Configuring PKI Certificate Verification – H3C Technologies H3C S5120 Series Switches User Manual


- If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction prevents inconsistency between the certificate and the registration information that related configuration changes could otherwise cause. To retrieve a new CA certificate, first use the pki delete-certificate command to delete the existing CA certificate and local certificate.

- The pki retrieval-certificate configuration is not saved in the configuration file.

- Make sure the device system time falls within the validity period of the certificate so that the certificate is valid.

Configuring PKI Certificate Verification

A certificate must be verified before it is used. Verifying a certificate means checking that it is signed by the CA and that it has neither expired nor been revoked.

Before verifying a certificate, you need to retrieve the CA certificate.

You can specify whether CRL checking is required during certificate verification. If you enable CRL checking, CRLs are used when verifying a certificate.

Configuring CRL-checking-enabled PKI certificate verification

Follow these steps to configure CRL-checking-enabled PKI certificate verification:

1. Enter system view
   Command: system-view

2. Enter PKI domain view
   Command: pki domain domain-name

3. Specify the URL of the CRL distribution point
   Command: crl url url-string
   Remarks: Optional. No CRL distribution point URL is specified by default.

4. Set the CRL update period
   Command: crl update-period hours
   Remarks: Optional. By default, the CRL update period depends on the next update field in the CRL file.

5. Enable CRL checking
   Command: crl check enable
   Remarks: Optional. Enabled by default.

6. Return to system view
   Command: quit

7. Retrieve the CA certificate
   Command: Refer to "Retrieving a Certificate Manually"
   Remarks: Required

8. Retrieve CRLs
   Command: pki retrieval-crl domain domain-name
   Remarks: Required

9. Verify the validity of a certificate
   Command: pki validate-certificate { ca | local } domain domain-name
   Remarks: Required
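The following CLI session is an added example, not taken from the manual, that runs the steps above end to end for a constructed PKI domain named branch with a constructed CRL distribution point URL; the pki retrieval-certificate, pki delete-certificate and display pki commands are standard Comware commands referred to elsewhere in the manual rather than listed in this table.

```text
# Enter system view and the PKI domain view (domain "branch" is a constructed name).
<Switch> system-view
[Switch] pki domain branch

# Point the domain at the CRL distribution point (constructed LDAP URL) and
# refresh the CRL every 12 hours instead of waiting for the CRL's next-update field.
[Switch-pki-domain-branch] crl url ldap://crl.example.com/CN=branch-ca
[Switch-pki-domain-branch] crl update-period 12

# CRL checking is on by default; stating it explicitly documents the intent.
[Switch-pki-domain-branch] crl check enable
[Switch-pki-domain-branch] quit

# Only if the domain already holds a CA certificate: delete the existing
# CA and local certificates first, because a second CA retrieval is refused.
[Switch] pki delete-certificate local domain branch
[Switch] pki delete-certificate ca domain branch

# Retrieve the CA certificate (required before any verification),
# then the CRL (required because CRL checking is enabled).
[Switch] pki retrieval-certificate ca domain branch
[Switch] pki retrieval-crl domain branch

# Verify the CA certificate first, then the local certificate.
# Either step fails if the chain does not validate, the certificate is
# outside its validity period relative to the device clock, or it is revoked.
[Switch] pki validate-certificate ca domain branch
[Switch] pki validate-certificate local domain branch

# Confirm what the device actually holds (useful when a validation fails).
[Switch] display pki certificate ca domain branch
[Switch] display pki crl domain branch
```

If the CA validation fails with the clock as the cause, correct the device system time before re-running the validation; the retrieval commands themselves are not written to the saved configuration, so they must be repeated after a reboot that loses the certificates.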

Configuring CRL-checking-disabled PKI certificate verification

Follow these steps to configure CRL-checking-disabled PKI certificate verification:
