Configuring PKI Certificate Validation - H3C S3610-28P Operation Manual

S3610 & S5510 series

Operation Manual – PKI
H3C S3610&S5510 Series Ethernet Switches
Chapter 1 PKI Configuration

Follow these steps to retrieve a certificate manually:

To do...                         Use the command...                                                                                           Remarks
-------------------------------  -----------------------------------------------------------------------------------------------------------  -----------------------------
Enter system view                system-view
Retrieve a certificate manually  Online: pki retrieval-certificate { ca | local } domain domain-name                                          Required. Use either command.
                                 Offline: pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]

Caution:
If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This avoids inconsistency between the certificate and enrollment information due to related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificate first.
The pki retrieval-certificate configuration will not be saved in the configuration file.

1.7 Configuring PKI Certificate Validation

A certificate needs to be validated before being used. Validating a certificate means checking that the certificate is signed by the CA and that it has neither expired nor been revoked.
Before validating a certificate, you need to retrieve the CA certificate.
You can specify whether CRL checking is required in certificate validation. If you enable CRL checking, CRLs will be used in validation of a certificate.

I. Configuring CRL-checking-enabled PKI certificate validation

Follow these steps to configure CRL-checking-enabled PKI certificate validation:

To do...                                       Use the command...      Remarks
---------------------------------------------  ----------------------  ----------------------------------------------------------------
Enter system view                              system-view
Enter PKI domain view                          pki domain domain-name
Specify the URL of the CRL distribution point  crl url url-string      Optional. No CRL distribution point URL is specified by default.
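
The three checks named in section 1.7 (CA signature, validity period, optional CRL lookup), as an added Python example that is not part of the H3C manual and does not reproduce the switch's implementation. It uses the third-party cryptography package; the "Lab CA" name, serial numbers, dates and the choice to fail when CRL checking is enabled but no trusted CRL is available are assumptions made for the illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW, DAY = dt.datetime(2024, 1, 1), dt.timedelta(days=1)  # constructed fixed clock, UTC
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Lab CA")])  # constructed CA

def issue(cn, pub, signer, serial, end):  # constructed cert naming Lab CA as its issuer
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(CA_NAME)
            .public_key(pub).serial_number(serial).not_valid_before(NOW - 90 * DAY)
            .not_valid_after(end).sign(signer, hashes.SHA256()))

def make_crl(ca_key, serials):  # CRL signed by the CA, listing the revoked serial numbers
    crl = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
           .last_update(NOW - DAY).next_update(NOW + 7 * DAY))
    for s in serials:
        entry = x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW - DAY)
        crl = crl.add_revoked_certificate(entry.build())
    return crl.sign(ca_key, hashes.SHA256())

def validate(cert, ca, crl=None, crl_check=True, now=NOW):
    try:  # check 1: the signature verifies under the CA certificate's public key
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "not signed by CA"
    start, end = ((getattr(cert, f + "_utc", None) or getattr(cert, f)).replace(tzinfo=None)
                  for f in ("not_valid_before", "not_valid_after"))  # *_utc: cryptography 42+
    if not start <= now <= end:  # check 2: inside the validity period
        return "outside validity period"
    if crl_check:  # check 3: not revoked; skipped entirely when CRL checking is disabled
        if crl is None or not crl.is_signature_valid(ca.public_key()):
            return "no trusted CRL"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked"
    return "valid"

def demo():
    ca_key, dev_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = issue("Lab CA", ca_key.public_key(), ca_key, 1, NOW + 365 * DAY)
    dev = lambda signer, serial, end: issue("switch", dev_key.public_key(), signer, serial, end)
    good, old = dev(ca_key, 100, NOW + 30 * DAY), dev(ca_key, 101, NOW - DAY)
    wrong_ca = dev(other_key, 102, NOW + 30 * DAY)
    crl = make_crl(ca_key, [100])  # serial 100 has been revoked
    return [validate(good, ca, crl_check=False), validate(good, ca, crl), validate(good, ca),
            validate(old, ca, crl), validate(wrong_ca, ca, crl)]
```

The first two results from demo() are for the same certificate: it passes with CRL checking disabled and is rejected as revoked once the CRL is consulted.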
