250
Verifying certificates with CRL checking
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter PKI domain view.
pki domain
domain-name N/A
3. Specify the URL of the CRL
distribution point.
crl url
url-string
Optional.
No CRL distribution point URL is
specified by default.
4. Set the CRL update period.
crl update-period
hours
Optional.
By default, the CRL update period
depends on the next update field
in the CRL file.
5. Enable CRL checking.
crl check
enable
Optional.
Enabled by default.
6. Return to system view.
quit
N/A
7. Retrieve the CA certificate.
See "
Retrieving a certificate
manually
"
N/A
8. Retrieve the CRLs.
pki retrieval-crl domain
domain-name
N/A
This command is not saved in the
configuration file.
9. Verify the validity of a
certificate.
pki validate-certificate
{
ca
|
local
}
domain
domain-name
N/A
Verifying certificates without CRL checking
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter PKI domain view.
pki domain
domain-name N/A
3. Disable CRL checking.
crl check
disable
Enabled by default.
4. Return to system view.
quit
N/A
5. Retrieve the CA certificate.
See "
Retrieving a certificate
manually
"
N/A
6. Verify the validity of the
certificate.
pki validate-certificate
{
ca
|
local
}
domain
domain-name
N/A
Destroying the local RSA key pair
A certificate has a lifetime, which is determined by the CA. When the private key leaks or the
certificate is about to expire, you can destroy the old RSA key pair and then create a pair to request
a new certificate.
To destroy the local RSA key pair:
To Next Page
Loading...
Need help?
General
