429
<Sysname> system-view
[Sysname] pki storage crls pki-new
pki validate-certificate
Use
pki validate-certificate
to verify the validity of certificates.
Syntax
pki validate-certificate
domain
domain-name
{
ca
|
local
}
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name
: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
The domain name cannot contain the special characters listed in
Table 58 Special characters
Character name
Symbol
Character name
Symbol
Tilde
~
Dot
.
Asterisk
*
Left angle bracket
<
Backslash
\
Right angle bracket
>
Vertical bar
|
Quotation marks
"
Colon
:
Apostrophe
'
ca
: Specifies the CA certificate.
local
: Specifies the local certificates.
Usage guidelines
Generally, certificates are automatically verified when you request, obtain, or import them, or when
an application uses PKI.
You can also use this command to manually verify a certificate in the following aspects:
•
Whether the certificate is issued by a trusted CA.
•
Whether the certificate has expired.
•
Whether the certificate is revoked. This check is performed only if CRL checking is enabled.
When CRL checking is enabled:
•
To verify the local certificates, if the PKI domain has no CRLs, the device looks up the locally
saved CRLs. If a correct CRL is found, the device loads the CRL to the PKI domain. If no correct
CRL is found locally, the device obtains a correct CRL from the CA server and saves it locally.
•
To verify the CA certificate, CRL checking is performed for the CA certificate chain from the
current CA to the root CA.
Examples
# Verify the validity of the CA certificate in PKI domain
aaa
.
<Sysname> system-view