195
CAUTION:
ï‚· If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction
helps avoid inconsistency between the certificate and registration information resulted from configuration
changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA
certificate and the local certificate first.
ï‚· The pki retrieval-certificate configuration will not be saved in the configuration file.
ï‚· Be sure that the device system time falls in the validity period of the certificate so that the certificate is valid.
Configuring PKI certificate verification
A certificate needs to be verified before being used. Verifying a certificate is to check whether the
certificate is signed by the CA and whether the certificate has expired or been revoked.
Before verifying a certificate, you must retrieve the CA certificate.
You can specify whether CRL checking is required in certificate verification. If you enable CRL checking,
CRLs will be used in verification of a certificate.
Configuring CRL-checking-enabled PKI certificate verification
Follow these steps to configure CRL-checking-enabled PKI certificate verification:
Specify the URL of the CRL
distribution point
Optional
No CRL distribution point URL is
specified by default.
Set the CRL update period
Optional
By default, the CRL update period
depends on the next update field
in the CRL file.
Optional
Enabled by default
Retrieve the CA certificate
See ―Retrieving a certificate
manually―
pki retrieval-crl domain domain-
name
Verify the validity of a certificate
pki validate-certificate { ca | local
} domain domain-name
Configuring CRL-checking-disabled PKI certificate verification
Follow these steps to configure CRL-checking-disabled PKI certificate verification:
To Next Page
Loading...
Need help?
General