admin commands

The admin commands are used to perform administrative functions, such as displaying configuration that is not subject to AAA, manually saving the configuration, clearing user sessions, and rebooting the system.

admin 
application-assurance 
group reference 
url-list reference 
upgrade 
upgrade 
clear 
security 
lockout 
all 
user string
password-history 
all 
user string
disconnect 
address (ipv4-address-no-zone | ipv6-address-no-zone)
op-table-bypass boolean
session-id number
session-type keyword
username string
nat 
save-deterministic-script 
reboot 
[card] keyword
hold 
now 
redundancy 
force-switchover 
ignore-status 
now 
synchronize 
boot-environment 
certificate 
configuration 
satellite 
ethernet-satellite reference 
reboot 
now 
upgrade 
synchronize 
tech-support 
[url] string
save 
bof 
configure 
debug 
li 
[url] string
set 
time 
[system-time] string
show 
configuration 
bof 
booted 
cflash-id string
[cli-path] string
configure 
debug 
detail 
flat 
full-context 
intended 
json 
li 
running 
units 
xml 
support-mode 
system 
license 
activate 
[file-url] string
now 
validate 
[file-url] string
management-interface 
operations 
delete-operation 
[delete-id] number
op-table-bypass boolean
stop-operation 
op-table-bypass boolean
[stop-id] number
security 
hash-control 
custom-hash 
algorithm keyword
key string
remove-custom-hash 
pki 
clear-ocsp-cache 
[entry-id] number
cmpv2 
cert-request 
ca-profile reference
current-certificate string
current-key string
domain-name string
hash-algorithm keyword
ip-address (ipv4-address-no-zone | ipv6-address-no-zone)
new-key string
save-as string
subject-dn string
clear-request 
ca-profile reference
initial-registration 
ca-profile reference
certificate string
domain-name string
hash-algorithm keyword
ip-address (ipv4-address-no-zone | ipv6-address-no-zone)
key-to-certify string
password string
protection-key string
reference string
save-as string
send-chain 
subject-dn string
with-ca reference
key-update 
ca-profile reference
hash-algorithm keyword
new-key string
old-certificate string
old-key string
save-as string
poll 
ca-profile reference
convert-file 
force 
format keyword
[input-file] string
[output-file] string
crl-update 
ca-profile reference
est 
ca-certificates 
est-profile string
force 
output-url string
enroll 
domain-name string
est-profile string
force 
hash-algorithm keyword
ip-address (ipv4-address-no-zone | ipv6-address-no-zone)
key string
output-file string
subject-dn string
validate-certificate-chain 
renew 
certificate string
est-profile string
force 
hash-algorithm keyword
key string
output-file string
validate-certificate-chain 
export 
format keyword
input-file string
key-file string
output-url string
password string
type keyword
generate-csr 
domain-name string
hash-algorithm keyword
ip-address (ipv4-address-no-zone | ipv6-address-no-zone)
key-url string
output-url string
subject-dn string
use-printable 
generate-keypair 
dsa-key-size number
ecdsa-curve keyword
rsa-key-size number
[save-path] string
import 
format keyword
input-url string
output-file string
password string
type keyword
validate-certificate-chain 
reload 
application keyword
certificate string
key string
show 
file-content 
[file-path] string
format keyword
password string
type keyword
update-certificate 
certificate reference
system-password 
admin-password 
telemetry 
grpc 
cancel 
all 
subscription-id number
tech-support 
[url] string

admin command descriptions

admin

Synopsis Enter the administrative context for system operations
Contextadmin
Treeadmin
Introduced16.0.R1

Platforms

All

application-assurance

Synopsis Enter the application-assurance context
Contextadmin application-assurance
Treeapplication-assurance

Description

Commands in this context configure Application Assurance (AA) upgrade and AA group upgrade operations.

Introduced21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

group [aa-group-id] reference
Synopsis Enter the group list instance
Context admin application-assurance group reference
Treegroup

Description

Commands in this context configure the attributes of the group-specific upgrade.

Introduced21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[aa-group-id] reference
Synopsis AA group ID
Contextadmin application-assurance group reference
Treegroup

Reference

state application-assurance group number

Notes

This element is part of a list key.

Introduced21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

url-list [url-list-name] reference
Synopsis Enter the url-list list instance
Contextadmin application-assurance group reference url-list reference
Treeurl-list

Description

Commands in this context configure the URL list upgrade parameters.

Introduced21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

[url-list-name] reference
Synopsis AA URL list name
Context admin application-assurance group reference url-list reference
Treeurl-list

Reference

state application-assurance group number url-list string

Notes

This element is part of a list key.

Introduced21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

upgrade
Synopsis Upgrade to a new isa-aa.tim file
Context admin application-assurance upgrade
Treeupgrade

Description

This command loads a new isa-aa.tim file as part of a router-independent signature upgrade. An AA ISA reboot is required for the upgrade to take effect.

Introduced21.10.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-e, 7750 SR-s, VSR

clear

Synopsis Enter the clear context
Context admin clear
Treeclear
Introduced19.10.R1

Platforms

All

security
Synopsis Enter the security context
Context admin clear security
Treesecurity
Introduced19.10.R1

Platforms

All

lockout
Synopsis Reset the lockout timer
Context admin clear security lockout
Treelockout
Introduced19.10.R1

Platforms

All

all
Synopsis Clear lockout of all users
Context admin clear security lockout all
Treeall

Notes

The following elements are part of a mandatory choice: all or user.

Introduced19.10.R1

Platforms

All

user string
Synopsis User to be cleared of lockout
Context admin clear security lockout user string
Treeuser
String Length1 to 32

Notes

The following elements are part of a mandatory choice: all or user.

Introduced19.10.R1

Platforms

All

password-history
Synopsis Clear the password history
Context admin clear security password-history
Treepassword-history
Introduced19.10.R1

Platforms

All

all
Synopsis Clear password history of all users
Context admin clear security password-history all
Treeall

Notes

The following elements are part of a mandatory choice: all or user.

Introduced19.10.R1

Platforms

All

user string
Synopsis User to be cleared of password history information
Contextadmin clear security password-history user string
Treeuser
String Length1 to 32

Notes

The following elements are part of a mandatory choice: all or user.

Introduced19.10.R1

Platforms

All

disconnect

Synopsis Disconnect a user session
Context admin disconnect
Treedisconnect
Introduced16.0.R1

Platforms

All

address (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IP address of the session to disconnect
Contextadmin disconnect address (ipv4-address-no-zone | ipv6-address-no-zone)
Treeaddress
Introduced19.10.R1

Platforms

All

op-table-bypass boolean
Synopsis Avoid operation ID allocation
Context admin disconnect op-table-bypass boolean
Treeop-table-bypass

Description

When configured to true, the system bypasses the YANG-based operations infrastructure and avoids the allocation of an operation ID. This is useful if the global operations table is full and a delete operation or admin disconnect is required.

Introduced21.5.R1

Platforms

All

session-type keyword
Synopsis Type of session to disconnect
Context admin disconnect session-type keyword
Treesession-type
Optionsconsole, bluetooth, telnet, ssh, ftp, netconf, grpc, cron-ehs
Introduced 19.10.R1

Platforms

All

reboot

Synopsis Reboot CPM or force an upgrade of system boot ROMs
Contextadmin reboot
Treereboot
Introduced16.0.R1

Platforms

All

[card] keyword
Synopsis Card to reboot
Contextadmin reboot [card] keyword
Tree[card]
Optionsactive, standby, upgrade
Introduced16.0.R1

Platforms

All

hold
Synopsis Hold a rebooted standby CPM from coming back online
Contextadmin reboot hold
Treehold
Introduced19.10.R1

Platforms

7750 SR-7s, 7750 SR-14s, VSR

now
Synopsis Reboot immediately without prompts or confirmation
Contextadmin reboot now
Treenow
Introduced16.0.R1

Platforms

All

redundancy

Synopsis Enter the redundancy context
Context admin redundancy
Treeredundancy
Introduced16.0.R1

Platforms

All

synchronize
Synopsis Synchronize the standby CPM
Context admin redundancy synchronize
Treesynchronize
Introduced20.10.R1

Platforms

All

boot-environment
Synopsis Synchronize all files required for the boot process
Contextadmin redundancy synchronize boot-environment
Treeboot-environment

Notes

The following elements are part of a mandatory choice: boot-environment, certificate, or configuration.

Introduced20.10.R1

Platforms

All

certificate
Synopsis Synchronize imported certificate, key, and CRL files
Contextadmin redundancy synchronize certificate
Treecertificate

Notes

The following elements are part of a mandatory choice: boot-environment, certificate, or configuration.

Introduced23.3.R1

Platforms

All

configuration
Synopsis Synchronize the configuration files
Context admin redundancy synchronize configuration
Treeconfiguration

Description

When specified, the system synchronizes the primary, secondary, and tertiary configuration files.

Notes

The following elements are part of a mandatory choice: boot-environment, certificate, or configuration.

Introduced20.10.R1

Platforms

All

satellite

Synopsis Perform administrative operations for satellites
Contextadmin satellite
Treesatellite
Introduced22.2.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

ethernet-satellite [satellite-id] reference
Synopsis Enter the ethernet-satellite list instance
Contextadmin satellite ethernet-satellite reference
Treeethernet-satellite
Introduced22.2.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

[satellite-id] reference
Synopsis Satellite ID
Contextadmin satellite ethernet-satellite reference
Treeethernet-satellite

Reference

state satellite ethernet-satellite number

Notes

This element is part of a list key.

Introduced22.2.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

reboot
Synopsis Initiate an administrative reboot of the chassis
Contextadmin satellite ethernet-satellite reference reboot
Treereboot
Introduced22.2.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

now
Synopsis Reboot immediately without prompts or confirmation
Contextadmin satellite ethernet-satellite reference reboot now
Treenow
Introduced22.2.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

tech-support
Synopsis Save satellite technical support information
Contextadmin satellite ethernet-satellite reference tech-support
Treetech-support

Description

This command creates a system core dump. If no file URL is specified and the ts-location command is configured in the configure system security tech-support context, the technical support file is automatically generated by the system with the file name based on the system name and the date and time, and is saved to the directory indicated by the ts-location configuration.

The format of the auto-generated file name is ts-XXXXX.YYYYMMDD.HHMMUTC.dat, where:

  • XXXXX is the system name with special characters expanded to avoid problems with file systems (for example, a period (.) is expanded to %2E)

  • YYYYMMDD is the date with leading zeros on the year, month, and day

  • HHMM is the hours and minutes in UTC time (24 hour format, always 4 characters, with leading zeros on the hours and minutes)

Note: This command is not supported over non-interactive interfaces (for example, NETCONF).

Note: This command should only be used with authorized direction from the Nokia Technical Assistance Center (TAC).

Introduced22.2.R1

Platforms

7450 ESS, 7750 SR, 7750 SR-a, 7750 SR-e, 7750 SR-s, 7950 XRS

save

Synopsis Perform configuration save operations
Contextadmin save
Treesave
Introduced16.0.R1

Platforms

All

bof
Synopsis Save the BOF region configuration
Context admin save bof
Treebof

Notes

The following elements are part of a choice: bof, configure, debug, or li.

Introduced20.10.R1

Platforms

All

configure
Synopsis Save the configure region configuration
Contextadmin save configure
Treeconfigure

Notes

The following elements are part of a choice: bof, configure, debug, or li.

Introduced20.7.R2

Platforms

All

debug
Synopsis Save the debug region configuration
Context admin save debug
Treedebug

Notes

The following elements are part of a choice: bof, configure, debug, or li.

Introduced21.5.R1

Platforms

All

li
Synopsis Save the LI region configuration
Context admin save li
Treeli

Notes

The following elements are part of a choice: bof, configure, debug, or li.

Introduced19.10.R1

Platforms

All

[url] string
Synopsis Location to save the configuration
Context admin save [url] string
Tree[url]
Introduced16.0.R1

Platforms

All

set

Synopsis Enter the set context
Context admin set
Treeset
Introduced19.10.R1

Platforms

All

time
Synopsis System date and time
Context admin set time
Treetime
Introduced19.10.R1

Platforms

All

[system-time] string
Synopsis System date and time
Context admin set time [system-time] string
Tree[system-time]

Description

This command sets the system date and time. The time zone may optionally be specified. When the time zone is not specified, the system uses the configured system time zone.

Notes

This element is mandatory.

Introduced19.10.R1

Platforms

All

show

Synopsis Enter the show context
Context admin show
Treeshow
Introduced16.0.R1

Platforms

All

configuration
Synopsis Show the current configuration
Context admin show configuration
Treeconfiguration
Introduced16.0.R1

Platforms

All

bof
Synopsis Show the BOF region configuration
Context admin show configuration bof
Treebof

Notes

The following elements are part of a choice: bof, configure, debug, or li.

Introduced20.10.R1

Platforms

All

booted
Synopsis Show the booted BOF configuration
Context admin show configuration booted
Treebooted

Notes

The following elements are part of a choice: booted or cflash-id.

Introduced20.10.R1

Platforms

All

cflash-id string
Synopsis Show the BOF configuration file on a compact flash
Contextadmin show configuration cflash-id string
Treecflash-id
String Length4 to 6

Notes

The following elements are part of a choice: booted or cflash-id.

Introduced20.10.R1

Platforms

All

configure
Synopsis Show the configure region configuration
Contextadmin show configuration configure
Treeconfigure

Notes

The following elements are part of a choice: bof, configure, debug, or li.

Introduced20.7.R1

Platforms

All

debug
Synopsis Show the debug region configuration
Context admin show configuration debug
Treedebug

Notes

The following elements are part of a choice: bof, configure, debug, or li.

Introduced21.5.R1

Platforms

All

flat
Synopsis Show the context from the pwc on each line
Contextadmin show configuration flat
Treeflat

Notes

The following elements are part of a choice: flat, full-context, json, or xml.

Introduced20.7.R1

Platforms

All

full-context
Synopsis Show the full context on each line
Context admin show configuration full-context
Treefull-context

Notes

The following elements are part of a choice: flat, full-context, json, or xml.

Introduced20.7.R1

Platforms

All

intended
Synopsis Show the intended configuration
Context admin show configuration intended
Treeintended

Notes

The following elements are part of a choice: intended or running.

Introduced20.7.R1

Platforms

All

json
Synopsis Show the output in indented JSON format
Contextadmin show configuration json
Treejson

Notes

The following elements are part of a choice: flat, full-context, json, or xml.

Introduced19.10.R1

Platforms

All

li
Synopsis Show the LI region configuration
Context admin show configuration li
Treeli

Notes

The following elements are part of a choice: bof, configure, debug, or li.

Introduced19.10.R1

Platforms

All

running
Synopsis Show the running configuration
Context admin show configuration running
Treerunning

Notes

The following elements are part of a choice: intended or running.

Introduced20.7.R1

Platforms

All

xml
Synopsis Show the output in indented XML format
Contextadmin show configuration xml
Treexml

Notes

The following elements are part of a choice: flat, full-context, json, or xml.

Introduced20.7.R1

Platforms

All

system

Synopsis Enter the system context
Context admin system
Treesystem
Introduced16.0.R6

Platforms

All

license
Synopsis Enter the license context
Context admin system license
Treelicense
Introduced19.10.R1

Platforms

All

management-interface
Synopsis Enter the management-interface context
Contextadmin system management-interface
Treemanagement-interface
Introduced21.5.R1

Platforms

All

operations
Synopsis Enter the operations context
Context admin system management-interface operations
Treeoperations

Description

Commands in this context are used to manage YANG-based operations (for example, admin reboot, or ping) in model-driven interfaces.

Introduced21.5.R1

Platforms

All

delete-operation
Synopsis Stop and remove an operation
Context admin system management-interface operations delete-operation
Treedelete-operation

Description

This command removes an operation and all status and data associated with it. If the operation was executing, it is stopped before removal.

Introduced21.5.R1

Platforms

All

op-table-bypass boolean
Synopsis Avoid operation ID allocation
Context admin system management-interface operations delete-operation op-table-bypass boolean
Treeop-table-bypass

Description

When configured to true, the system bypasses the YANG-based operations infrastructure and avoids the allocation of an operation ID. This is useful if the global operations table is full and a delete operation or admin disconnect is required.

Introduced21.5.R1

Platforms

All

stop-operation
Synopsis Stop the execution of an operational command
Contextadmin system management-interface operations stop-operation
Treestop-operation

Description

This command stops the execution of an operational command.

An operation launched as "asynchronous" is not deleted from the system when it is stopped. Status and other data associated with the operation persist until the operation is explicitly deleted using the delete operation command or a retention timeout.

Introduced21.5.R1

Platforms

All

op-table-bypass boolean
Synopsis Avoid operation ID allocation
Context admin system management-interface operations stop-operation op-table-bypass boolean
Treeop-table-bypass

Description

When configured to true, the system bypasses the YANG-based operations infrastructure and avoids the allocation of an operation ID. This is useful if the global operations table is full and a delete operation or admin disconnect is required.

Introduced21.5.R1

Platforms

All

security
Synopsis Enter the security context
Context admin system security
Treesecurity
Introduced16.0.R6

Platforms

All

hash-control
Synopsis Enter the hash-control context
Contextadmin system security hash-control
Treehash-control
Introduced16.0.R6

Platforms

All

custom-hash
Synopsis Custom encryption
Context admin system security hash-control custom-hash
Treecustom-hash
Introduced16.0.R6

Platforms

All

algorithm keyword
Synopsis Algorithm for custom encryption
Context admin system security hash-control custom-hash algorithm keyword
Treealgorithm

Description

This command configures the algorithm for custom encryption. The encryption uses ECB mode, PKCS#7 padding, and Base64 encoding.

Options3des, aes128, aes192, aes256

Notes

This element is mandatory.

Introduced16.0.R6

Platforms

All

pki
Synopsis Perform PKI related operations
Context admin system security pki
Treepki

Description

Commands in this context specify options for public key infrastructure operations.

Introduced23.3.R1

Platforms

All

cmpv2
Synopsis Perform CMPv2 operations
Context admin system security pki cmpv2
Treecmpv2

Description

Commands in this context specify options for Certificate Management Protocol v2 (CMPv2) operations.

Introduced23.3.R1

Platforms

All

cert-request
Synopsis Request an additional certificate
Context admin system security pki cmpv2 cert-request
Treecert-request

Description

When specified, the system requests an additional certificate after the initial certificate has been obtained from the CA.

The request is authenticated by a signature signed by the current key, along with the current certificate. The hash algorithm used for the signature depends on the key type:

  • DSA key - SHA1

  • RSA key: MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 (default is SHA1)

  • ECDSA key: SHA1 | SHA224 | SHA256 | SHA384 | SHA512 (default is SHA256)

CA may not return a certificate immediately, for example, if the request process requires manual intervention. The poll command can be used to poll the status of the request.

Introduced23.3.R1

Platforms

All

ca-profile reference
Synopsis PKI CA profile name
Context admin system security pki cmpv2 cert-request ca-profile reference
Treeca-profile

Description

This command configures the CA profile that contains the CMPv2 configuration like server URL.

Reference

state system security pki ca-profile string

Notes

This element is mandatory.

Introduced23.3.R1

Platforms

All

current-key string
Synopsis Imported key file used to create the request
Contextadmin system security pki cmpv2 cert-request current-key string
Treecurrent-key

Description

This command specifies the imported key file corresponding to the existing imported certificate file used to create the request.

String Length1 to 95

Notes

This element is mandatory.

Introduced23.3.R1

Platforms

All

domain-name string
Synopsis FQDNs for the Subject Alternative Name
Contextadmin system security pki cmpv2 cert-request domain-name string
Treedomain-name

Description

This command specifies the Fully Qualified Domain Names (FQDNs) for the Subject Alternative Name extension of the requesting certificate, separated by commas.

String Length1 to 512
Introduced23.3.R1

Platforms

All

ip-address (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IP address for the Subject Alternative Name
Contextadmin system security pki cmpv2 cert-request ip-address (ipv4-address-no-zone | ipv6-address-no-zone)
Treeip-address

Description

This command specifies an IPv4 or IPv6 address for the Subject Alternative Name extension of the requesting certificate.

Introduced23.3.R1

Platforms

All

subject-dn string
Synopsis Subject of the requesting certificate
Contextadmin system security pki cmpv2 cert-request subject-dn string
Treesubject-dn

Description

This command specifies the subject DN attributes used in the certificate request. The format is a comma separated list with the format attr1=val1, attr2=val2, where attrN={C | ST | O | OU | CN}.

String Length1 to 256
Introduced23.3.R1

Platforms

All

clear-request
Synopsis Clear pending CMPv2 requests
Context admin system security pki cmpv2 clear-request
Treeclear-request

Description

When specified, the system clears pending CMPv2 requests for the specified CA. If no requests are pending, the system clears the saved result of the previous request

Introduced23.3.R1

Platforms

All

ca-profile reference
Synopsis PKI CA profile name
Context admin system security pki cmpv2 clear-request ca-profile reference
Treeca-profile

Description

This command configures the CA profile that contains the CMPv2 configuration like server URL.

Reference

state system security pki ca-profile string

Notes

This element is mandatory.

Introduced23.3.R1

Platforms

All

initial-registration
Synopsis Request initial certificate using the CMPv2 protocol
Contextadmin system security pki cmpv2 initial-registration
Treeinitial-registration

Description

When specified, the system requests the initial certificate from the CA using the CMPv2 initial registration procedure.

The ca-profile parameter specifies a CA profile which includes CMP server information.

The key-to-certify parameter is an imported key file to be certified by the CA.

The request is authenticated via one of the following methods:

  • A password and a reference number that pre-distributed by CA via out-of-band means. The specified password and reference number are not necessarily in the key-list configured in the corresponding CA-Profile. If key-list is not configured in the corresponding CA profile, the system uses the existing password to authenticate the CMPv2 packets from server if it is in password protection. If key-list is configured in the corresponding CA profile and the server does not send SenderKID, the system uses the lexicographical first key in the key-list to authenticate the CMPv2 packets from the server in case it is in password protection mode.

  • A signature signed by the protection-key or key-to-certify, optionally with with the corresponding certificate. If the protection-key command is not specified, the system uses the key-to-certify configuration for message protection. The hash algorithm used for the signature depends on the key type. See the cert-request command for details. Optionally, the system may send a certificate or a chain of certificates in the extraCertsfield. The certificate is specified by the certificate parameter and must include the public key of the key used for message protection. Sending a chain is enabled by specifying the send-chain and with-ca command options.

The subject-dn command specifies the subject of the requesting certificate.

The save-as command specifies the full path name for saving the result certificate.

The CA may not return the certificate immediately, for example, if the request process requires manual intervention. In such cases, the poll command can be used to poll the status of the request.

Introduced23.3.R1

Platforms

All

ca-profile reference
Synopsis PKI CA profile name
Context admin system security pki cmpv2 initial-registration ca-profile reference
Treeca-profile

Description

This command configures the CA profile that contains the CMPv2 configuration like server URL.

Reference

state system security pki ca-profile string

Notes

This element is mandatory.

Introduced23.3.R1

Platforms

All

certificate string
Synopsis Filename of the certificate for the protection key
Contextadmin system security pki cmpv2 initial-registration certificate string
Treecertificate
String Length1 to 95

Notes

The following elements are part of a mandatory choice: (certificate, hash-algorithm, protection-key, send-chain, and with-ca) or (password and reference).

Introduced23.3.R1

Platforms

All

domain-name string
Synopsis FQDNs for the Subject Alternative Name
Contextadmin system security pki cmpv2 initial-registration domain-name string
Treedomain-name

Description

This command specifies the Fully Qualified Domain Names (FQDNs) for the Subject Alternative Name extension of the requesting certificate, separated by commas.

String Length1 to 512
Introduced23.3.R1

Platforms

All

hash-algorithm keyword
Synopsis Hash algorithm used for the certificate signature
Contextadmin system security pki cmpv2 initial-registration hash-algorithm keyword
Treehash-algorithm
Optionsmd5, sha1, sha224, sha256, sha384, sha512

Notes

The following elements are part of a mandatory choice: (certificate, hash-algorithm, protection-key, send-chain, and with-ca) or (password and reference).

Introduced23.3.R1

Platforms

All

ip-address (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IP address for the Subject Alternative Name
Contextadmin system security pki cmpv2 initial-registration ip-address (ipv4-address-no-zone | ipv6-address-no-zone)
Treeip-address

Description

This command specifies an IPv4 or IPv6 address for the Subject Alternative Name extension of the requesting certificate.

Introduced23.3.R1

Platforms

All

password string
Synopsis Password for message protection
Context admin system security pki cmpv2 initial-registration password string
Treepassword
String Length1 to 64

Notes

The following elements are part of a mandatory choice: (certificate, hash-algorithm, protection-key, send-chain, and with-ca) or (password and reference).

Introduced23.3.R1

Platforms

All

protection-key string
Synopsis Key file used to generate message protection signature
Contextadmin system security pki cmpv2 initial-registration protection-key string
Treeprotection-key
String Length1 to 95

Notes

The following elements are part of a mandatory choice: (certificate, hash-algorithm, protection-key, send-chain, and with-ca) or (password and reference).

Introduced23.3.R1

Platforms

All

reference string
Synopsis Password reference number
Context admin system security pki cmpv2 initial-registration reference string
Treereference
String Length1 to 64

Notes

The following elements are part of a mandatory choice: (certificate, hash-algorithm, protection-key, send-chain, and with-ca) or (password and reference).

Introduced23.3.R1

Platforms

All

subject-dn string
Synopsis Subject of the requesting certificate
Contextadmin system security pki cmpv2 initial-registration subject-dn string
Treesubject-dn

Description

This command specifies the subject DN attributes used in the certificate request. The format is a comma separated list with the format attr1=val1, attr2=val2, where attrN={C | ST | O | OU | CN}.

String Length1 to 256
Introduced23.3.R1

Platforms

All

with-ca reference
Synopsis Name of CA profile with certificate in the send chain
Contextadmin system security pki cmpv2 initial-registration with-ca reference
Treewith-ca

Reference

state system security pki ca-profile string

Notes

The following elements are part of a mandatory choice: (certificate, hash-algorithm, protection-key, send-chain, and with-ca) or (password and reference).

Introduced23.3.R1

Platforms

All

key-update
Synopsis Request new certificate to update existing certificate
Contextadmin system security pki cmpv2 key-update
Treekey-update

Description

When specified, the system requests a new certificate from the CA to update an existing certificate due to reasons such as a key refresh or to replace a compromised key.

The CA may not return the certificate immediately, for example, if the request process requires manual intervention. In these cases, the poll command can be used to poll the status of the request.

Introduced23.3.R1

Platforms

All

ca-profile reference
Synopsis PKI CA profile name
Context admin system security pki cmpv2 key-update ca-profile reference
Treeca-profile

Description

This command configures the CA profile that contains the CMPv2 configuration like server URL.

Reference

state system security pki ca-profile string

Notes

This element is mandatory.

Introduced23.3.R1

Platforms

All

poll
Synopsis Poll the CMPv2 server for pending request status
Contextadmin system security pki cmpv2 poll
Treepoll

Description

When specified, the system polls the status of the pending CMPv2 request toward the specified CA.

If the response is ready, the system resumes the CMPv2 protocol exchange with the server.

SR OS allows only one pending CMP request per CA; therefore, no new request is allowed when a pending request is present.

Introduced23.3.R1

Platforms

All

ca-profile reference
Synopsis PKI CA profile name
Context admin system security pki cmpv2 poll ca-profile reference
Treeca-profile

Description

This command configures the CA profile that contains the CMPv2 configuration like server URL.

Reference

state system security pki ca-profile string

Notes

This element is mandatory.

Introduced23.3.R1

Platforms

All

convert-file
Synopsis Convert imported file between secure and legacy format
Contextadmin system security pki convert-file
Treeconvert-file
Introduced23.3.R1

Platforms

All

force
Synopsis Force the conversion
Context admin system security pki convert-file force
Treeforce

Description

When specified, the system forces the conversion of imported certificates and keys even if files with the same output names exist.

Introduced23.3.R1

Platforms

All

[output-file] string
Synopsis Output filename
Context admin system security pki convert-file [output-file] string
Tree[output-file]

Description

This command specifies the output filename. If the filename already exists, the system prompts the user to proceed or aborts if the force command is unconfigured.

String Length1 to 95

Notes

This element is mandatory.

Introduced23.3.R1

Platforms

All

crl-update
Synopsis Trigger the CRL update for the CA profile
Contextadmin system security pki crl-update
Treecrl-update
Introduced23.3.R1

Platforms

All

ca-profile reference
Synopsis PKI CA profile name
Context admin system security pki crl-update ca-profile reference
Treeca-profile

Description

This command configures the CA profile that contains the CMPv2 configuration like server URL.

Reference

state system security pki ca-profile string

Notes

This element is mandatory.

Introduced23.3.R1

Platforms

All

est
Synopsis Perform Enrollment over Secure Transport operations
Contextadmin system security pki est
Treeest

Description

Commands in this context configure command options for Enrollment over Secure Transport (EST) protocol operations.

Introduced23.3.R1

Platforms

All

ca-certificates
Synopsis Download CA certificates from the EST server
Contextadmin system security pki est ca-certificates
Treeca-certificates

Description

This command downloads a Certificate Authority (CA) certificate from an EST server specified by the profile name.

Introduced23.3.R1

Platforms

All

enroll
Synopsis Enroll a new certificate with CA with the EST protocol
Contextadmin system security pki est enroll
Treeenroll

Description

When specified, the system enrolls a new certificate with Certificate Authority (CA) by the EST protocol specified with the est-profile command with a imported private key specified by the key command.

The est-profile commad specifies the authentication between the system and EST server.

The hash-alg, subject-dn, domain-name, and ip-address commands are used to generate the Certificate Signing Request (CSR) in the EST request message. The domain-name and ip-address commands are used as subject alternative names.

If validate-certificate-chain is specified, the system validates the chain of result certificate before importing it. The certificate chain is the chain of all certificates from the result certificate to the issuing CA. The result certificate is the new certificate returned by the EST server.

The result certificate is imported and saved with the filename specified by the output-file command. If the force command is specified, the system overwrites the existing file with same name as the output file.

Introduced23.3.R1

Platforms

All

domain-name string
Synopsis FQDNs for the Subject Alternative Name
Contextadmin system security pki est enroll domain-name string
Treedomain-name

Description

This command specifies the Fully Qualified Domain Names (FQDNs) for the Subject Alternative Name extension of the requesting certificate, separated by commas.

String Length1 to 512
Introduced23.3.R1

Platforms

All

ip-address (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IP address for the Subject Alternative Name
Contextadmin system security pki est enroll ip-address (ipv4-address-no-zone | ipv6-address-no-zone)
Treeip-address

Description

This command specifies an IPv4 or IPv6 address for the Subject Alternative Name extension of the requesting certificate.

Introduced23.3.R1

Platforms

All

key string
Synopsis Name of the imported the key file to enroll
Contextadmin system security pki est enroll key string
Treekey
String Length1 to 200

Notes

This element is mandatory.

Introduced23.3.R1

Platforms

All

subject-dn string
Synopsis Subject of the requesting certificate
Contextadmin system security pki est enroll subject-dn string
Treesubject-dn

Description

This command specifies the subject DN attributes used in the certificate request. The format is a comma separated list with the format attr1=val1, attr2=val2, where attrN={C | ST | O | OU | CN}.

String Length1 to 256
Introduced23.3.R1

Platforms

All

renew
Synopsis Renew a CA certificate using the EST protocol
Contextadmin system security pki est renew
Treerenew

Description

When specified, the system renews an imported certificate (specified by the certificate command) with a Certificate Authority (CA) using the EST protocol specified by the est-profile parameter, with an imported private key specified the key command. The key can be either the key of the certificate to be renewed or a new key.

The authentication between system and EST server is specified by the est-profile parameter.

The system uses the hash-alg command to generate the CSR in the EST request message.

Introduced23.3.R1

Platforms

All

key string
Synopsis Imported key file of the certificate to renew
Contextadmin system security pki est renew key string
Treekey
String Length1 to 200

Notes

This element is mandatory.

Introduced23.3.R1

Platforms

All

export
Synopsis Export an imported file
Context admin system security pki export
Treeexport
Introduced23.3.R1

Platforms

All

format keyword
Synopsis Output file format
Context admin system security pki export format keyword
Treeformat
Optionspkcs12, pkcs7-der, pkcs7-pem, pem, der

Notes

This element is mandatory.

Introduced23.3.R1

Platforms

All

key-file string
Synopsis Name of the key file to be exported
Context admin system security pki export key-file string
Treekey-file

Description

This command specifies the name of the key file to be exported when the output format may contain the certificate and the key.

String Length1 to 95
Introduced23.3.R1

Platforms

All

type keyword
Synopsis Type of file to be exported
Context admin system security pki export type keyword
Treetype
Optionscertificate, key, crl

Notes

This element is mandatory.

Introduced23.3.R1

Platforms

All

generate-csr
Synopsis Generate a PKCS#10 certificate signing request file
Contextadmin system security pki generate-csr
Treegenerate-csr
Introduced23.3.R1

Platforms

All

domain-name string
Synopsis FQDNs for the Subject Alternative Name
Contextadmin system security pki generate-csr domain-name string
Treedomain-name

Description

This command specifies the Fully Qualified Domain Names (FQDNs) for the Subject Alternative Name extension of the requesting certificate, separated by commas.

String Length1 to 512
Introduced23.3.R1

Platforms

All

ip-address (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis IP address for the Subject Alternative Name
Contextadmin system security pki generate-csr ip-address (ipv4-address-no-zone | ipv6-address-no-zone)
Treeip-address

Description

This command specifies an IPv4 or IPv6 address for the Subject Alternative Name extension of the requesting certificate.

Introduced23.3.R1

Platforms

All

subject-dn string
Synopsis Subject of the requesting certificate
Contextadmin system security pki generate-csr subject-dn string
Treesubject-dn

Description

This command specifies the subject DN attributes used in the certificate request. The format is a comma separated list with the format attr1=val1, attr2=val2, where attrN={C | ST | O | OU | CN}.

String Length1 to 256
Introduced23.3.R1

Platforms

All

use-printable
Synopsis Force ASCII encoding for input subject DN attributes
Contextadmin system security pki generate-csr use-printable
Treeuse-printable

Description

When specified, the system forces the use of ASCII encoding for the input subject DN attributes. Otherwise, the system uses UTF-8 encoding.

Introduced23.3.R1

Platforms

All

generate-keypair
Synopsis Generate PKI key pair
Context admin system security pki generate-keypair
Treegenerate-keypair

Description

When specified, the system generates an RSA, DSA, or ECDSA private/public key pair file

Introduced23.3.R1

Platforms

All

dsa-key-size number
Synopsis Length of the DSA key to be generated
Contextadmin system security pki generate-keypair dsa-key-size number
Treedsa-key-size
Range512 to 8192
Default2048

Notes

The following elements are part of a mandatory choice: dsa-key-size, ecdsa-curve, or rsa-key-size.

Introduced23.3.R1

Platforms

All

ecdsa-curve keyword
Synopsis Elliptic curve of the ECDSA key to be generated
Contextadmin system security pki generate-keypair ecdsa-curve keyword
Treeecdsa-curve
Defaultsecp256r1
Optionssecp256r1, secp384r1, secp521r1

Notes

The following elements are part of a mandatory choice: dsa-key-size, ecdsa-curve, or rsa-key-size.

Introduced23.3.R1

Platforms

All

rsa-key-size number
Synopsis Length of the RSA key to be generated
Contextadmin system security pki generate-keypair rsa-key-size number
Treersa-key-size
Range512 to 8192
Default2048

Notes

The following elements are part of a mandatory choice: dsa-key-size, ecdsa-curve, or rsa-key-size.

Introduced23.3.R1

Platforms

All

import
Synopsis Import a certificate related file
Context admin system security pki import
Treeimport

Description

When specified, the system imports an input file (key/certificate/CRL) to be used by SROS applications. The following summarizes the supported formats:

  • Certificate - PKCS #12, PKCS #7 PEM encoded, PKCS #7 DER encoded, PEM, DER

  • Key - PKCS #12, PEM, DER

  • CRL - PKCS #7 PEM encoded, PKCS #7 DER encoded, PEM, DER

Introduced23.3.R1

Platforms

All

format keyword
Synopsis Output file format
Context admin system security pki import format keyword
Treeformat
Optionspkcs12, pkcs7-der, pkcs7-pem, pem, der

Notes

This element is mandatory.

Introduced23.3.R1

Platforms

All

type keyword
Synopsis Type of file to be exported
Context admin system security pki import type keyword
Treetype
Optionscertificate, key, crl

Notes

This element is mandatory.

Introduced23.3.R1

Platforms

All

reload
Synopsis Reload key or certificate files
Context admin system security pki reload
Treereload

Description

When specified, the system reloads the key or certificate files for the specified application.This command can be used to ensure a changed imported file takes effect.

Introduced23.3.R1

Platforms

All

key string
Synopsis Name of the key file to reload
Context admin system security pki reload key string
Treekey
String Length1 to 95

Notes

This element is mandatory.

Introduced23.3.R1

Platforms

All

show
Synopsis Enter the show context
Context admin system security pki show
Treeshow

Description

Commands in this context include operations to display the PKI file.

Introduced23.3.R1

Platforms

All

file-content
Synopsis Display content of certificate related files
Contextadmin system security pki show file-content
Treefile-content
Introduced23.3.R1

Platforms

All

update-certificate
Synopsis Update End Entity certificate
Context admin system security pki update-certificate
Treeupdate-certificate

Description

When specified, the system triggers an update for the specified certificate according to the corresponding configure system security pki certificate-auto-update configuration.

Introduced23.3.R1

Platforms

All

telemetry
Synopsis Enter the telemetry context
Context admin system telemetry
Treetelemetry
Introduced19.10.R1

Platforms

All

grpc
Synopsis Enter the grpc context
Context admin system telemetry grpc
Treegrpc
Introduced19.10.R1

Platforms

All

cancel
Synopsis Cancel the gRPC dynamic telemetry subscription
Contextadmin system telemetry grpc cancel
Treecancel
Introduced19.10.R1

Platforms

All

all
Synopsis Cancel gRPC dynamic telemetry for all subscriptions
Contextadmin system telemetry grpc cancel all
Treeall

Notes

The following elements are part of a mandatory choice: all or subscription-id.

Introduced19.10.R1

Platforms

All

subscription-id number
Synopsis ID of the telemetry subscription to cancel
Contextadmin system telemetry grpc cancel subscription-id number
Treesubscription-id
Max. Range0 to 4294967295

Notes

The following elements are part of a mandatory choice: all or subscription-id.

Introduced19.10.R1

Platforms

All

tech-support

Synopsis Save technical support information to a file
Contextadmin tech-support
Treetech-support
Introduced20.10.R1

Platforms

All

[url] string
Synopsis URL to save technical support information
Contextadmin tech-support [url] string
Tree[url]
String Length1 to 180
Introduced20.10.R1

Platforms

All