1228 CHAPTER 97: PKI CONFIGURATION
To do…                                         Use the command…                                            Remarks
Specify the URL of the CRL distribution point  crl url url-string                                          Optional. No CRL distribution point URL is specified by default.
Set the CRL update period                      crl update-period hours                                     Optional. By default, the CRL update period depends on the next update field in the CRL file.
Enable CRL checking                            crl check enable                                            Optional. Enabled by default.
Return to system view                          quit                                                        -
Retrieve the CA certificate                    Refer to “Retrieving a Certificate Manually” on page 1226   Required
Retrieve CRLs                                  pki retrieval-crl domain domain-name                        Required
Verify the validity of a certificate           pki validate-certificate { ca | local } domain domain-name  Required

Configuring CRL-checking-disabled PKI certificate validation

Follow these steps to configure CRL-checking-disabled PKI certificate validation:

To do…                                         Use the command…                                            Remarks
Enter system view                              system-view                                                 -
Enter PKI domain view                          pki domain domain-name                                      -
Disable CRL checking                           crl check disable                                           Required. Enabled by default.
Return to system view                          quit                                                        -
Retrieve the CA certificate                    Refer to “Retrieving a Certificate Manually” on page 1226   Required
Verify the validity of the certificate         pki validate-certificate { ca | local } domain domain-name  Required

Note:
■ The CRL update period refers to the interval at which the entity downloads CRLs from the CRL server. A manually configured CRL update period takes precedence over the one specified in the CRLs.
■ The pki retrieval-crl domain configuration is not saved in the configuration file.

Destroying a Local RSA Key Pair

A certificate has a lifetime, which is determined by the CA. If the private key is leaked or the certificate is about to expire, you can destroy the old RSA key pair and then create a new pair to request a new certificate.

Follow these steps to destroy a local RSA key pair:

To do…                                         Use the command…                                            Remarks
Enter system view                              system-view                                                 -