beautypg.com

Verifying pki certificates, Verifying pki certificates with crl checking – H3C Technologies H3C SecPath F1000-E User Manual

Page 322

background image

310

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Retrieve a certificate

manually.

In online mode:

pki retrieval-certificate { ca | local }
domain domain-name

In offline mode:

pki import-certificate { ca | local } domain
domain-name { der | p12 | pem }

[ filename filename ]

Use either command.
The pki retrieval-certificate

configuration will not be saved
in the configuration file.

NOTE:

In FIPS mode, make sure the algorithm in the certificate is supported by FIPS mode. Otherwise, the

certificate cannot be imported to the firewall.

Verifying PKI certificates

A certificate needs to be verified before being used. Verifying a certificate will check that the certificate

is signed by the CA and that the certificate has neither expired nor been revoked.
You can specify whether CRL checking is required in certificate verification. If you enable CRL checking,

CRLs will be used in verification of a certificate. In this case, be sure to retrieve the CA certificate and
CRLs to the local device before the certificate verification. If you disable CRL checking, you only need to

retrieve the CA certificate.

Verifying PKI certificates with CRL checking

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter PKI domain view.

pki domain domain-name

N/A

3.

Specify the URL of the CRL
distribution point.

crl url url-string

Optional.
No CRL distribution point URL is
specified by default.

4.

Set the CRL update period.

crl update-period hours

Optional.
By default, the CRL update period
depends on the next update field in

the CRL file.

5.

Enable CRL checking.

crl check enable

Optional.
Enabled by default.

6.

Return to system view.

quit

N/A

7.

Retrieve the CA certificate.

See "

Retrieving a certificate

manually

"

N/A

8.

Retrieve CRLs.

pki retrieval-crl domain
domain-name

N/A

9.

Verify the validity of a

certificate.

pki validate-certificate { ca | local }
domain domain-name

N/A

This manual is related to the following products:
See also other documents in the category H3C Technologies Safety: