Configuration Procedure; Verifying PKI Certificates; Verifying Certificates With CRL Checking - HP MSR2000 Configuration Manual


If a PKI domain already has local or peer certificates, you can still perform the obtain operation,
and the obtained local or peer certificates overwrite the existing ones. If RSA is used, a PKI domain
can have two local certificates, one for signature and the other for encryption.
If CRL checking is enabled, CRL checking is triggered when you obtain a certificate. If the certificate
to be obtained has been revoked, the certificate cannot be obtained.
The device compares the validity period of a certificate with the local system time to determine
whether the certificate is valid. Make sure the system time of the device is synchronized with the CA
server.

Configuration procedure

To obtain certificates:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Import or obtain certificates.
    Command:
      Import certificates in offline mode:
        pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] }
      Obtain certificates in online mode:
        pki retrieve-certificate domain domain-name { ca | local | peer entity-name }
    Remarks: The pki retrieve-certificate command is not saved in the configuration file.

Verifying PKI certificates

Every time a certificate is requested or obtained, or used by an application, it is automatically verified.
If the certificate expires, is not issued by a trusted CA, or is revoked, the certificate is not used.
You can also manually verify a certificate. If it is revoked, the certificate cannot be requested or obtained.

Verifying certificates with CRL checking

CRL checking checks whether a certificate is in the CRL. If yes, the certificate has been revoked and its
home entity is not trusted.
To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL repository
in the following order: CRL repository specified in the PKI domain, the CRL repository in the local
certificates, the CRL repository in the CA certificate, and the CRL obtained through SCEP.
To use SCEP to obtain the CRL, the CA certificate and the local certificates must be present.
To verify certificates with CRL checking:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter PKI domain view.
    Command: pki domain domain-name
    Remarks: N/A
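
The following is an added illustration, not code from the manual or from the device software: a simplified Python model of the verification rules described above. It picks a CRL repository in the documented order and shows how a wrong device clock causes an otherwise valid certificate to be rejected. The dictionary keys, the sample certificate, and the CRL URL are constructed for this example.

```python
from datetime import datetime, timezone

# Repository order taken from the text above; the key names are this
# example's own labels, not Comware identifiers.
CRL_SOURCE_ORDER = ("pki_domain", "local_certificate", "ca_certificate", "scep")


def select_crl_source(sources):
    """Return (name, location) of the first available CRL repository."""
    for name in CRL_SOURCE_ORDER:
        if sources.get(name):
            return name, sources[name]
    return None, None


def verify(cert, trusted_issuers, revoked_serials, now):
    """Apply the checks the text lists, in order; return (ok, reason)."""
    # Validity period is compared with the local system time.
    if now < cert["not_before"]:
        return False, "not yet valid (check device clock)"
    if now > cert["not_after"]:
        return False, "expired"
    if cert["issuer"] not in trusted_issuers:
        return False, "untrusted issuer"
    # CRL checking: a serial listed in the CRL means the certificate is revoked.
    if cert["serial"] in revoked_serials:
        return False, "revoked"
    return True, "ok"


# Constructed sample data (not taken from the manual).
UTC = timezone.utc
CERT = {"serial": 0x1A2B, "issuer": "CN=Example CA",
        "not_before": datetime(2024, 1, 1, tzinfo=UTC),
        "not_after": datetime(2025, 1, 1, tzinfo=UTC)}
TRUSTED = {"CN=Example CA"}
SOURCES = {"pki_domain": None,            # no repository set in the PKI domain
           "local_certificate": None,     # local certificate carries none
           "ca_certificate": "http://crl.example.test/ca.crl",
           "scep": "CRL via SCEP"}

if __name__ == "__main__":
    good_clock = datetime(2024, 6, 1, tzinfo=UTC)
    reset_clock = datetime(2000, 1, 1, tzinfo=UTC)  # clock not synchronized
    print(select_crl_source(SOURCES))
    print(verify(CERT, TRUSTED, set(), good_clock))
    print(verify(CERT, TRUSTED, set(), reset_clock))
    print(verify(CERT, TRUSTED, {0x1A2B}, good_clock))
```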


This manual is also suitable for: MSR3000, MSR4000