When CRL checking is enabled:
•
To verify the local certificates, if the PKI domain has no CRLs, the device looks up the locally save
CRLs. If a proper CRL is found, the device loads the CRL to the PKI domain. Otherwise, the device
obtains the proper CRL from the CA server and saves it locally.
To verify the CA certificate, CRL checking is performed for the CA certificate chain from the current
•
CA to the root CA.
Examples
# Verify the validity of the CA certificate in the PKI domain aaa.
<Sysname> system-view
[Sysname] pki validate-certificate domain aaa ca
Verifying certificate......
Serial Number:
Issuer:
Subject:
Verify result: OK
Verifying certificate......
Serial Number:
Issuer:
Subject:
Verify result: OK
# Verify the local certificates in the PKI domain aaa.
<Sysname> system-view
[Sysname] pki validate-certificate domain aaa local
Verifying certificate......
Serial Number:
Issuer:
f6:3c:15:31:fe:bb:ec:94:dc:3d:b9:3a:d9:07:70:e5
C=cn
O=ccc
OU=ppp
CN=rootca
C=cn
O=abc
OU=test
CN=aca
5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6
C=cn
O=ccc
OU=ppp
CN=rootca
C=cn
O=ccc
OU=ppp
CN=rootca
bc:05:70:1f:0e:da:0d:10:16:1e
288