Applicable Environment
Before a certificate is used, it must be authenticated. In a certificate, the issuing date, issuer
information, and certificate validity need to be authenticated. A valid certificate must be within
the validity period and has not been revoked.
A PKI entity uses any of the following methods to check the peer certificate status:
l Certificate revocation list (CRL)
l Online Certificate Status Protocol (OCSP)
l None: The PKI entity does not check the peer certificate status.
Pre-configuration Tasks
Before configuring certificate authentication, complete the following task:
Obtaining and enrolling a certificate
Data Preparation
To configure certificate authentication, you need the following data.
No. Data
1 PKI domain name
2 (Optional) CDP URL and interval at which a PKI entity
downloads a CRL from the CRL storage server
3 (Optional) OCSP server URL
12.6.2 Configuring the Certificate Check Mode
There are three certificate check modes: CRL, OCSP, or none.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
pki realm realm-name
A PKI domain is configured.
By default, no PKI domain is configured on the AR1200-S.
Step 3 Run:
certificate-check { crl | none | ocsp }
The certificate check mode is configured.
By default, the AR1200-S checks certificates using CRLs.
Huawei AR1200-S Series Enterprise Routers
Configuration Guide - Security 12 PKI Configuration
Issue 02 (2012-03-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
248
To Next Page
Loading...
