226
Verifying certificates with CRL checking
CRL checking checks whether a certificate is in the CRL. If it is, the certificate has been revoked and its
home entity is not trusted.
To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL repository
in the following order:
1. CRL repository specified in the PKI domain by using this command.
2. CRL repository in the certificate that is being verified.
3. CRL repository in the CA certificate or CRL repository in the upper-level CA certificate if the CA
certificate is the certificate being verified.
If no CRL repository is found after the selection process, the device obtains the CRL through SCEP. In this
scenario, the CA certificate and the local certificates must have been obtained.
To verify certificates with CRL checking:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter PKI domain view.
pki domain domain-name N/A
3. (Optional.) Specify the URL
of the CRL repository.
crl url url-string
By default, the URL of the CRL
repository is not specified.
4. Enable CRL checking.
crl check enable By default, CRL checking is enabled.
5. Return to system view.
quit N/A
6. Obtain the CA certificate.
See "Obtaining certificates." N/A
7. (Optional.) Obtain the CRL
and save it locally.
pki retrieve-crl domain
domain-name
The newly obtained CRL overwrites
the old one, if any.
The obtained CRL must be issued by
a CA certificate in the CA certificate
chain in the current domain.
8. Verify the validity of the
certificates.
pki validate-certificate domain
domain-name { ca | local }
N/A
Verifying certificates without CRL checking
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter PKI domain view.
pki domain domain-name N/A
3. Disable CRL checking.
undo crl check enable
By default, CRL checking is
enabled.
4. Return to system view.
quit N/A
To Next Page
Loading...
Need help?
General