
A5120 https web interface access



We have seen the https configuration, which involves a certificate request to a CA. Can https access to the A5120 web interface be configured with a self-signed certificate, to avoid a long and complex configuration?

Can you write the minimum necessary commands so that we can access the web interface safely over https?


We see this example configuration:


Very complex only to allow https access to web interface...



Thank you

Honored Contributor

Re: A5120 https web interface access



Newer Comware releases have a simplified https configuration, which just requires enabling https (if no cert is available, it will use/generate a self-signed cert).


The original version was quite hard (IMO); it took me quite some time to just get a self-signed cert to work, but it worked in the end.


Attached the procedure I had saved at the time. Same text below:


****** Configuration steps to import an external certificate on Comware *****
Author     Peter Debruyne (
Date     27/11/2011
Version    1.0

#### copy the exported CA Certificate file and the Personal Certificate file to flash
# user-view
# <tftp-server> is a placeholder for the address of your TFTP server
tftp <tftp-server> get hpn_ca.cer
tftp <tftp-server> get hpn_local.pfx

#### set correct date and time on Comware, required for the certificate validation (date)
# user-view
clock datetime xxxx

#### Define PKI Domain configuration object.
# system-view
pki domain hpn
 # Default CRL is enabled, so CA must be reachable when importing a Certificate.
 # Since offline procedure is used, the CA is not reachable, so CRL check must be disabled.
 crl check disable
 # optional, otherwise fingerprint will be prompted during import
 # This is the fingerprint from the current example CA Certificate, adjust this if
 # you use your own CA certificate.
 root-certificate fingerprint sha1 0ACB034B202A5C120C61CD8BC4568E41FC9FC78C

#### Import the CA cert
# The device will look for pki-domain-name_ca.cer
# so the default filename (hpn_ca.cer) should work. At this stage, Comware also validates the
# certificate, so date time should be within the certificate valid dates.
# In case Certificate Revocation List (CRL) is still active, Comware will try to contact the CA.
# If there is any issue, the CA cert validation fails.
pki import-certificate ca domain hpn der
#### Import the Device cert
# the sample certificate sslvpn.hpnet.local has been exported from a Windows server, as a pfx file.
# It contains the Device certificate and the private key.
# the file is protected with password "password"

# Since a private key will be imported from the pfx file, the current
# local keys must be destroyed first (if they were created already), or import will fail:
public-key local destroy rsa

# Import the certificate
pki import-certificate local domain hpn p12 filename hpn_local.pfx
# At this point the certificate is available for use, so an SSL policy can be defined.

#### Define SSL-Server policy
ssl server-policy ssl
 pki-domain hpn

#### Use the SSL-Server Policy
# SSL-Server policy can be referenced to by https server or by ssl-vpn
ip https ssl-server-policy ssl
ip https enable

Best regards, Peter.
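
An added example, not part of Peter's procedure or of HP's documentation: a small Python helper, run on an admin workstation, that computes the value for `root-certificate fingerprint sha1` from your own CA certificate (PEM or DER) and compares it with a fingerprint obtained out of band, for instance the one the device prompts during import. All function names are hypothetical, and it assumes the fingerprint is SHA-1 over the DER-encoded certificate, written as 40 hex digits as in the procedure above.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def to_der(data: bytes) -> bytes:
    """Return DER bytes from the body of a PEM- or DER-encoded certificate file."""
    match = PEM_RE.search(data)
    if match:
        # PEM is the base64 of the DER encoding between the BEGIN/END markers.
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    return data


def sha1_fingerprint(data: bytes) -> str:
    """SHA-1 over the DER encoding: 40 uppercase hex digits, no separators."""
    return hashlib.sha1(to_der(data)).hexdigest().upper()


def normalize(fingerprint: str) -> str:
    """Strip colons and spaces so 'AA:BB:..' and 'aabb..' compare equal."""
    hex_only = re.sub(r"[\s:]", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hex_only):
        raise ValueError("not a SHA-1 fingerprint: %r" % fingerprint)
    return hex_only


def matches(data: bytes, expected: str) -> bool:
    """True if the certificate's fingerprint equals the out-of-band value."""
    return sha1_fingerprint(data) == normalize(expected)


def config_line(data: bytes) -> str:
    """The line to place under 'pki domain <name>' for this CA certificate."""
    return " root-certificate fingerprint sha1 " + sha1_fingerprint(data)


if __name__ == "__main__":
    # Usage: python fingerprint.py hpn_ca.cer
    # Without an argument, constructed stand-in bytes are used (not a real cert).
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            cert = handle.read()
    else:
        cert = b"abc"
    print(config_line(cert))
```
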


Re: A5120 https web interface access

Thank you very much. We have updated to the new image, so this worked:


[hp5120] undo ip https enable
[hp5120] ip https enable
[hp5120] save


However, we still kept your solution for old firmware. Very useful!


As far as you know, can the web interface login "Verify Code" be disabled? This is very boring...

Frequent Advisor

Re: A5120 https web interface access

But the new firmware works only with its own certificate, which just looks plain ugly!

And so far I could not find an easy way to import a certificate (wildcard) or request a certificate from an AD CA.