Re: A5120 https web interface access (1744 Views)
Posts: 19
Registered: ‎04-29-2013
Message 1 of 3 (1,759 Views)

A5120 https web interface access

We seen https configuration, involving certificate request to a CA. Can be configured https access to A5120 Web interface with a self signed certificate ? to avoid long and complex configuration ?

Can you write minimum necessary commands so, we can access web interface safaly in https ?


We see this example configuration:


Very complex only to allow https access to web interface...



Thank you

Honored Contributor
Posts: 344
Registered: ‎03-21-2011
Message 2 of 3 (1,744 Views)

Re: A5120 https web interface access

[ Edited ]



newer comware releases have a simplified https configuration, which just requires enabling https (if no cert available, it will use/generate a selfsigned cert).


To original version was quite hard (IMO), it took me quite some time to just get a selfsigned cert to work, but it worked in the end.


Attached the procedure I had saved at the time. Same text below:


****** Configuration steps to import an external certificate on Comware *****
Author     Peter Debruyne (
Date     27/11/2011
Version    1.0

#### copy the exported CA Certificate file and the Personal Certificate file to flash
# user-view
tftp get hpn_ca.cer
tftp get hpn_local.pfx

#### set correct date and time on Comware, required for the certificate validation (date)
# user-view
clock datetime xxxx

#### Define PKI Domain configuration object.
# system-view
pki domain hpn
 # Default CRL is enabled, so CA must be reachable when importing a Certificate.
 # Since offline procedure is used, the CA is not reachable, so CRL check must be disabled.
 crl check disable
 # optional, otherwise fingerprint will be prompted during import
 # This is the fingerprint from the current example CA Certificate, adjust this if
 # you use your own CA certificate.
 root-certificate fingerprint sha1 0ACB034B202A5C120C61CD8BC4568E41FC9FC78C

#### Import the CA cert
# The device will look for pki-domain-name_ca.cer
# so the default filename (hpn_ca.cer) should work. At this stage, Comware also validates the
# certificate, so date time should be within the certificate valid dates.
# In case Certificate Revokation List (CRL) is still active, Comware will try to contact the CA.
# If there is any issue, the CA cert validation fails.
pki import-certificate ca domain hpn der
#### Import the Device cert
# the sample certificate sslvpn.hpnet.local has been exported from a Windows server, as a pfx file.
# It contains the Device certificate and the private key.
# the file is protected with password "password"

# Since a private key will be imported from the pfx file, the current
# local keys must be destroyed first (if they were created already), or import will fail:
public-key local destroy rsa

# Import the certificate
pki import-certificate local domain hpn p12 filename hpn_local.pfx
# At this point the certificate is available for use, so an SSL policy can be defined.

#### Define SSL-Server policy
ssl server-policy ssl
 pki-domain hpn

#### Use the SSL-Server Policy
# SSL-Server policy can be referenced to by https server or by ssl-vpn
ip https ssl-server-policy ssl
ip https enable

Best regards,Peter.

Posts: 19
Registered: ‎04-29-2013
Message 3 of 3 (1,733 Views)

Re: A5120 https web interface access

Thank you very much. We have updated to new image, so this worked:


[hp5120] undo ip https enable
[hp5120] ip https enable
[hp5120] save


However, we still kept your solution for old firmware. Very useful !


As you know, can be Web Interface Login "Verify Code" disabled ? this is very boring...

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.