Comware Based
Showing results for 
Search instead for 
Did you mean: 

A5120 https web interface access


A5120 https web interface access

We seen https configuration, involving certificate request to a CA. Can be configured https access to A5120 Web interface with a self signed certificate ? to avoid long and complex configuration ?

Can you write minimum necessary commands so, we can access web interface safaly in https ?


We see this example configuration:


Very complex only to allow https access to web interface...



Thank you

Honored Contributor

Re: A5120 https web interface access



newer comware releases have a simplified https configuration, which just requires enabling https (if no cert available, it will use/generate a selfsigned cert).


To original version was quite hard (IMO), it took me quite some time to just get a selfsigned cert to work, but it worked in the end.


Attached the procedure I had saved at the time. Same text below:


****** Configuration steps to import an external certificate on Comware *****
Author     Peter Debruyne (
Date     27/11/2011
Version    1.0

#### copy the exported CA Certificate file and the Personal Certificate file to flash
# user-view
tftp get hpn_ca.cer
tftp get hpn_local.pfx

#### set correct date and time on Comware, required for the certificate validation (date)
# user-view
clock datetime xxxx

#### Define PKI Domain configuration object.
# system-view
pki domain hpn
 # Default CRL is enabled, so CA must be reachable when importing a Certificate.
 # Since offline procedure is used, the CA is not reachable, so CRL check must be disabled.
 crl check disable
 # optional, otherwise fingerprint will be prompted during import
 # This is the fingerprint from the current example CA Certificate, adjust this if
 # you use your own CA certificate.
 root-certificate fingerprint sha1 0ACB034B202A5C120C61CD8BC4568E41FC9FC78C

#### Import the CA cert
# The device will look for pki-domain-name_ca.cer
# so the default filename (hpn_ca.cer) should work. At this stage, Comware also validates the
# certificate, so date time should be within the certificate valid dates.
# In case Certificate Revokation List (CRL) is still active, Comware will try to contact the CA.
# If there is any issue, the CA cert validation fails.
pki import-certificate ca domain hpn der
#### Import the Device cert
# the sample certificate sslvpn.hpnet.local has been exported from a Windows server, as a pfx file.
# It contains the Device certificate and the private key.
# the file is protected with password "password"

# Since a private key will be imported from the pfx file, the current
# local keys must be destroyed first (if they were created already), or import will fail:
public-key local destroy rsa

# Import the certificate
pki import-certificate local domain hpn p12 filename hpn_local.pfx
# At this point the certificate is available for use, so an SSL policy can be defined.

#### Define SSL-Server policy
ssl server-policy ssl
 pki-domain hpn

#### Use the SSL-Server Policy
# SSL-Server policy can be referenced to by https server or by ssl-vpn
ip https ssl-server-policy ssl
ip https enable

Best regards,Peter.


Re: A5120 https web interface access

Thank you very much. We have updated to new image, so this worked:


[hp5120] undo ip https enable
[hp5120] ip https enable
[hp5120] save


However, we still kept your solution for old firmware. Very useful !


As you know, can be Web Interface Login "Verify Code" disabled ? this is very boring...

Regular Advisor

Re: A5120 https web interface access

But new firmware works only with its own certificate which just looks plain ugly!

And I so far could not find an easy way to import certificate (wildcard) or request certificate from AD CA