
Verifying certificates without CRL checking, Exporting certificates – H3C Technologies H3C S6300 Series Switches User Manual


Verifying certificates without CRL checking

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter PKI domain view. | pki domain domain-name | N/A |
| 3. Disable CRL checking. | undo crl check enable | By default, CRL checking is enabled. |
| 4. Return to system view. | quit | N/A |
| 5. Obtain the CA certificate. | See "Obtaining certificates." | N/A |
| 6. Verify the validity of the certificates. | pki validate-certificate domain domain-name { ca \| local } | This command is not saved in the configuration file. |
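An added example, not part of the H3C manual: because CRL checking is enabled by default, a PKI domain that skips revocation checks is identifiable by the undo crl check enable line in its view, so saved configurations can be audited for it. The Python sketch below assumes a saved-configuration layout with the view line at column 0, its commands indented, and "#" between sections; the domain names and sample text are constructed.

```python
import re

# Constructed sample configuration text (not taken from the manual or a device).
SAMPLE_CONFIG = """\
#
pki domain branch-vpn
 undo crl check enable
#
pki domain hq-vpn
#
pki domain lab
 undo crl check enable
 crl check enable
#
"""


def domains_without_crl_check(config_text):
    """Return the PKI domains whose effective setting disables CRL checking."""
    crl_enabled = {}   # domain name -> effective CRL-check state
    current = None     # PKI domain view we are inside, if any
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not raw[0].isspace():
            # Any column-0 line ("#" or another view) ends the previous view.
            m = re.fullmatch(r"pki domain (\S+)", line)
            current = m.group(1) if m else None
            if current is not None:
                # Per the manual, CRL checking is enabled by default.
                crl_enabled.setdefault(current, True)
            continue
        if current is None:
            continue   # indented command under some other view
        cmd = " ".join(line.split())
        if cmd == "undo crl check enable":
            crl_enabled[current] = False
        elif cmd == "crl check enable":
            crl_enabled[current] = True   # last setting in the view wins
    return sorted(name for name, on in crl_enabled.items() if not on)


if __name__ == "__main__":
    for name in domains_without_crl_check(SAMPLE_CONFIG):
        print(f"PKI domain {name}: CRL checking disabled")
```

Each domain it reports validates certificates without consulting a CRL, so a revoked certificate would still pass pki validate-certificate there.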

Specifying the storage path for the certificates and CRLs

CAUTION:

If you change the storage path, save the configuration before you reboot or shut down the device to avoid
loss of the certificates or the CRLs.

The device has a default storage path for the obtained local certificates and CRLs. You can change the storage path and specify different paths for the certificates and CRLs.

After you change the storage path for the certificates or CRLs, the certificate files (with the file extension .cer or .p12) and CRL files (with the extension .crl) in the original path are moved to the new path.

To specify the storage path for the certificates and CRLs:

| Task | Command | Remarks |
| --- | --- | --- |
| Specify the storage path for the certificates and CRLs. | pki storage { certificates \| crls } dir-path | By default, the storage path for the certificates and CRLs is the PKI directory on the storage media of the device. |

Exporting certificates

IMPORTANT:

To export all certificates in the PKCS12 format, the PKI domain must have at least one local certificate.
Otherwise, the export operation fails.

To back up or import certificates, you can export the CA certificate and the local certificates in a PKI domain to local files or display them on a terminal.