HPE FlexFabric 7900 Series Security Command Reference page 162

Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31
characters. The domain name cannot contain the following special characters: tilde (~), asterisk (*),
back slash (\), vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation
marks ("), and apostrophe (').
ca: Specifies the CA certificate.
local: Specifies the local certificates.
Usage guidelines
Generally, certificates are automatically verified when you request, obtain, or import them, or when
an application uses PKI.
You can also use this command to manually verify a certificate in the following aspects:
•
Whether the certificate is issued by a trusted CA.
•
Whether the certificate expires.
•
Whether the certificate is revoked if CRL checking is enabled.
When CRL checking is enabled:
•
To verify the local certificates, if the PKI domain has no CRLs, the device looks up the locally
save CRLs. If a CRL is found, the device loads the CRL to the PKI domain. Otherwise, the
device obtains the CRL from the CA server and saves it locally.
•
To verify the CA certificate, CRL checking is performed for the CA certificate chain from the
current CA to the root CA.
Examples
# Verify the validity of the CA certificate in the PKI domain aaa.
<Sysname> system-view
[Sysname] pki validate-certificate domain aaa ca
Verifying certificate......
Serial Number:
Issuer:
Subject:
Verify result: OK
Verifying certificate......
Serial Number:
Issuer:
f6:3c:15:31:fe:bb:ec:94:dc:3d:b9:3a:d9:07:70:e5
C=cn
O=ccc
OU=ppp
CN=rootca
C=cn
O=abc
OU=test
CN=aca
5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6
C=cn
O=ccc
OU=ppp
CN=rootca
154