To do...                                Use the command...                                          Remarks
Retrieve the CA certificate             See "Retrieving a certificate manually"                     Required
Retrieve CRLs                           pki retrieval-crl domain domain-name                        Required
Verify the validity of a certificate    pki validate-certificate { ca | local } domain domain-name  Required

NOTE:
• The CRL update period defines the interval at which the entity downloads CRLs from the CRL server. The CRL update period setting manually configured on the switch takes precedence over the one carried in the CRLs.
• The pki retrieval-crl domain command cannot be saved in the configuration file.
• The URL of the CRL distribution point does not support domain name resolution.

Configuring CRL-checking-disabled PKI certificate verification

Follow these steps to configure CRL-checking-disabled PKI certificate verification:

To do...                                Use the command...                                          Remarks
Enter system view                       system-view                                                 —
Enter PKI domain view                   pki domain domain-name                                      —
Disable CRL checking                    crl check disable                                           Required. Enabled by default.
Return to system view                   quit                                                        —
Retrieve the CA certificate             See "Retrieving a certificate manually"                     Required
Verify the validity of the certificate  pki validate-certificate { ca | local } domain domain-name  Required

Destroying a local RSA key pair

A certificate has a lifetime, which is determined by the CA. When the private key leaks or the certificate is about to expire, you can destroy the old RSA key pair and then create a new pair to request a new certificate.

Follow these steps to destroy a local RSA key pair:

To do...                                Use the command...                                          Remarks
Enter system view                       system-view                                                 —
Destroy a local RSA key pair            public-key local destroy rsa                                Required

NOTE:
For more information about the public-key local destroy command, see Security Command Reference.
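CRL checking is enabled by default, so a saved configuration only carries crl check disable in the PKI domains where it was switched off. The following added example (not part of the original manual) audits a configuration file for those domains. It assumes the saved configuration writes each pki domain view as an unindented header line followed by settings indented with one space; the sample configuration, the domain names and the function name are constructed for illustration.

```python
import re

# Constructed sample of a saved switch configuration (not from the manual).
# Assumed layout: "pki domain <name>" opens a view, its settings are indented
# by one space, and "#" or any other unindented line closes the view.
SAMPLE_CONFIG = """\
#
pki domain branch
 ca identifier example-ca
 crl check disable
#
pki domain hq
 ca identifier example-ca
 crl url http://192.0.2.10/ca.crl
#
pki domain lab
 crl check disable
#
"""

DOMAIN_RE = re.compile(r"^pki domain (\S+)\s*$")
# "crl check disable" is the command documented in the procedure above.
DISABLE_RE = re.compile(r"^\s+crl check disable\s*$")


def domains_without_crl_check(config_text):
    """Return, in file order, the PKI domains whose view disables CRL checking."""
    flagged, current = [], None
    for line in config_text.splitlines():
        match = DOMAIN_RE.match(line)
        if match:
            current = match.group(1)      # entered a PKI domain view
        elif not line.startswith(" "):
            current = None                # unindented line: left the view
        elif current and DISABLE_RE.match(line) and current not in flagged:
            flagged.append(current)
    return flagged


if __name__ == "__main__":
    for name in domains_without_crl_check(SAMPLE_CONFIG):
        print(f"PKI domain {name}: CRL checking is disabled")
```

Domains reported by the script validate certificates without consulting a CRL, so each one should have a documented reason for running with CRL checking off.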