Configuring PKI Certificate Validation 1227
mode, you need to retrieve the certificate by an out-of-band means such as FTP, disk, or
e-mail, and then import it into the local PKI system.
Certificate retrieval serves two purposes:
■ Locally store the certificates associated with the local security domain for
improved query efficiency and reduced query count;
■ Prepare for certificate validation.
Before retrieving a local certificate, be sure to complete LDAP server configuration.
Follow these steps to retrieve a certificate manually:

To do…                            Use the command…                                                                         Remarks
Enter system view                 system-view                                                                              -
Retrieve a certificate manually
  Online                          pki retrieval-certificate { ca | local } domain domain-name                              Required (use either command)
  Offline                         pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]

CAUTION:
■ If a PKI domain already has a CA certificate, you cannot retrieve another CA
certificate for it. This restriction avoids inconsistency between the certificate
and the enrollment information when related configuration changes. To retrieve a
new CA certificate, first use the pki delete-certificate command to delete the
existing CA certificate and local certificate.
■ The pki retrieval-certificate command is not saved in the configuration file.

Configuring PKI Certificate Validation
A certificate needs to be validated before it is used. Validating a certificate means
checking that it is signed by the CA, that it has not expired, and that it has not
been revoked.
Before validating a certificate, you need to retrieve the CA certificate.
You can specify whether CRL checking is required in certificate validation. If CRL
checking is enabled, the CRL is consulted during validation and a certificate listed
in it fails validation. If CRL checking is disabled, revocation is not checked, so a
revoked certificate still passes validation.
Configuring CRL-checking-enabled PKI certificate validation
Follow these steps to configure CRL-checking-enabled PKI certificate validation:

To do…                            Use the command…                                                                         Remarks
Enter system view                 system-view                                                                              -
Enter PKI domain view             pki domain domain-name                                                                   -
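The three checks that make up certificate validation (signed by the CA, not expired, not revoked) and the effect of enabling or disabling CRL checking can be reproduced on a workstation with OpenSSL. The script below is an added example and is not part of this manual or the device's pki commands: it builds a throw-away CA, a local certificate signed by it, a second unrelated CA and a CRL, then runs each check, revokes the local certificate and shows that only a CRL-checking-enabled validation notices. The names demo-ca, router1, other-ca and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the manual): reproduce PKI certificate validation with
# OpenSSL. All names and the working directory are constructed for the demo.
set -eu

PKI=$(mktemp -d)

# Minimal config: CA extensions for `req -x509` and the database that `openssl ca`
# needs to sign CRLs. Absolute paths so no function has to change directory.
cat > "$PKI/demo.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo
[ demo ]
database = $PKI/index.txt
crlnumber = $PKI/crlnumber
certificate = $PKI/ca.pem
private_key = $PKI/ca.key
default_md = sha256
default_crl_days = 30
EOF

# Build the CA, an unrelated second CA, the local certificate and an empty CRL.
pki_setup() {
    openssl req -x509 -config "$PKI/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$PKI/ca.key" -out "$PKI/ca.pem" -subj "/CN=demo-ca" -days 365 2>/dev/null
    openssl req -x509 -config "$PKI/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$PKI/other.key" -out "$PKI/other-ca.pem" -subj "/CN=other-ca" -days 365 2>/dev/null
    openssl req -config "$PKI/demo.cnf" -newkey rsa:2048 -nodes \
        -keyout "$PKI/local.key" -out "$PKI/local.csr" -subj "/CN=router1" 2>/dev/null
    openssl x509 -req -in "$PKI/local.csr" -CA "$PKI/ca.pem" -CAkey "$PKI/ca.key" \
        -CAcreateserial -days 30 -out "$PKI/local.pem" 2>/dev/null
    : > "$PKI/index.txt"
    echo 01 > "$PKI/crlnumber"
    openssl ca -config "$PKI/demo.cnf" -gencrl -out "$PKI/crl.pem" 2>/dev/null
}

# Signature chains to CAFILE and the certificate is inside its validity period.
verify_cert() {        # verify_cert CERT CAFILE
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Same check evaluated at EPOCH seconds, to exercise the expiry test.
verify_cert_at() {     # verify_cert_at CERT CAFILE EPOCH
    openssl verify -attime "$3" -CAfile "$2" "$1" >/dev/null 2>&1
}

# CRL checking enabled: a certificate listed in CRLFILE is rejected as revoked.
verify_cert_crl() {    # verify_cert_crl CERT CAFILE CRLFILE
    openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" >/dev/null 2>&1
}

# What the CA does when the local certificate is compromised: revoke and re-issue the CRL.
revoke_local() {
    openssl ca -config "$PKI/demo.cnf" -revoke "$PKI/local.pem" >/dev/null 2>&1
    openssl ca -config "$PKI/demo.cnf" -gencrl -out "$PKI/crl.pem" 2>/dev/null
}

pki_setup
CA=$PKI/ca.pem; LOCAL=$PKI/local.pem; CRL=$PKI/crl.pem

verify_cert "$LOCAL" "$CA"            && echo "signed by CA, within validity:  OK"
verify_cert "$LOCAL" "$PKI/other-ca.pem" || echo "checked against the wrong CA:   rejected"
verify_cert_at "$LOCAL" "$CA" $(( $(date +%s) + 40 * 86400 )) \
                                      || echo "evaluated 40 days from now:     rejected (expired)"
verify_cert_crl "$LOCAL" "$CA" "$CRL" && echo "CRL check, not yet revoked:     OK"
revoke_local
verify_cert_crl "$LOCAL" "$CA" "$CRL" || echo "CRL check after revocation:     rejected (revoked)"
# The caveat from the text: with CRL checking disabled, revocation is never seen.
verify_cert "$LOCAL" "$CA"            && echo "no CRL check after revocation:  still OK (!)"
```

The last two lines are the point of enabling CRL checking on the device: the revoked certificate is identical bytes before and after revocation, so only a validation that consults the CRL can reject it.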