Configuring pki certificate verification, Configuring pki certificate – H3C Technologies H3C S3600 Series Switches User Manual
Page 1175
1-10
z
If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This is
in order to avoid inconsistency between the certificate and registration information due to related
configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command
to delete the existing CA certificate and local certificate first.
z
The pki retrieval-certificate configuration will not be saved in the configuration file.
Configuring PKI Certificate Verification
A certificate needs to be verified before being used. Verifying a certificate is to check that the certificate
is signed by the CA and that the certificate has neither expired nor been revoked.
Before verifying a certificate, you need to retrieve the CA certificate.
You can specify whether CRL checking is required in certificate verification. If you enable CRL checking,
CRLs will be used in verification of a certificate.
Configuring CRL-checking-enabled PKI certificate verification
Follow these steps to configure CRL-checking-enabled PKI certificate verification:
To do…
Use the command…
Remarks
Enter system view
system-view
—
Enter PKI domain view
pki domain domain-name
—
Specify the URL of the CRL
distribution point
crl url url-string
Optional
No CRL distribution point URL
is specified by default.
Set the CRL update period
crl update-period hours
Optional
0 by default
Enable CRL checking
undo crl check disable
Optional
Enabled by default
Return to system view
quit
—
Retrieve the CA certificate
Required
Retrieve CRLs
pki retrieval-crl domain
domain-name
Required
Verify the validity of a certificate
pki validate-certificate { ca |
local } domain domain-name
Required
Configuring CRL-checking-disabled PKI certificate verification
Follow these steps to configure CRL-checking-disabled PKI certificate verification:
To do…
Use the command…
Remarks
Enter system view
system-view
—