Verifying Certificates Without CRL Checking - HPE FlexNetwork 7500 Series Security Configuration Manual


the parent certificate belongs. If CRL checking is enabled for the domains, the system checks
whether or not the CA certificate has been revoked. The process continues until the root CA
certificate is reached. The system verifies that each CA certificate in the certificate chain is issued by
the named parent CA, starting from the root CA.
To verify certificates with CRL checking:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter PKI domain view. | pki domain domain-name | N/A |
| 3. (Optional.) Specify the URL of the CRL repository. | crl url url-string [ vpn-instance vpn-instance-name ] | By default, the URL of the CRL repository is not specified. |
| 4. Enable CRL checking. | crl check enable | By default, CRL checking is enabled. |
| 5. Return to system view. | quit | N/A |
| 6. Obtain the CA certificate. | See "Obtaining certificates." | N/A |
| 7. (Optional.) Obtain the CRL and save it locally. | pki retrieve-crl domain domain-name | The newly obtained CRL overwrites the old one, if any. The obtained CRL must be issued by a CA certificate in the CA certificate chain in the current domain. |
| 8. Manually verify the validity of the certificates. | pki validate-certificate domain domain-name { ca \| local } | N/A |

Verifying certificates without CRL checking

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter PKI domain view. | pki domain domain-name | N/A |
| 3. Disable CRL checking. | undo crl check enable | By default, CRL checking is enabled. |
| 4. Return to system view. | quit | N/A |
| 5. Obtain the CA certificate. | See "Obtaining certificates." | N/A |
| 6. Manually verify the validity of the certificates. | pki validate-certificate domain domain-name { ca \| local } | This command is not saved in the configuration file. |
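As an added example (not from the HPE manual), the following Python script audits a saved configuration for PKI domains in which `undo crl check enable` has turned off revocation checking. The sample configuration, its domain names and its URL are constructed, and the file layout (unindented section headers, indented settings, `#` lines between sections) is an assumption.

```python
import re

# Constructed sample, not device output. Assumed layout of the saved file:
# unindented section headers, indented settings, "#" lines between sections.
SAMPLE_CONFIG = """\
#
pki domain branch-vpn
 undo crl check enable
#
pki domain hq-vpn
 crl url http://crl.example.test/hq.crl
#
pki domain lab
#
"""

def audit_pki_domains(config_text):
    """Map each PKI domain to its effective CRL settings."""
    domains, current = {}, None
    for line in config_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # New top-level section: track it only if it is a PKI domain.
            m = re.fullmatch(r"pki domain (\S+)", line.strip())
            # Defaults from the manual: CRL checking enabled, no CRL URL.
            defaults = {"crl_check": True, "crl_url": None}
            current = domains.setdefault(m.group(1), defaults) if m else None
            continue
        if current is None:
            continue  # setting belongs to a non-PKI section
        setting = line.strip()
        if setting == "undo crl check enable":
            current["crl_check"] = False
        elif setting == "crl check enable":
            current["crl_check"] = True
        elif (m := re.match(r"crl url (\S+)", setting)):
            current["crl_url"] = m.group(1)
    return domains

def findings(config_text):
    """Names of domains whose certificates are validated without CRL checks."""
    audited = audit_pki_domains(config_text)
    return sorted(name for name, d in audited.items() if not d["crl_check"])

if __name__ == "__main__":
    for name in findings(SAMPLE_CONFIG):
        print(f"{name}: CRL checking disabled, revocation status is not checked")
```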
