251
Configuration guidelines
•
To import a local certificate containing an encrypted key pair, you must provide the challenge
password. Contact the CA administrator to obtain the password.
•
If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to
obtain a new one, use the
pki delete-certificate
command to remove the existing CA certificate
and local certificates first.
•
If local or peer certificates already exist, you can obtain new local or peer certificates to
overwrite the existing ones. If RSA is used, a PKI domain can have two local certificates, one for
signature and the other for encryption.
•
If CRL checking is enabled, obtaining a certificate triggers CRL checking. If the certificate to be
obtained has been revoked, the certificate cannot be obtained.
•
The device compares the validity period of a certificate with the local system time to determine
whether the certificate is valid. Make sure the system time of the device is synchronized with the
CA server.
Configuration procedure
To obtain certificates:
Step Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Obtain certificates.
•
Import certificates in offline mode:
pki import domain
domain-name
{
der
{
ca
|
local
|
peer
}
filename
filename
|
p12 local filename
filename
|
pem
{
ca
|
local
|
peer
} [
filename
filename
] }
•
Obtain certificates in online mode:
pki retrieve-certificate
domain
domain-name
{
ca
|
local
|
peer
entity-name
}
The
pki
retrieve-certificate
command is not saved
in the configuration
file.
Verifying PKI certificates
A certificate is automatically verified when it is requested, obtained, or used by an application. If the
certificate expires, if it is not issued by a trusted CA, or if it is revoked, the certificate cannot be used.
You can also manually verify a certificate. If it has been revoked, the certificate cannot be requested
or obtained.
Verifying certificates with CRL checking
CRL checking checks whether a certificate is in the CRL. If it is, the certificate has been revoked and
its home entity is not trusted.
To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL
repository in the following order:
1.
CRL repository specified in the PKI domain by using this command.
2.
CRL repository in the certificate that is being verified.
3.
CRL repository in the CA certificate or CRL repository in the upper-level CA certificate if the CA
certificate is the certificate being verified.
Summary of Contents for 10500 series
Page 326: ...312 No duration limit for this SA ...