Retrieving a Certificate Manually, Configuring PKI Certificate Validation – H3C Technologies H3C WX6000 Series Access Controllers User Manual


Retrieving a Certificate Manually

You can download an existing CA certificate or local certificate from the CA server and save it locally,
either online or offline. In offline mode, you retrieve the certificate by an out-of-band means such as
FTP, disk or e-mail, and then import it into the local PKI system.

Certificate retrieval serves two purposes:

• Locally store the certificates associated with the local security domain, for improved query efficiency
and a reduced query count;
• Prepare for certificate validation.

Before retrieving a local certificate, be sure to complete LDAP server configuration.

Follow these steps to retrieve a certificate manually:

To do…                            Use the command…                                                        Remarks

Enter system view                 system-view

Retrieve a certificate manually   Online:  pki retrieval-certificate { ca | local } domain domain-name    Required
                                  Offline: pki import-certificate { ca | local } domain domain-name       Use either command
                                           { der | p12 | pem } [ filename filename ]

• If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This
prevents inconsistency between the certificate and the enrollment information when related configuration
changes. To retrieve a new CA certificate, first use the pki delete-certificate command to delete the
existing CA certificate and local certificate.
• The pki retrieval-certificate configuration is not saved in the configuration file.

Configuring PKI Certificate Validation

A certificate needs to be validated before being used. Validating a certificate means checking that it is
signed by the CA and that it has neither expired nor been revoked.

Before validating a certificate, you need to retrieve the CA certificate.

You can specify whether CRL checking is required during certificate validation. If CRL checking is enabled,
CRLs are consulted when a certificate is validated.

Configuring CRL-checking-enabled PKI certificate validation

Follow these steps to configure CRL-checking-enabled PKI certificate validation:

To do…                                          Use the command…          Remarks

Enter system view                               system-view

Enter PKI domain view                           pki domain domain-name

Specify the URL of the CRL distribution point   crl url url-string        Optional
                                                                          No CRL distribution point URL is specified by default.
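The following openssl shell script is an added example, not part of the H3C manual: it builds a throwaway CA on a workstation and reproduces the three checks the controller performs when it validates a certificate (CA signature, validity period, revocation against a CRL), while also producing the CA certificate in the PEM and DER forms the offline pki import-certificate path accepts. All names, subjects and lifetimes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the H3C manual: a throwaway CA built with the openssl CLI to show the
# objects a PKI domain needs (CA certificate, local certificate, CRL; PEM and DER as accepted by
# the offline pki import-certificate path) and the three checks the controller performs when it
# validates a certificate: CA signature, validity period, and revocation against the CRL.
# Every name, subject and lifetime below is constructed for the demo.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Minimal openssl ca(1) configuration: just enough to keep a revocation database and issue CRLs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
serial = serial
default_md = sha256
default_crl_days = 7
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
EOF
: > index.txt; echo 1000 > serial

# Self-signed CA certificate (what "pki retrieval-certificate ca" fetches, or what is imported offline).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 30 -subj "/CN=Demo CA" -config ca.cnf 2>/dev/null
# Local certificate for the device, signed by that CA (the domain's "local" certificate).
openssl req -newkey rsa:2048 -nodes -keyout ac.key -out ac.csr -subj "/CN=demo-ac" -config ca.cnf 2>/dev/null
openssl x509 -req -in ac.csr -CA ca.pem -CAkey ca.key -set_serial 1001 -days 7 -out ac.pem 2>/dev/null
# DER copy of the CA certificate: the "der" format of pki import-certificate.
openssl x509 -in ca.pem -outform DER -out ca.der

# validate CERT [CRL] [AT_TIME]: exit 0 only if CERT is signed by the CA, is inside its validity
# period (evaluated at AT_TIME, epoch seconds, if given) and, when a CRL is given, is not listed on it.
validate() {
  crl_opts=""; [ -n "$2" ] && crl_opts="-crl_check -CRLfile $2"
  time_opts=""; [ -n "$3" ] && time_opts="-attime $3"
  openssl verify -CAfile ca.pem $crl_opts $time_opts "$1" >/dev/null 2>&1
}
report() { if validate "$@"; then echo "$1: valid"; else echo "$1: rejected"; fi; }

report ac.pem                                    # valid: signed by the CA, in date, no CRL consulted
# Revoke the local certificate and issue the CRL a distribution point ("crl url") would serve.
openssl ca -config ca.cnf -keyfile ca.key -cert ca.pem -revoke ac.pem 2>/dev/null
openssl ca -config ca.cnf -keyfile ca.key -cert ca.pem -gencrl -out crl.pem 2>/dev/null
report ac.pem crl.pem                            # rejected: listed on the CRL
report ac.pem "" "$(( $(date +%s) + 10*86400 ))" # rejected: expired once the clock is 10 days ahead
```

Moving the clock with -attime stands in for a certificate whose validity period has lapsed, which is the same failure the controller reports when a local certificate expires while its CA certificate is still valid.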
