Configuration Procedure; Verifying Pki Certificates; Verifying Certificates With Crl Checking - HPE FlexNetwork 5510 HI Series Security Configuration Manual
Hide thumbs
Also See for FlexNetwork 5510 HI Series:
- Configuration manual (572 pages) ,
- Mpls configuration manual (505 pages) ,
- Layer 3 - ip routing configuration manual (486 pages)
Table of Contents
Advertisement
•
If a CA certificate already exists locally, you cannot obtain it again in online mode. If you want to
obtain a new one, use the pki delete-certificate command to remove the existing CA certificate
and local certificates first.
•
If local or peer certificates already exist, you can obtain new local or peer certificates to
overwrite the existing ones. If RSA is used, a PKI domain can have two local certificates, one for
signature and the other for encryption.
•
If CRL checking is enabled, obtaining a certificate triggers CRL checking. If the certificate to be
obtained has been revoked, the certificate cannot be obtained.
•
The device compares the validity period of a certificate with the local system time to determine
whether the certificate is valid. Make sure the system time of the device is synchronized with the
CA server.
Configuration procedure
To obtain certificates:
Step
1.
Enter system view.
2.
Obtain certificates.
Verifying PKI certificates
A certificate is automatically verified when it is requested, obtained, or used by an application. If the
certificate expires, if it is not issued by a trusted CA, or if it is revoked, the certificate cannot be used.
You can also manually verify a certificate. If it has been revoked, the certificate cannot be requested
or obtained.
Verifying certificates with CRL checking
CRL checking checks whether a certificate is in the CRL. If it is, the certificate has been revoked and
its home entity is not trusted.
To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL
repository in the following order:
1.
CRL repository specified in the PKI domain by using this command.
2.
CRL repository in the certificate that is being verified.
3.
CRL repository in the CA certificate or CRL repository in the upper-level CA certificate if the CA
certificate is the certificate being verified.
If no CRL repository is found after the selection process, the device obtains the CRL through SCEP.
In this scenario, the CA certificate and the local certificates must have been obtained.
To verify certificates with CRL checking:
Command
system-view
•
Import
certificates
pki import domain domain-name { der
{ ca | local | peer } filename filename |
p12 local filename filename | pem { ca |
local | peer } [ filename filename ] }
•
Obtain
certificates
pki
retrieve-certificate
domain-name { ca | local | peer
entity-name }
235
Remarks
N/A
in
offline
mode:
The
retrieve-certificate
command is not saved
in
in
online
mode:
file.
domain
pki
the
configuration
- Quick Links:
- Radius
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
