Verifying pki certificates without crl checking, Destroying the local rsa key pair, Deleting a certificate – H3C Technologies H3C SecBlade LB Cards User Manual
Verifying PKI certificates without CRL checking
Step                                         Command                                                       Remarks
1. Enter system view.                        system-view                                                   N/A
2. Enter PKI domain view.                    pki domain domain-name                                        N/A
3. Disable CRL checking.                     crl check disable                                             Enabled by default.
4. Return to system view.                    quit                                                          N/A
5. Retrieve the CA certificate.              See "Retrieving a certificate manually."                      N/A
6. Verify the validity of the certificate.   pki validate-certificate { ca | local } domain domain-name    N/A
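CRL checking is enabled by default and step 3 turns it off per PKI domain, so a saved configuration can be audited for domains where certificates are verified without consulting the CRL. The following is an added example, not part of the H3C manual: the function names, the sample configuration and its assumed layout (unindented section line, indented settings, "#" between sections) are constructed for illustration.

```python
import re

# Constructed sample of a saved configuration (not taken from a real device).
# Assumed layout: each section starts with an unindented line, its settings
# are indented beneath it, and "#" separates sections.
SAMPLE_CONFIG = """\
#
pki domain branch-vpn
 ca identifier example-ca
 crl check disable
#
pki domain hq-vpn
 ca identifier example-ca
 crl url http://crl.example.test/ca.crl
#
interface GigabitEthernet0/1
 description crl check disable
#
"""

DOMAIN_RE = re.compile(r"^pki domain (\S+)\s*$")

def audit_crl_checking(config_text):
    """Return {domain_name: crl_checking_enabled} for every PKI domain."""
    result = {}
    current = None  # name of the PKI domain section being read, if any
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            current = None
            continue
        if not line[0].isspace():
            # Unindented line: a new section starts here.
            match = DOMAIN_RE.match(line)
            current = match.group(1) if match else None
            if current is not None:
                result[current] = True  # CRL checking is enabled by default
            continue
        # Indented setting: only counts inside a "pki domain" section.
        if current is not None and line.strip() == "crl check disable":
            result[current] = False
    return result

def domains_without_crl_checking(config_text):
    """Sorted names of PKI domains that carry "crl check disable"."""
    audit = audit_crl_checking(config_text)
    return sorted(name for name, enabled in audit.items() if not enabled)

if __name__ == "__main__":
    for name in domains_without_crl_checking(SAMPLE_CONFIG):
        print(f"PKI domain {name}: CRL checking disabled")
```

The interface description in the sample contains the same text as the command and is ignored because it sits outside a PKI domain section.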
Destroying the local RSA key pair
A certificate has a lifetime, which is determined by the CA. If the private key is leaked or the certificate
is about to expire, you can destroy the old RSA key pair and then create a new pair to request a new
certificate.
To destroy the local RSA key pair:
Step                                 Command
1. Enter system view.                system-view
2. Destroy a local RSA key pair.     public-key local destroy rsa
Deleting a certificate
When a certificate requested manually is about to expire or you want to request a new certificate, you
can delete the current local certificate or CA certificate.
To delete a certificate:
Step                       Command
1. Enter system view.      system-view
2. Delete certificates.    pki delete-certificate { ca | local } domain domain-name
Configuring an access control policy
By configuring a certificate attribute-based access control policy, you can further control access to the
server, providing additional security for the server.
To configure a certificate attribute-based access control policy:
Step                     Command        Remarks
1. Enter system view.    system-view    N/A