Comware Based
Showing results for 
Search instead for 
Did you mean: 

SSL certificate config on Comware v7

Regular Advisor

SSL certificate config on Comware v7

Looking here it shold be easy:

I do NOT want to use the default generated certificate for https!

So I follow the instructions & eventually request vertificate, but get error:

[HPE5900-SR1]pki request-certificate domain **********
Certificate request failed: No key pair specified for the PKI domain.

Anybody has instructions that will work?


Regular Advisor

Re: SSL certificate config on Comware v7

I have a case opened with

GSD_GSC_Case_Mgmt_Prod <>

for the second week, with no solution.

Managed to get certificate issued by local MS ADCA, but that was Network Device Enrollment Service (NDES) certificate which DOES NOT work for HTTPS.

What was required:

public-key rsa general name xxx length 2048

pki request-certificate domain "domain-name" password "password"

(where password is generated by ADCA http://localhost/certsrv/mscep_admin as per )

Still could not get proper answer how to request proper SSL web server certificate OR how to import wildcard certificate issued by external CA

Horrendous experience! Horrible support (in UK Level 2) that has NO TEST environment!

Shame on you HPE!

Regular Advisor

Re: SSL certificate config on Comware v7

Eventually had BUG confirmed for BOTH issues by HPE support.

So maybe in next release...

Regular Advisor

Re: SSL certificate config on Comware v7

OK, let me now recap what needs to be done for this to work.

A plain blank never used SCEP/NDES server will do just fine.

 But one needs to assume that customer might use such server for something else.

 Which was the case in my setup. I use SCEP server to request certificate by Apple iDevices (iPad/iPhone) for wireless network access, using custome template which does NOT have Server Authentication configured

 Hence the settings on my SCEP server were for the very purpose & created certificate did not work

 To make sure that certificate obtained from SCEP server is good for SSL  one needs to configure correct template in


 Preferably one that has Server Authentication configured

 Good read is here:


One that was configured in that way, then simple set of commands did get certificate


pki domain domainA1

ca identifier NameOfCA

certificate request url http://EnterpriseCA.domainA1.local/certsrv/mscep/mscep.dll

certificate request from ra

certificate request entity hpe5900-sr1

crl url http://EnterpriseCA.domainA1.local/CertEnroll/whatever_is_configured.crl


pki entity hpe5900

common-name HPE5900.domainA1.local

country GB


ssl server-policy domainA1-ssl

pki-domain domainA1


undo ip https enable

 [HPE5900-pki-domain-domainA1]public-key rsa general name BG length 2048


 pki retrieve-certificate domain doaminA1 ca

 pki request-certificate domain doaminA1 password 2A792FF083164D59 (password as obtained from CA http://ndes_server/certsrv/mscep_admin)

 ip https ssl-server-policy domainA1-ssl

 ip https enable