Restrictions and guidelines for certificate verification

When verifying the CA certificate of a PKI domain, the system needs to verify all the certificates in the CA certificate chain. To ensure a successful certificate verification process, the device must have all the PKI domains to which the CA certificates in the certificate chain belong.

The system verifies the CA certificates in the CA certificate chain as follows:

  1. Identifies the parent certificate of the lowest-level certificate.

    Each CA certificate contains an issuer field that identifies the parent CA that issued the certificate.

  2. Locates the PKI domain to which the parent certificate belongs.

  3. Performs CRL checking in the PKI domain to check whether the parent certificate has been revoked. If it has been revoked, the certificate cannot be used.

    This step will not be performed when CRL checking is disabled in the PKI domain.

  4. Repeats the previous steps for upper-level certificates in the CA certificate chain until the root CA certificate is reached.

  5. Verifies that each CA certificate in the certificate chain is issued by the named parent CA, starting from the root CA.