When CRL checking is enabled: 
•  To verify the local certificates, if the PKI domain has no CRLs, the device looks up the locally saved CRLs. If a proper CRL is found, the device loads the CRL to the PKI domain. Otherwise, the device obtains the proper CRL from the CA server and saves it locally.
•  To verify the CA certificate, CRL checking is performed for the CA certificate chain from the current CA to the root CA.
Examples 
# Verify the validity of the CA certificate in the PKI domain aaa. 
<Sysname> system-view 
[Sysname] pki validate-certificate domain aaa ca 
Verifying certificate...... 
        Serial Number: 
            f6:3c:15:31:fe:bb:ec:94:dc:3d:b9:3a:d9:07:70:e5 
        Issuer: 
            C=cn 
            O=ccc 
            OU=ppp 
            CN=rootca 
        Subject: 
            C=cn 
            O=abc 
            OU=test 
            CN=aca 
 
Verify result: OK 
Verifying certificate...... 
        Serial Number: 
            5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6 
        Issuer: 
            C=cn 
            O=ccc 
            OU=ppp 
            CN=rootca 
        Subject: 
            C=cn 
            O=ccc 
            OU=ppp 
            CN=rootca 
 
Verify result: OK 
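The following Python example is added here and is not part of the original manual. It parses the output layout shown above and checks that every certificate reported `Verify result: OK` and that the chain runs from the current CA to a self-issued root. The function names, the `render` helper, and the assumption that blocks are printed in chain order are this example's own.

```python
# Added example: check the report printed by `pki validate-certificate ... ca`.
FIELDS = {"Serial Number:": "serial", "Issuer:": "issuer", "Subject:": "subject"}

def render(serial, issuer, subject, result="OK"):
    """Rebuild one block in the layout the manual shows (sample input only)."""
    rdn = lambda dn: "".join(f"            {p}\n" for p in dn.split(","))
    return ("Verifying certificate......\n        Serial Number:\n"
            f"            {serial}\n        Issuer:\n{rdn(issuer)}"
            f"        Subject:\n{rdn(subject)}\nVerify result: {result}\n")

# Sample rebuilt from the manual's first example (CA "aca" issued by "rootca").
ROOT = "C=cn,O=ccc,OU=ppp,CN=rootca"
SAMPLE = (
    render("f6:3c:15:31:fe:bb:ec:94:dc:3d:b9:3a:d9:07:70:e5", ROOT,
           "C=cn,O=abc,OU=test,CN=aca")
    + render("5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6", ROOT, ROOT)
)

def parse_validation(text):
    """Return one record per 'Verifying certificate' block, in output order."""
    certs, field = [], None
    for s in filter(None, map(str.strip, text.splitlines())):
        if s.startswith("Verifying certificate"):
            certs.append({"serial": [], "issuer": [], "subject": [], "result": None})
            field = None
        elif certs and s.startswith("Verify result:"):
            certs[-1]["result"] = s.split(":", 1)[1].strip()
        elif s in FIELDS:
            field = FIELDS[s]
        elif certs and field:
            certs[-1][field].append(s)
    for c in certs:
        c["serial"] = "".join(c["serial"])
    return certs

def chain_ok(certs):
    """True only if every block says OK, each issuer is the next block's
    subject, and the last block is self-issued. A block cut off before its
    'Verify result' line counts as a failure. This audits the device's report;
    it does not verify signatures or CRLs itself."""
    links = all(a["issuer"] == b["subject"] for a, b in zip(certs, certs[1:]))
    return (bool(certs) and links
            and all(c["result"] == "OK" for c in certs)
            and certs[-1]["issuer"] == certs[-1]["subject"])

if __name__ == "__main__":
    print(chain_ok(parse_validation(SAMPLE)))
```

Any result string other than `OK` is treated as a failure, because `OK` is the only result value this page shows.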
# Verify the local certificates in the PKI domain aaa. 
<Sysname> system-view 
[Sysname] pki validate-certificate domain aaa local 
Verifying certificate...... 
        Serial Number: 
            bc:05:70:1f:0e:da:0d:10:16:1e 
        Issuer: