Honored Contributor
Re: A5120 https web interface access
[ Edited ]

Hi,

 

newer comware releases have a simplified https configuration, which just requires enabling https (if no cert available, it will use/generate a selfsigned cert).

 

To original version was quite hard (IMO), it took me quite some time to just get a selfsigned cert to work, but it worked in the end.

 

Attached the procedure I had saved at the time. Same text below:

 

****** Configuration steps to import an external certificate on Comware *****
Author     Peter Debruyne (peter.debruyne@belpro.be)
Date     27/11/2011
Version    1.0

#### copy the exported CA Certificate file and the Personal Certificate file to flash
# user-view
tftp 82.1.1.3 get hpn_ca.cer
tftp 82.1.1.3 get hpn_local.pfx

#### set correct date and time on Comware, required for the certificate validation (date)
# user-view
clock datetime xxxx

#### Define PKI Domain configuration object.
# system-view
pki domain hpn
 # Default CRL is enabled, so CA must be reachable when importing a Certificate.
 # Since offline procedure is used, the CA is not reachable, so CRL check must be disabled.
 crl check disable
 
 # optional, otherwise fingerprint will be prompted during import
 # This is the fingerprint from the current example CA Certificate, adjust this if
 # you use your own CA certificate.
 root-certificate fingerprint sha1 0ACB034B202A5C120C61CD8BC4568E41FC9FC78C
 quit

#### Import the CA cert
# The device will look for pki-domain-name_ca.cer
# so the default filename (hpn_ca.cer) should work. At this stage, Comware also validates the
# certificate, so date time should be within the certificate valid dates.
# In case Certificate Revokation List (CRL) is still active, Comware will try to contact the CA.
# If there is any issue, the CA cert validation fails.
pki import-certificate ca domain hpn der
 
#### Import the Device cert
# the sample certificate sslvpn.hpnet.local has been exported from a Windows server, as a pfx file.
# It contains the Device certificate and the private key.
# the file is protected with password "password"

# Since a private key will be imported from the pfx file, the current
# local keys must be destroyed first (if they were created already), or import will fail:
public-key local destroy rsa

# Import the certificate
pki import-certificate local domain hpn p12 filename hpn_local.pfx
password
# At this point the certificate is available for use, so an SSL policy can be defined.

#### Define SSL-Server policy
ssl server-policy ssl
 pki-domain hpn

#### Use the SSL-Server Policy
# SSL-Server policy can be referenced to by https server or by ssl-vpn
ip https ssl-server-policy ssl
ip https enable


Best regards,Peter.