Verifying certificates with CRL checking

  1. Enter system view.

    system-view

  2. Enter PKI domain view.

    pki domain domain-name

  3. (Optional.) Specify the URL of the CRL repository.

    crl url url-string [ vpn-instance vpn-instance-name ]

    By default, the URL of the CRL repository is not specified.

  4. Enable CRL checking.

    crl check enable

    By default, CRL checking is enabled.

  5. Return to system view.

    quit

  6. Obtain the CA certificate.

    See "Obtaining certificates."

    The PKI domain must have a CA certificate before you can verify certificates in it.

  7. (Optional.) Obtain the CRL and save it locally.

    pki retrieve-crl domain domain-name

    When it verifies a non-root CA certificate or local certificates, the device automatically retrieves the CRL if the PKI domain does not already have one.

    The newly obtained CRL overwrites the old one, if any.

    The obtained CRL is issued by a CA in the CA certificate chain stored in the PKI domain.

  8. Manually verify the validity of the certificates.

    pki validate-certificate domain domain-name { ca | local }
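The checks behind step 8 (and the reason step 7 overwrites an old CRL) are easier to see in code than in a command list. The following is an added example, not part of the Comware documentation and not the device's own implementation: it builds a throwaway CA with the `cryptography` Python package (an assumed dependency), issues two leaf certificates, publishes a CRL that revokes one of them, and then runs the validation a device must perform before it can trust a CRL's answer: the certificate chains to the domain's CA, the CRL is issued and signed by a CA in that chain, the CRL is not past its nextUpdate, and only then is the serial looked up. All names ("Constructed Test CA", "router-good") are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Fixed "now" so every artefact below shares one clock (constructed, not real data).
NOW = datetime.now(timezone.utc).replace(microsecond=0)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(cn="Constructed Test CA"):
    """Self-signed CA key and certificate (stand-in for the PKI domain's CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1))
            .not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, cn):
    """Leaf certificate signed by the CA (stand-in for a local certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1))
            .not_valid_after(NOW + timedelta(days=30))
            .sign(ca_key, hashes.SHA256()))


def publish_crl(signing_key, ca_cert, revoked_serials,
                age=timedelta(hours=1), lifetime=timedelta(days=7)):
    """CRL naming ca_cert as issuer; `age` and `lifetime` set thisUpdate/nextUpdate."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(NOW - age)
               .next_update(NOW - age + lifetime))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(NOW - age).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(signing_key, hashes.SHA256())


def _next_update(crl):
    # cryptography >= 42 exposes timezone-aware *_utc properties; fall back otherwise.
    nu = getattr(crl, "next_update_utc", None)
    return nu if nu is not None else crl.next_update.replace(tzinfo=timezone.utc)


def validate_with_crl(cert, ca_cert, crl, now=NOW):
    """Return a status string; the check order matters, because a CRL that fails
    an earlier check cannot be trusted to answer the later ones."""
    # 1. The certificate must be signed by the CA held in the PKI domain.
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return "cert-signature-invalid"
    # 2. The CRL must name that CA as issuer and carry its signature.
    if crl.issuer != ca_cert.subject:
        return "crl-issuer-mismatch"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-signature-invalid"
    # 3. A CRL past nextUpdate is stale; a fresh copy must be fetched before deciding.
    if _next_update(crl) < now:
        return "crl-stale"
    # 4. Only now is the serial lookup meaningful.
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo():
    """Exercise the good, revoked, stale-CRL and wrong-signer cases."""
    ca_key, ca_cert = make_ca()
    good = issue_leaf(ca_key, ca_cert, "router-good")
    bad = issue_leaf(ca_key, ca_cert, "router-revoked")
    crl = publish_crl(ca_key, ca_cert, [bad.serial_number])
    stale = publish_crl(ca_key, ca_cert, [], age=timedelta(days=10))
    other_key, _ = make_ca("Constructed Other CA")
    # Same issuer name as the real CA, but signed with a key the domain does not trust.
    wrong_signer = publish_crl(other_key, ca_cert, [])
    return {
        "good": validate_with_crl(good, ca_cert, crl),
        "revoked": validate_with_crl(bad, ca_cert, crl),
        "stale": validate_with_crl(good, ca_cert, stale),
        "wrong_signer": validate_with_crl(good, ca_cert, wrong_signer),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

Two of the four outcomes map directly onto the procedure above: "crl-stale" is the condition under which the device needs a new CRL from the URL set in step 3 (the overwrite described in step 7), and "crl-signature-invalid" is why step 6 insists on having the CA certificate in the domain before any CRL can be used at all.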