Verifying certificates with CRL checking
CRL checking checks whether a certificate is in the CRL. If it is, the certificate has been revoked and its home entity is not trusted.
To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL repository in the following order:
CRL repository specified in the PKI domain by using this command.
CRL repository in the certificate that is being verified.
CRL repository in the CA certificate or CRL repository in the upper-level CA certificate if the CA certificate is the certificate being verified.
If no CRL repository is found after the selection process, the device obtains the CRL through SCEP. In this scenario, the CA certificate and the local certificates must have been obtained.
To verify certificates with CRL checking:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter PKI domain view. | pki domain domain-name | N/A |
3. (Optional.) Specify the URL of the CRL repository. | crl url url-string | By default, the URL of the CRL repository is not specified. |
4. Enable CRL checking. | crl check enable | By default, CRL checking is enabled. |
5. Return to system view. | quit | N/A |
6. Obtain the CA certificate. | See "Obtaining certificates." | N/A |
7. (Optional.) Obtain the CRL and save it locally. | pki retrieve-crl domain domain-name | The newly obtained CRL overwrites the old one, if any. The obtained CRL must be issued by a CA certificate in the CA certificate chain in the current domain. |
8. Verify the validity of the certificates. | pki validate-certificate domain domain-name { ca | local } | N/A |