228
Retrieving a certificate manually
You can download CA certificates and local certificates and save them locally. To do so, use either the
online mode or the offline mode. In offline mode, you must retrieve a certificate by an out-of-band means
like FTP, disk, or email, and then import it into the local PKI system.
Certificate retrieval serves two purposes:
• Locally store the certificates associated with the local security domain for improved query efficiency
and reduced query count,
• Prepare for certificate verification.
Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
Follow these steps to retrieve a certificate manually:
To do… Use the command… Remarks
Enter system view
system-view
—
Retrieve a
certificate
manually
Online
pki retrieval-certificate { ca | local } domain
domain-name
Required
Use either command.
Offline
pki import-certificate { ca | local } domain
domain-name { der | p12 | pem } [ filename
filename ]
CAUTION:
• If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This
restriction helps avoid inconsistency between the certificate and registration information resulted from
configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to
delete the existing CA certificate and the local certificate first.
• The pki retrieval-certificate configuration will not be saved in the configuration file.
• Be sure that the device system time falls in the validity period of the certificate so that the certificate is
valid.
Configuring PKI certificate verification
A certificate needs to be verified before being used. Verifying a certificate will check that the certificate
is signed by the CA and that the certificate has neither expired nor been revoked.
Before verifying a certificate, you need to retrieve the CA certificate.
You can specify whether CRL checking is required in certificate verification. If you enable CRL checking,
CRLs will be used in verification of a certificate.
Configuring CRL-checking-enabled PKI certificate verification
Follow these steps to configure CRL-checking-enabled PKI certificate verification:
To do… Use the command… Remarks
Enter system view system-view —
Enter PKI domain view pki domain domain-name —
To Next Page
Loading...
