Configuration Guidelines; Configuration Procedure; Verifying PKI Certificates - HPE FlexNetwork 10500 Series Security Configuration Manual

Configuration guidelines

To import a local certificate containing an encrypted key pair, you must provide the challenge password. Contact the CA administrator to obtain the password.

If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to obtain a new one, use the pki delete-certificate command to remove the existing CA certificate and local certificates first.

If local or peer certificates already exist, you can obtain new local or peer certificates to overwrite the existing ones. If RSA is used, a PKI domain can have two local certificates, one for signature and the other for encryption.

If CRL checking is enabled, obtaining a certificate triggers CRL checking. If the certificate to be obtained has been revoked, the certificate cannot be obtained.

The device compares the validity period of a certificate with the local system time to determine whether the certificate is valid. Make sure the system time of the device is synchronized with the CA server.

Configuration procedure

To obtain certificates:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Obtain certificates.
  Command, to import certificates in offline mode:
  pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] }
  Command, to obtain certificates in online mode:
  pki retrieve-certificate domain domain-name { ca | local | peer entity-name }
  Remarks: The pki retrieve-certificate command is not saved in the configuration file.

Verifying PKI certificates

A certificate is automatically verified when it is requested, obtained, or used by an application. If the certificate has expired, was not issued by a trusted CA, or has been revoked, it cannot be used. You can also manually verify a certificate. If it has been revoked, the certificate cannot be requested or obtained.

When verifying the CA certificate of a PKI domain, the system needs to verify all the certificates in the CA certificate chain. To ensure a successful certificate verification process, the device must have all the PKI domains to which the CA certificates in the certificate chain belong.

The system verifies the CA certificates in the CA certificate chain as follows:

1. Identifies the parent certificate of the lowest-level certificate. Each CA certificate contains an issuer field that identifies the parent CA that issued the certificate.
2. Locates the PKI domain to which the parent certificate belongs.
3. Performs CRL checking in the PKI domain to check whether the parent certificate has been revoked. If it has been revoked, the certificate cannot be used. This step is not performed when CRL checking is disabled in the PKI domain.
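The following is an added example, not HPE Comware code or part of the manual: a simplified model of the three chain-verification steps above, plus the validity-period check from the configuration guidelines. Certificates are constructed plain records rather than parsed X.509, and PKI domains are keyed by the CA name they hold, each with its own CRL-checking switch and revoked-serial set (all assumptions of the model).

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Cert:
    """One certificate in the chain (constructed record, not X.509 parsing)."""
    subject: str
    issuer: str      # names the parent CA that issued this certificate
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass
class PkiDomain:
    """A PKI domain holding one CA certificate plus its CRL-checking state."""
    name: str
    ca_cert: Cert
    crl_check: bool = True                     # CRL checking enabled in this domain?
    revoked: set = field(default_factory=set)  # serials listed in the domain's CRL

def verify_chain(lowest: Cert, domains: dict, now: datetime) -> tuple:
    """Walk from the lowest-level CA certificate up to a self-signed root.
    domains maps a CA subject name to the PkiDomain that holds its certificate.
    Returns (ok, reason) so the caller can log why verification failed."""
    cert = lowest
    for _ in range(len(domains) + 1):  # bound the walk so an issuer loop terminates
        # Validity is judged against the device's system time (see the guidelines).
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: outside its validity period"
        if cert.issuer == cert.subject:
            return True, f"chain anchored at self-signed root {cert.subject}"
        # Step 1: the issuer field identifies the parent CA.
        # Step 2: locate the PKI domain to which the parent certificate belongs.
        parent_domain = domains.get(cert.issuer)
        if parent_domain is None:
            return False, f"no PKI domain holds the parent CA {cert.issuer}"
        parent = parent_domain.ca_cert
        # Step 3: CRL checking in that domain, skipped when disabled there.
        if parent_domain.crl_check and parent.serial in parent_domain.revoked:
            return False, f"{parent.subject}: revoked per CRL of {parent_domain.name}"
        cert = parent
    return False, "issuer loop: the chain never reached a self-signed root"
```

A missing intermediate domain fails the walk at step 2, which is the failure the manual warns about when the device lacks a domain for one of the CAs in the chain.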
