Verifying PKI certificates 
A certificate is automatically verified when it is requested, obtained, or used by an application. If the certificate has expired, was not issued by a trusted CA, or has been revoked, the certificate cannot be used. You can also manually verify a certificate. If it has been revoked, the certificate cannot be requested or obtained.

When verifying the CA certificate of a PKI domain, the system must verify all the certificates in the CA certificate chain. For the verification to succeed, the device must have all the PKI domains to which the CA certificates in the certificate chain belong.
The system verifies the CA certificates in the CA certificate chain as follows:
1. Identifies the parent certificate of the lowest-level certificate. Each CA certificate contains an issuer field that identifies the parent CA that issued the certificate.
2. Locates the PKI domain to which the parent certificate belongs.
3. Performs CRL checking in that PKI domain to check whether the parent certificate has been revoked. If it has been revoked, the certificate cannot be used. This step is skipped when CRL checking is disabled in the PKI domain.
4. Repeats the previous steps for the upper-level certificates in the CA certificate chain until the root CA certificate is reached.
5. Verifies that each CA certificate in the certificate chain is issued by the named parent CA, starting from the root CA.
Verifying certificates with CRL checking
CRL checking checks whether a certificate is listed in the CRL. If it is, the certificate has been revoked and its home entity is not trusted.
To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL repository in the following order:
1. The CRL repository specified in the PKI domain by using the crl url command.
2. The CRL repository in the certificate that is being verified.
3. The CRL repository in the CA certificate, or, if the CA certificate is itself the certificate being verified, the CRL repository in the upper-level CA certificate.
If no CRL repository is found after this selection process, the device obtains the CRL through SCEP. In this case, the CA certificate and the local certificates must already have been obtained.
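The chain walk in steps 1 to 5 and the CRL repository selection order, as an added example that is not code from this guide or from the device: a small Python model in which certificates and PKI domains are plain objects, a domain's CRL is the set of serial numbers it lists, and the issuance check of step 5 is reduced to an issuer/subject name match instead of a signature verification. All names and URLs are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    crl_url: str = ""  # CRL repository named in the certificate ("" = none)

@dataclass
class Domain:
    name: str
    ca_cert: Cert
    crl_url: str = ""        # set with "crl url url-string" ("" = not specified)
    crl_check: bool = True   # "crl check enable" (enabled by default)
    revoked: set = field(default_factory=set)  # serials in the CRL obtained for this domain

def select_crl_repository(domain, cert, ca_cert, upper_ca_cert=None):
    """Choose the CRL source in the order the guide lists."""
    if domain.crl_url:                 # 1. crl url command in the PKI domain
        return domain.crl_url
    if cert.crl_url:                   # 2. repository in the certificate being verified
        return cert.crl_url
    if cert is ca_cert:                # 3. the CA cert itself is being verified:
        if upper_ca_cert and upper_ca_cert.crl_url:   #    use the upper-level CA's repository
            return upper_ca_cert.crl_url
    elif ca_cert.crl_url:              # 3. otherwise, repository in the CA certificate
        return ca_cert.crl_url
    return "scep"                      # none found: the CRL is obtained through SCEP

def verify_ca_chain(lowest, domains):
    """Walk from the lowest-level CA certificate up to the root (steps 1-5)."""
    by_subject = {d.ca_cert.subject: d for d in domains}
    chain, cert = [lowest], lowest
    while cert.issuer != cert.subject:                  # stop at the self-signed root
        parent_domain = by_subject.get(cert.issuer)     # steps 1-2: parent and its domain
        if parent_domain is None:
            return False, f"no PKI domain holds issuer {cert.issuer!r}"
        parent = parent_domain.ca_cert
        if parent in chain:
            return False, "issuer loop in chain"
        if parent_domain.crl_check and parent.serial in parent_domain.revoked:
            return False, f"{parent.subject!r} is revoked"   # step 3 (skipped when disabled)
        chain.append(parent)           # step 4: move one level up
        cert = parent
    for child, parent in reversed(list(zip(chain, chain[1:]))):   # step 5, root first
        if child.issuer != parent.subject:   # a real device verifies the signature here
            return False, f"{child.subject!r} not issued by {parent.subject!r}"
    return True, "chain verified"
```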
To verify certificates with CRL checking:

Step 1: Enter system view.
    Command: system-view
    Remarks: N/A
Step 2: Enter PKI domain view.
    Command: pki domain domain-name
    Remarks: N/A
Step 3: (Optional.) Specify the URL of the CRL repository.
    Command: crl url url-string [ vpn-instance vpn-instance-name ]
    Remarks: By default, the URL of the CRL repository is not specified.
Step 4: Enable CRL checking.
    Command: crl check enable
    Remarks: By default, CRL checking is enabled.
Step 5: Return to system view.
    Command: quit
    Remarks: N/A
Step 6: Obtain the CA certificate.
    Command: See "Obtaining certificates."
    Remarks: N/A
Step 7: (Optional.) Obtain the CRL.
    Command: pki retrieve-crl domain
    Remarks: The newly obtained CRL overwrites