Retrieving A Certificate Manually; Configuring PKI Certificate Verification - HP 5120 SI Series Security Configuration Manual

Retrieving a certificate manually

You can download CA certificates and local certificates and save them locally. To do so, use either the online mode or the offline mode. In offline mode, you must retrieve a certificate by out-of-band means such as FTP, disk, or email, and then import it into the local PKI system.
Certificate retrieval serves two purposes:
- Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
- Prepare for certificate verification.
Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
Follow these steps to retrieve a certificate manually:
To do...                          Use the command...                                             Remarks
Enter system view                 system-view
Retrieve a certificate manually   Online:                                                        Required
                                    pki retrieval-certificate { ca | local } domain domain-name  Use either command.
                                  Offline:
                                    pki import-certificate { ca | local } domain domain-name
                                    { der | p12 | pem } [ filename filename ]

CAUTION:
- If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. To retrieve a new CA certificate, first use the pki delete-certificate command to delete the existing CA certificate and the local certificate.
- The pki retrieval-certificate configuration is not saved in the configuration file.
- Be sure that the device system time falls within the validity period of the certificate so that the certificate is valid.

Configuring PKI certificate verification

A certificate must be verified before it is used. Verification checks that the certificate is signed by the CA and that it has neither expired nor been revoked.
Before verifying a certificate, you need to retrieve the CA certificate.
You can specify whether CRL checking is required in certificate verification. If you enable CRL checking, CRLs are used in verifying a certificate.

Configuring CRL-checking-enabled PKI certificate verification

Follow these steps to configure CRL-checking-enabled PKI certificate verification:
To do...                Use the command...        Remarks
Enter system view       system-view
Enter PKI domain view   pki domain domain-name
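
Added example (not part of the HP manual): a workstation-side check, using the OpenSSL command-line tool, of a certificate file obtained out of band before it is imported in offline mode. It tests the two points named in the text, signature by the CA and validity period at a given clock reading. The CA, subject names and file names are constructed, and revocation and p12 files are not covered.

```shell
#!/bin/sh
# Added example: workstation-side check of a certificate file before offline
# import. Uses the OpenSSL CLI; all names and subjects are constructed.

# make_samples DIR: build a throwaway CA, a second unrelated CA, and a local
# certificate signed by the first CA, in both PEM and DER form.
make_samples() {
    d=$1
    for ca in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=constructed-$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-switch" \
        -keyout "$d/local.key" -out "$d/local.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/local.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/local.pem" 2>/dev/null || return 1
    openssl x509 -in "$d/local.pem" -outform der -out "$d/local.der"
}

# verify_at CA_PEM CERT FORMAT EPOCH
# Returns 0 only if CERT (pem or der) is signed by the CA in CA_PEM and EPOCH
# (seconds since 1970, e.g. the device's clock reading) is inside the validity
# period. Revocation is not checked here. Returns 2 if CERT cannot be parsed.
verify_at() {
    tmp=$(mktemp) || return 2
    if ! openssl x509 -in "$2" -inform "$3" -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 2
    fi
    openssl verify -attime "$4" -CAfile "$1" "$tmp" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ]
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
now=$(date +%s)
verify_at "$demo_dir/ca.pem" "$demo_dir/local.der" der "$now" \
    && echo "DER copy: signed by CA, valid at current time"
verify_at "$demo_dir/ca.pem" "$demo_dir/local.pem" pem 946684800 \
    || echo "rejected for a clock reading of 2000-01-01 (outside validity)"
verify_at "$demo_dir/other.pem" "$demo_dir/local.pem" pem "$now" \
    || echo "rejected: not signed by this CA"
rm -rf "$demo_dir"
```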
