614[Sysname-ikev2-profile-profile1] keychain keychain1Related commandsdisplay ikev2 profilecertificate domain (ikev2 profile view)keychain (ikev2 profile view)certificate domainUse certificate domain to specify a PKI domain for signature authentication in IKEv2 negotiation.Use undo certificate domain to remove a PKI domain for signature authentication in IKEv2negotiation.Syntaxcertificate domain domain-name [ sign | verify ]undo certificate domain domain-nameDefaultPKI domains configured in system view are used.ViewsIKEv2 profile viewPredefined user rolesnetwork-adminParametersdomain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.sign: Uses the local certificate in the PKI domain to generate a signature.verify: Uses the CA certificate in the PKI domain to verify the remote end's certificate.Usage guidelinesIf you do not specify the sign or verify keyword, the PKI domain is used for both purposes. You canspecify a PKI domain for each purpose by executing this command multiple times. If you specify thesame PKI domain for both purposes, the later configuration takes effect. For example, if you executecertificate domain abc sign and certificate domain abc verify successively, the PKI domain abcwill be used only for verification.If the local end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domainfor signature generation. If the remote end uses RSA, DSA, or ECDSA signature authentication, youmust specify a PKI domain for verifying the remote end's certificate. If you do not specify PKIdomains, the PKI domains configured in system view will be used.Examples# Create an IKEv2 profile named profile1. system-view[Sysname] ikev2 profile profile1# Specify the PKI domain abc for signature. Specify the PKI domain def for verification.[Sysname-ikev2-profile-profile1] certificate domain abc sign[Sysname-ikev2-profile-profile1] certificate domain def verifyRelated commandsauthentication-method