beautypg.com

Verifying pki certificates, Verifying pki certificate with crl checking – H3C Technologies H3C SecBlade LB Cards User Manual

Page 147

background image

136

Step Command

Remarks

2.

Retrieve a
certificate

manually

In online mode:

pki retrieval-certificate { ca | local } domain
domain-name

In offline mode:

pki import-certificate { ca | local } domain
domain-name { der | p12 | pem } [ filename filename ]

Use either command.
The pki

retrieval-certificate
configuration is not

saved in the

configuration file.

Verifying PKI certificates

A certificate needs to be verified before being used. Verifying a certificate will check that the certificate

is signed by the CA and that the certificate has neither expired nor been revoked.
You can specify whether CRL checking is required in certificate verification. If you enable CRL checking,
CRLs will be used in verification of a certificate. In this case, be sure to retrieve the CA certificate and

CRLs to the local device before the certificate verification. If you disable CRL checking, you only need to

retrieve the CA certificate.
The CRL update period defines the interval at which the entity downloads CRLs from the CRL server. The
CRL update period setting manually configured on the device is prior to that carried in the CRLs.

Verifying PKI certificate with CRL checking

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter PKI domain view.

pki domain domain-name

N/A

3.

Specify the URL of the CRL
distribution point.

crl url url-string

Optional.
No CRL distribution point URL is

specified by default.

4.

Set the CRL update period.

crl update-period hours

Optional.
By default, the CRL update period

depends on the next update field in
the CRL file.

5.

Enable CRL checking.

crl check enable

Optional.
Enabled by default.

6.

Return to system view.

quit

N/A

7.

Retrieve the CA certificate.

See "

Retrieving a certificate

manually

"

N/A

8.

Retrieve the CRLs.

pki retrieval-crl domain
domain-name

N/A
This command is not saved in the
configuration file.

9.

Verify the validity of a
certificate.

pki validate-certificate { ca | local }
domain domain-name

N/A

This manual is related to the following products:
See also other documents in the category H3C Technologies Safety: