Verifying PKI Certificates; Verifying Certificates With CRL Checking - HP VSR1000 Security Configuration Manual

Virtual services router
Step 2. Import or obtain certificates.

Verifying PKI certificates

Every time a certificate is requested, obtained, or used by an application, it is automatically verified.
If the certificate has expired, was not issued by a trusted CA, or has been revoked, the certificate is not used.
You can also manually verify a certificate. If it has been revoked, the certificate cannot be requested or obtained.

Verifying certificates with CRL checking

CRL checking checks whether a certificate is listed in the CRL. If it is, the certificate has been revoked and the entity it belongs to is not trusted.
To use CRL checking, a CRL must be obtained from a CRL repository. The device selects the CRL repository from the following sources, in this order, and stops at the first one it finds:
1. CRL repository specified in the PKI domain.
2. CRL repository in the certificate to be verified.
3. CRL repository in the CA certificate, or CRL repository in the upper-level CA certificate if the CA certificate is the certificate to be verified.
If no CRL repository is found by this selection process, the device obtains the CRL through SCEP. To use SCEP to obtain the CRL, the CA certificate and the local certificates must have been obtained already.
To verify the CA certificate of a PKI domain, the system must verify every certificate in the CA certificate chain. For the verification to succeed, the device must contain all the PKI domains to which the CA certificates in the certificate chain belong.
Each CA certificate contains an issuer field that identifies the parent CA that issued it. After identifying the parent certificate of a certificate, the system locates the PKI domains to which the parent certificate belongs. If CRL checking is enabled for those domains, the system checks whether the CA certificate has been revoked. The process continues until the root CA certificate is reached. The system then verifies that each CA certificate in the certificate chain is issued by the named parent CA, starting from the root CA.
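The following Python model is an added illustration and is not code from the manual or from the VSR1000 itself. It implements the two procedures described above: the CRL repository selection order (PKI domain, then the certificate, then the CA certificate or its upper-level CA certificate, then SCEP as a fallback that needs the CA and local certificates) and the CA chain walk that follows issuer fields up to the root, applies CRL checking in each parent's PKI domain, and then confirms issuance from the root down. Certificates and PKI domains are plain records; all subject names, repository URLs and serial numbers are constructed for the example, the string "scep" stands in for the SCEP fallback, and issuance is modeled as an issuer-name match rather than the signature check the device performs.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Cert:
    subject: str
    issuer: str                            # subject of the issuing CA; equals subject for a root CA
    serial: int
    crl_repository: Optional[str] = None   # CRL repository carried in the certificate, if any


@dataclass
class PkiDomain:
    name: str
    ca_cert: Cert
    crl_repository: Optional[str] = None   # CRL repository configured in the PKI domain
    crl_check_enabled: bool = True
    local_cert: Optional[Cert] = None      # local certificate; the SCEP fallback needs CA and local certs


def find_domain_for_ca(subject: str, domains: Dict[str, PkiDomain]) -> Optional[PkiDomain]:
    """Return the PKI domain whose CA certificate has this subject, or None if the device lacks it."""
    for d in domains.values():
        if d.ca_cert.subject == subject:
            return d
    return None


def select_crl_repository(domain: PkiDomain, cert: Cert,
                          domains: Dict[str, PkiDomain]) -> Tuple[Optional[str], Optional[str]]:
    """Pick the CRL repository for cert in the manual's order; returns (repository, source).
    source is 'domain', 'certificate', 'ca-certificate' or 'scep'; (None, None) if nothing applies."""
    if domain.crl_repository:                       # 1. repository specified in the PKI domain
        return domain.crl_repository, "domain"
    if cert.crl_repository:                         # 2. repository in the certificate to be verified
        return cert.crl_repository, "certificate"
    if cert.subject == domain.ca_cert.subject:      # 3. cert is the CA cert: use the upper-level CA cert
        parent = find_domain_for_ca(cert.issuer, domains)
        if parent is not None and parent.ca_cert.subject != cert.subject \
                and parent.ca_cert.crl_repository:
            return parent.ca_cert.crl_repository, "ca-certificate"
    elif domain.ca_cert.crl_repository:             # 3. otherwise: repository in the CA certificate
        return domain.ca_cert.crl_repository, "ca-certificate"
    if domain.local_cert is not None:               # nothing found: obtain the CRL through SCEP
        return "scep", "scep"
    return None, None


def is_revoked(domain: PkiDomain, cert: Cert, domains: Dict[str, PkiDomain],
               crls: Dict[str, Set[int]]) -> bool:
    """CRL checking: look the serial number up in the CRL from the selected repository."""
    repo, _source = select_crl_repository(domain, cert, domains)
    if repo is None:
        raise LookupError(f"no CRL repository for {cert.subject}")
    return cert.serial in crls.get(repo, set())


def verify_ca_chain(domain_name: str, domains: Dict[str, PkiDomain], crls: Dict[str, Set[int]]):
    """Verify a PKI domain's CA certificate: walk issuer fields up to the root, locate the PKI
    domain holding each parent, apply CRL checking where that domain enables it, then confirm
    from the root down that each certificate is issued by its named parent.
    Returns (ok, subjects root-first, reason)."""
    up = []                                          # certificates collected leaf-first
    domain = domains[domain_name]
    cert = domain.ca_cert
    while True:
        if any(c.subject == cert.subject for c in up):
            return False, [c.subject for c in reversed(up)], "issuer loop"
        up.append(cert)
        try:
            if domain.crl_check_enabled and is_revoked(domain, cert, domains, crls):
                return False, [c.subject for c in reversed(up)], f"{cert.subject} is revoked"
        except LookupError as err:
            return False, [c.subject for c in reversed(up)], str(err)
        if cert.issuer == cert.subject:              # root CA reached
            break
        domain = find_domain_for_ca(cert.issuer, domains)
        if domain is None:                           # a missing PKI domain breaks verification
            return False, [c.subject for c in reversed(up)], f"no PKI domain holds CA {cert.issuer}"
        cert = domain.ca_cert
    root_first = list(reversed(up))
    # Issuance is modeled as an issuer-name match here; the device checks the parent's signature.
    for parent, child in zip(root_first, root_first[1:]):
        if child.issuer != parent.subject:
            return False, [c.subject for c in root_first], f"{child.subject} not issued by {parent.subject}"
    return True, [c.subject for c in root_first], "ok"


# Constructed sample hierarchy (not from the manual): a root CA, two intermediates, one orphan.
ROOT = Cert("Root CA", "Root CA", 1, crl_repository="http://crl.example.test/root.crl")
SUB_A = Cert("Sub CA A", "Root CA", 10)
SUB_B = Cert("Sub CA B", "Root CA", 11)                        # listed in the root's CRL below
SUB_C = Cert("Sub CA C", "Unknown CA", 12, crl_repository="http://crl.example.test/subC.crl")

DOMAINS = {
    "root": PkiDomain("root", ROOT),
    "subA": PkiDomain("subA", SUB_A, crl_repository="ldap://crl.example.test/subA"),
    "subB": PkiDomain("subB", SUB_B, local_cert=Cert("vsr-b", "Sub CA B", 200)),
    "subC": PkiDomain("subC", SUB_C, local_cert=Cert("vsr-c", "Sub CA C", 300)),
}

# Constructed CRLs keyed by repository: the set of revoked serial numbers.
CRLS = {
    "http://crl.example.test/root.crl": {11},
    "ldap://crl.example.test/subA": set(),
    "http://crl.example.test/subC.crl": set(),
}

if __name__ == "__main__":
    for name in DOMAINS:
        print(name, verify_ca_chain(name, DOMAINS, CRLS))
```

Running the block shows the three outcomes the text describes: subA verifies up to the root, subB fails because its serial appears in the CRL taken from the upper-level CA certificate's repository, and subC fails because no PKI domain on the device holds its issuing CA.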
Command and remarks for step 2 of the preceding procedure (Import or obtain certificates):
Command:
Import certificates in offline mode:
pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] }
Obtain certificates in online mode:
pki retrieve-certificate domain domain-name { ca | local | peer entity-name }
Remarks: The pki retrieve-certificate command is not saved in the configuration file.

To verify certificates with CRL checking:
Step 1. Enter system view.
Command: system-view
Remarks: N/A
