Verifying PKI certificates
A certificate is automatically verified when it is requested, obtained, or used by an application. If the
certificate expires, if it is not issued by a trusted CA, or if it is revoked, the certificate cannot be used.
You can also manually verify a certificate. If it has been revoked, the certificate cannot be requested
or obtained.
Verifying certificates with CRL checking
CRL checking checks whether a certificate is in the CRL. If it is, the certificate has been revoked and
its home entity is not trusted.
To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL
repository in the following order:
1. CRL repository specified in the PKI domain by using the crl url command.
2. CRL repository in the certificate that is being verified.
3. CRL repository in the CA certificate, or CRL repository in the upper-level CA certificate if the CA
certificate is the certificate being verified.
If no CRL repository is found after the selection process, the device obtains the CRL through SCEP.
In this scenario, the CA certificate and the local certificates must have been obtained.
When verifying the CA certificate of a PKI domain, the system needs to verify all the certificates in the
CA certificate chain of the domain. To ensure a successful certificate verification process, the device
must have all the PKI domains to which the CA certificates in the certificate chain belong.
Each CA certificate contains an issuer field that identifies the parent CA that issued the certificate.
After identifying the parent certificate of a certificate, the system locates the PKI domains to which
the parent certificate belongs. If CRL checking is enabled for the domains, the system checks
whether or not the CA certificate has been revoked. The process continues until the root CA
certificate is reached. The system verifies that each CA certificate in the certificate chain is issued by
the named parent CA, starting from the root CA.
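To see what CRL checking does to a certificate in practice, here is an added example that is not part of the configuration guide and is not the device's own CLI: a throwaway two-tier CA built with the openssl command-line tool, a CRL published by the issuing CA (so it is issued by a CA in the chain, as the guide requires), and a leaf certificate verified before and after it is revoked. The CA names, file names and the verify_leaf/revoke_leaf helper names are assumptions constructed for the demonstration; it needs only the openssl binary.

```shell
#!/bin/sh
# Added example (not from the guide): a throwaway two-tier CA built with the
# openssl CLI to show what CRL checking does before and after revocation.
# CA names, file names and helper names are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config: an empty DN section (we pass -subj) and a CA extension
# profile used for both the root and the issuing (intermediate) CA.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Root CA (self-signed) and the issuing CA signed by the root.
openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null
openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Issuing CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile req.cnf -extensions v3_ca -out int.crt 2>/dev/null

# Leaf certificate issued by the issuing CA (the role of a device's local cert).
openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=router.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 30 -sha256 -out leaf.crt 2>/dev/null

# Minimal "openssl ca" database so the issuing CA can publish a CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = issuing_ca
[ issuing_ca ]
database = index.txt
crlnumber = crlnumber
certificate = int.crt
private_key = int.key
default_md = sha256
default_crl_days = 7
EOF
: > index.txt
echo 01 > crlnumber

# First CRL: signed by the issuing CA, revokes nothing yet.
openssl ca -config ca.cnf -gencrl -out empty.crl 2>/dev/null

# verify_leaf [CRLFILE]: verify leaf.crt up to the root with CRL checking
# enabled for the leaf. Prints "OK" or the reason openssl reports.
verify_leaf() {
  if [ "$#" -gt 0 ]; then set -- -CRLfile "$1"; fi
  out="$(openssl verify -CAfile root.crt -untrusted int.crt -crl_check "$@" leaf.crt 2>&1 || true)"
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
  esac
}

# revoke_leaf: mark leaf.crt revoked in the CA database and publish a new CRL.
revoke_leaf() {
  openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out revoked.crl 2>/dev/null
}

echo "with CRL, not revoked:  $(verify_leaf empty.crl)"    # OK
echo "CRL checking on, no CRL: $(verify_leaf)"             # unable to get certificate CRL
revoke_leaf
echo "with CRL, after revoke: $(verify_leaf revoked.crl)"  # certificate revoked
```

The middle case is the one to keep in mind when enabling CRL checking on a device: once checking is on, a certificate whose CRL cannot be obtained is rejected outright, not accepted by default. The example uses -crl_check, which checks only the leaf; -crl_check_all checks every certificate in the chain and therefore needs a CRL from each CA, including the root, which mirrors the chain walk the guide describes.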
To verify certificates with CRL checking:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter PKI domain view.
    Command: pki domain domain-name
    Remarks: N/A

Step 3. (Optional.) Specify the URL of the CRL repository.
    Command: crl url url-string [ vpn-instance vpn-instance-name ]
    Remarks: By default, the URL of the CRL repository is not specified.

Step 4. Enable CRL checking.
    Command: crl check enable
    Remarks: By default, CRL checking is enabled.

Step 5. Return to system view.
    Command: quit
    Remarks: N/A

Step 6. Obtain the CA certificate.
    Command: See "Obtaining certificates."
    Remarks: N/A

Step 7. (Optional.) Obtain the CRL and save it locally.
    Command: pki retrieve-crl domain domain-name
    Remarks: The newly obtained CRL overwrites the old one, if any. The obtained CRL must be issued
    by a CA certificate in the CA certificate chain in the current domain.