Configuration Procedure; Verifying Pki Certificates; Verifying Certificates With Crl Checking - HP FlexFabric 5930 Series Security Configuration Manual

Hide thumbs Also See for FlexFabric 5930 Series:

Configuration manuals (467 pages)

Command reference manual (87 pages)

Installation manual (73 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

Table of Contents

Configuration procedure

To obtain certificates:

Step

Enter system view.

Import or obtain certificates.

Verifying PKI certificates

Every time a certificate is requested or obtained, or used by an application, it is automatically verified.

If the certificate expires, is not issued by a trusted CA, or is revoked, the certificate is not used.

You can also manually verify a certificate. If it is revoked, the certificate cannot be requested or obtained.

Verifying certificates with CRL checking

CRL checking checks whether a certificate is in the CRL. If yes, the certificate has been revoked and its

home entity is not trusted.

To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL repository

in the following order: CRL repository specified in the PKI domain, the CRL repository in the local

certificates, the CRL repository in the CA certificate, and the CRL obtained through SCEP.

To use SCEP to obtain the CRL, the CA certificate and the local certificates must be present.

To verify certificates with CRL checking:

Step

Enter system view.

Enter PKI domain view.

(Optional.) Specify the URL

of the CRL repository.

Enable CRL checking.

Return to system view.

Obtain the CA certificate.

Command

system-view

•

Import certificates in offline mode:

pki import domain domain-name { der { ca |

local | peer } filename filename | p12 local

filename filename | pem { ca | local | peer }

[ filename filename ] }

•

Obtain certificates in online mode:

pki retrieve-certificate domain

domain-name { ca | local | peer

entity-name }

Command

system-view

pki domain domain-name

crl url url-string [ vpn-instance

vpn-instance-name ]

crl check enable

quit

See

"Obtaining

certificates."

Remarks

N/A

The pki

retrieve-certificate

command is not saved

in the configuration

file.

Remarks

N/A

By default, the URL of the CRL

repository is not specified.

By default, CRL checking is enabled.

N/A

Table of Contents

Configuration Procedure; Verifying Pki Certificates; Verifying Certificates With Crl Checking - HP FlexFabric 5930 Series Security Configuration Manual

Configuration procedure

Verifying PKI certificates

Verifying certificates with CRL checking

Troubleshooting

Related Manuals for HP FlexFabric 5930 Series

Related Content for HP FlexFabric 5930 Series

Table of Contents