Configuration Procedure; Verifying Pki Certificates; Verifying Certificates With Crl Checking - HP 5920 Series Configuration Manual


If CRL checking is enabled, obtaining a certificate triggers CRL checking. If the certificate to be
obtained has been revoked, the certificate cannot be obtained.
The device compares the validity period of a certificate with the local system time to determine
whether the certificate is valid. Make sure the system time of the device is synchronized with the CA
server.

Configuration procedure

To obtain certificates:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Import or obtain certificates.
  Command:
  Import certificates in offline mode:
  pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] }
  Obtain certificates in online mode:
  pki retrieve-certificate domain domain-name { ca | local | peer entity-name }
  Remarks: The pki retrieve-certificate command is not saved in the configuration file.

Verifying PKI certificates

Every time a certificate is requested, obtained, or used by an application, it is automatically verified.
If the certificate has expired, was not issued by a trusted CA, or has been revoked, the certificate is not used.
You can also manually verify a certificate. If it is revoked, the certificate cannot be requested or obtained.

Verifying certificates with CRL checking

CRL checking checks whether a certificate is listed in the CRL. If it is, the certificate has been revoked and its
home entity is not trusted.
To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL repository
in the following order:
1. CRL repository specified in the PKI domain by command.
2. CRL repository in the certificate that is being verified.
3. CRL repository in the CA certificate, or in the upper-level CA certificate if the CA certificate is the certificate being verified.
If no CRL repository is found after the selection process, the device obtains the CRL through SCEP. In this
scenario, the CA certificate and the local certificates must have been obtained.
To verify certificates with CRL checking:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
