235
• If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to
obtain a new one, use the pki delete-certificate command to remove the existing CA certificate
and local certificates first.
• If local or peer certificates already exist, you can obtain new local or peer certificates to
overwrite the existing ones. If RSA is used, a PKI domain can have two local certificates, one for
signature and the other for encryption.
• If CRL checking is enabled, obtaining a certificate triggers CRL checking. If the certificate to be
obtained has been revoked, the certificate cannot be obtained.
• The device compares the validity period of a certificate with the local system time to determine
whether the certificate is valid. Make sure the system time of the device is synchronized with the
CA server.
Configuration procedure
To obtain certificates:
1. Enter system view.
N/A
2. Obtain certificates.
• Import certificates in offline mode:
pki import domain domain-name { der
{ ca | local | peer } filename filename |
p12 local filename filename | pem { ca |
local | peer } [ filename filename ] }
• Obtain certificates in online mode:
pki retrieve-certificate domain
domain-name { ca | local | peer
entity-name }
The
pki
retrieve-certificate
command is not saved
file.
Verifying PKI certificates
A certificate is automatically verified when it is requested, obtained, or used by an application. If the
certificate expires, if it is not issued by a trusted CA, or if it is revoked, the certificate cannot be used.
You can also manually verify a certificate. If it has been revoked, the certificate cannot be requested
or obtained.
Verifying certificates with CRL checking
CRL checking checks whether a certificate is in the CRL. If it is, the certificate has been revoked and
its home entity is not trusted.
To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL
repository in the following order:
1. CRL repository specified in the PKI domain by using this command.
2. CRL repository in the certificate that is being verified.
3. CRL repository in the CA certificate or CRL repository in the upper-level CA certificate if the CA
certificate is the certificate being verified.
If no CRL repository is found after the selection process, the device obtains the CRL through SCEP.
In this scenario, the CA certificate and the local certificates must have been obtained.
To verify certificates with CRL checking:
To Next Page
Loading...
Need help?
General