H3C WX6000 Series Access Controllers User Manual (H3C Technologies), page 68-9: Retrieving a Certificate Manually; Configuring PKI Certificate Validation
Retrieving a Certificate Manually
You can download an existing CA certificate or local certificate from the CA server and save it locally, in one of two ways: online or offline. In offline mode, you retrieve the certificate by an out-of-band means such as FTP, disk, or e-mail, and then import it into the local PKI system.
Certificate retrieval serves two purposes:
• Locally store the certificates associated with the local security domain for improved query efficiency and a reduced query count;
• Prepare for certificate validation.
Before retrieving a local certificate, be sure to complete LDAP server configuration.
Follow these steps to retrieve a certificate manually:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Retrieve a certificate manually (online) | pki retrieval-certificate { ca | local } domain domain-name | Required. Use either command
Retrieve a certificate manually (offline) | pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ] | Required. Use either command
• If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This avoids inconsistency between the certificate and the enrollment information due to related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificate first.
• The pki retrieval-certificate configuration is not saved in the configuration file.
Configuring PKI Certificate Validation
A certificate must be validated before it is used. Validating a certificate means checking that it is signed by the CA and that it has neither expired nor been revoked.
Before validating a certificate, you need to retrieve the CA certificate.
You can specify whether CRL checking is required in certificate validation. If you enable CRL checking, CRLs are used when validating a certificate.
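The three checks just described, as an added example that is not part of the manual or of H3C's code: a Python script using the cryptography library that builds a throw-away CA, issues two local certificates, publishes a CRL revoking one of them, and then validates each certificate the way the text says, including the case where CRL checking is left off. The CA name, host names, serial numbers and key material are all constructed in memory, so the script runs offline and touches no real PKI.

```python
"""Added example (not H3C code): the manual's three validation checks, signed by the
CA, not expired, not revoked, implemented with the `cryptography` library against
certificates and a CRL that are constructed in memory below."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def _now():
    return datetime.datetime.now(UTC)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_ca(common_name="Constructed Root CA"):
    """Self-signed CA; returns (private key, certificate)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = _now()
    cert = (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(_name(common_name))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_cert(ca_key, ca_cert, common_name, days=365):
    """End-entity ("local") certificate signed by the CA; its private key is not needed here."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = _now()
    return (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=days))
            .sign(ca_key, hashes.SHA256()))


def make_crl(ca_key, ca_cert, revoked_serials):
    """CRL issued by the CA that lists the given serial numbers as revoked."""
    now = _now()
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(now - datetime.timedelta(minutes=1))
               .next_update(now + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build())
    return builder.sign(ca_key, hashes.SHA256())


def validity_window(cert):
    """(not_before, not_after) as aware UTC datetimes, across cryptography versions."""
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:  # cryptography < 42 exposes naive UTC datetimes only
        return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)


def validate(cert, ca_cert, crl=None, now=None):
    """Return (ok, reason). The CRL is consulted only when one is supplied, which is
    the equivalent of the manual's CRL checking being enabled."""
    now = now or _now()
    # 1. Signed by the CA: issuer name must match AND the signature must verify under
    #    the CA's public key (RSA PKCS#1 v1.5, the scheme .sign() used above).
    if cert.issuer != ca_cert.subject:
        return False, "issuer does not match CA subject"
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature not made by CA"
    # 2. Neither expired nor not-yet-valid.
    not_before, not_after = validity_window(cert)
    if not (not_before <= now <= not_after):
        return False, "outside validity period"
    # 3. Not revoked: the CRL itself must carry the CA's signature before it is trusted.
    if crl is not None:
        if not crl.is_signature_valid(ca_cert.public_key()):
            return False, "CRL signature invalid"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return False, "certificate revoked"
    return True, "valid"


def demo():
    """Run the checks over constructed certificates; returns the reason string per case."""
    ca_key, ca_cert = make_ca()
    _, impostor_ca = make_ca()  # same name, different key: a name match alone proves nothing
    good = issue_cert(ca_key, ca_cert, "wx6000.example.test")
    revoked = issue_cert(ca_key, ca_cert, "retired-wx6000.example.test")
    crl = make_crl(ca_key, ca_cert, [revoked.serial_number])
    far_future = _now() + datetime.timedelta(days=400)
    return {
        "good": validate(good, ca_cert, crl)[1],
        "revoked_crl_checking_off": validate(revoked, ca_cert)[1],  # passes: no CRL consulted
        "revoked_crl_checking_on": validate(revoked, ca_cert, crl)[1],
        "expired": validate(good, ca_cert, crl, now=far_future)[1],
        "wrong_ca": validate(good, impostor_ca, crl)[1],
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:26} {reason}")
```

The revoked certificate is reported as valid whenever no CRL is supplied, which is exactly what disabling CRL checking on the controller means: the signature and validity-period checks still pass for a certificate the CA has withdrawn. That is why the CRL distribution point configured in the next section matters when revocation is part of the threat model.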
Configuring CRL-checking-enabled PKI certificate validation
Follow these steps to configure CRL-checking-enabled PKI certificate validation:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter PKI domain view | pki domain domain-name | —
Specify the URL of the CRL distribution point | crl url url-string | Optional. No CRL distribution point URL is specified by default.