f:67:a1:
            23:a6:09:50:99:a1:40:5f:44:6f:be:ff:00:67:9d:64:98:fb:
            72:77:9e:fd:f2:4c:3a:b2:43:d8:50:5c:48:08:e7:77:df:fb:
            25:9f:4a:ea:de:37:1e:fb:bc:42:12:0a:98:11:f2:d9:5b:60:
            bc:59:72:04:48:59:cc:50:39:a5:40:12:ff:9d:d0:69:3a:5e:
            3a:09:5a:79:e0:54:67:a0:32:df:bf:72:a0:74:63:f9:05:6f:
            5e:28:d2:e8:65:49:e6:c7:b5:48:7d:95:47:46:c1:61:5a:29:
            90:65:45:4a:88:96:e4:88:bd:59:25:44:3f:61:c6:b1:08:5b:
            86:d2:4f:61:4c:20:38:1c:f4:a1:0b:ea:65:87:7d:1c:22:be:
            b6:17:17:8a:5a:0f:35:4c:b8:b3:73:03:03:63:b1:fc:c4:f5:
            e9:6e:7c:11:e8:17:5a:fb:39:e7:33:93:5b:2b:54:72:57:72:
            5e:78:d6:97:ef:b8:d8:6d:0c:05:28:ea:81:3a:06:a0:2e:c3:
            79:05:cd:c3
    

To display detailed information about the CA certificate, use the display pki certificate domain command.