Usage guidelines

If you set the certificate request mode to auto for a PKI domain that does not have a CA certificate, you must configure the fingerprint for CA certificate verification. When an application, like IKE, triggers the device to request local certificates, the device automatically performs the following operations:

1. Obtains the CA certificate from the CA server.
2. Verifies the fingerprint contained in the CA certificate with the one configured in the PKI domain.

If the two fingerprints do not match, or no fingerprint is configured in the PKI domain, the device rejects the CA certificate and the local certificate request fails.

The fingerprint configured by this command is also used for CA certificate verification when the device performs the following operations:

• Imports the CA certificate as requested by the pki import command.
• Obtains the CA certificate as requested by the pki retrieve-certificate command.

The device automatically verifies the fingerprint of the CA certificate to be imported or obtained against that configured in the PKI domain. If the two fingerprints do not match, the device rejects the CA certificate. If no fingerprint is configured in the PKI domain, the device prompts you to manually verify the fingerprint of the CA certificate to be imported or obtained.

Examples

# Specify an MD5 fingerprint for verifying the root CA certificate. (This feature is supported only in non-FIPS mode.)
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E

# Specify an SHA1 fingerprint for verifying the root CA certificate.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93

Related commands

certificate request mode
pki import
pki retrieve-certificate

rule

Use rule to create an access control rule.
Use undo rule to remove an access control rule.

Syntax

rule [ id ] { deny | permit } group-name
undo rule id

Default

No access control rules exist.

Views

Certificate-based access control policy view
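
Returning to the root-certificate fingerprint check described under Usage guidelines above: the following Python sketch is an added example, not the vendor's code and not part of the original reference. It models the accept, reject and prompt outcomes, assuming the conventional definition of a certificate fingerprint (the hash of the DER-encoded certificate). The function names, return strings, separator-tolerant input handling and sample bytes are constructed for illustration.

```python
import base64, hashlib, hmac, re

HEX_LEN = {"md5": 32, "sha1": 40}  # hex digits per algorithm shown in the Examples

def to_der(cert: bytes) -> bytes:
    """Return DER bytes; PEM input is unwrapped, anything else is treated as DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", cert, re.S)
    return base64.b64decode(m.group(1)) if m else cert

def fingerprint(cert: bytes, alg: str) -> str:
    """Hash of the whole DER-encoded certificate, as uppercase hex."""
    return hashlib.new(alg, to_der(cert)).hexdigest().upper()

def normalize(fp: str, alg: str) -> str:
    """Helper convenience (assumption): strip ':' and spaces, then require exact hex length."""
    fp = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{%d}" % HEX_LEN[alg], fp):
        raise ValueError(f"not a valid {alg} fingerprint")
    return fp

def verify_ca(cert, configured, operation):
    """configured is (alg, hex) or None; operation is 'auto-request', 'import' or 'retrieve'."""
    if configured is None:
        # No fingerprint in the PKI domain: the automatic request fails,
        # while pki import / pki retrieve-certificate fall back to a manual check.
        return "reject" if operation == "auto-request" else "prompt-manual-verification"
    alg, fp = configured
    ok = hmac.compare_digest(fingerprint(cert, alg), normalize(fp, alg))
    return "accept" if ok else "reject"

# Constructed stand-in for a CA certificate (placeholder bytes, not a real certificate).
SAMPLE_DER = b"constructed placeholder standing in for DER-encoded CA certificate bytes"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    good = fingerprint(SAMPLE_DER, "sha1")  # value an admin would obtain out of band
    print(verify_ca(SAMPLE_PEM, ("sha1", good), "auto-request"))
    # The SHA1 value from the Examples section does not belong to the sample bytes.
    print(verify_ca(SAMPLE_DER, ("sha1", "D1526110AAD7527FB093ED7FC037B0B3CDDDAD93"), "retrieve"))
    print(verify_ca(SAMPLE_DER, None, "import"))
```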